
18F automates compliance documentation

18F is building an open source platform for automating system security plan (SSP) updates so agencies can easily access, update and create compliance documentation as rapidly as they deploy systems.

Currently a prototype, the Compliance Masonry platform is a content capture and management framework for documenting the usually complex and lengthy SSPs, which describe a system’s architecture, implemented security controls and overall security posture, according to 18F.

The tool is being designed to create machine-readable SSPs that continuously update with code as the system changes, allowing agency executives, system custodians and security operations staff to interact, update and generate assurance reports with searchable content and testable security controls.

To build the Compliance Masonry platform, 18F stores SSP data in YAML/JSON following the OpenControl Schema, a machine-readable format for storing compliance documentation.

It also provides automated processes, or pipelines, for generating standardized certification documentation. There are pipelines already in place for converting these YAML/JSON SSPs to GitBooks (a GitHub tool) and Microsoft Word and for verifying complex tests like whether a system is using static code analysis tools.

18F took a component-first approach with the platform, meaning the SSP documentation is based on components rather than security controls. This focus will allow agencies to quickly add, adjust and remove documentation for new or updated components.
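To make the component-first idea concrete, here is an added example (not 18F's or Compliance Masonry's own code) that takes component-centric records in an OpenControl-style JSON layout, inverts them into the control-centric index an SSP and its assessors need, renders one control's narrative, and reports required controls that no component documents. The field names, the component records and the required-control baseline are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: two component records in an OpenControl-style layout,
# stored as JSON as the article describes. Field names (key, satisfies,
# standard_key, control_key, narrative) are assumed here, not taken from the page.
COMPONENTS_JSON = """[
  {"name": "Amazon EC2", "key": "EC2", "satisfies": [
    {"standard_key": "NIST-800-53", "control_key": "AC-2",
     "narrative": "Accounts are provisioned through IAM roles."},
    {"standard_key": "NIST-800-53", "control_key": "SC-7",
     "narrative": "Security groups restrict inbound traffic."}]},
  {"name": "Cloud Foundry", "key": "CF", "satisfies": [
    {"standard_key": "NIST-800-53", "control_key": "AC-2",
     "narrative": "Org and space roles gate platform access."}]}
]"""

# Constructed certification baseline: the controls the SSP must cover.
REQUIRED = {"NIST-800-53": ["AC-2", "SC-7", "SI-10"]}


def invert_to_controls(components):
    """Turn component-centric records into the control-centric index an SSP needs."""
    by_control = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            key = (sat["standard_key"], sat["control_key"])
            by_control[key].append((comp["name"], sat["narrative"]))
    return dict(by_control)


def build_index(text=COMPONENTS_JSON):
    """Parse the JSON component records and index them by control."""
    return invert_to_controls(json.loads(text))


def coverage_gaps(by_control, required):
    """Required controls that no component claims to satisfy: the assessor's first question."""
    return sorted((std, ctl) for std, ctls in required.items()
                  for ctl in ctls if (std, ctl) not in by_control)


def render_control(by_control, standard, control):
    """Markdown section for one control, listing each contributing component."""
    lines = [f"## {standard} {control}"]
    for name, narrative in by_control.get((standard, control), []):
        lines.append(f"- **{name}**: {narrative}")
    if len(lines) == 1:
        lines.append("- *No component documents this control.*")
    return "\n".join(lines)


if __name__ == "__main__":
    idx = build_index()
    print(render_control(idx, "NIST-800-53", "AC-2"))
    print("Gaps:", coverage_gaps(idx, REQUIRED))
```

Adding a component only means adding one record with its `satisfies` list; the control-centric view and the gap report are regenerated from the data rather than edited by hand.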

So far, 18F is using Compliance Masonry to organize SSP documentation for Cloud.gov. The open source platform is available for use and contribution by all agencies, developers and service providers.

About the Author

Amanda Ziadeh is a Reporter/Producer for GCN.

Prior to joining 1105 Media, Ziadeh was a contributing journalist for USA Today Travel's Experience Food and Wine site. She's also held a communications assistant position with the University of Maryland Office of the Comptroller, and has reported for the American Journalism Review, Capitol File Magazine and DC Magazine.

Ziadeh is a graduate of the University of Maryland where her emphasis was multimedia journalism and French studies.
