security plan

18F automates compliance documentation

18F is building an open source platform for automating system security plan (SSP) updates so agencies can easily access, update and create compliance documentation as rapidly as they deploy systems.

Currently a prototype, the Compliance Masonry platform is a content capture and management framework for documenting the usually complex and lengthy SSPs, which describe a system’s architecture, implemented security controls and overall security posture, according to 18F.

The tool is being designed to create machine-readable SSPs that continuously update with code as the system changes, allowing agency executives, system custodians and security operations staff to interact, update and generate assurance reports with searchable content and testable security controls.

To build the Compliance Masonry platform, 18F stores SSP data in machine readable YAML/JSON format with OpenControl Schema, a machine-readable format for storing compliance documentation.

It also provides automated processes, or pipelines, for generating  standardized certification documentation. There are pipelines already in place for converting these YAML/JSON SSPs to GitBooks (a GitHub tool) and Microsoft Word and for verifying complex tests like whether a system is using static code analysis tools.

18F took a component-first approach with the platform, meaning the SSP documentation is based on components rather than security controls. This focus will allow agencies to quickly add, adjust and remove documentation for new or updated components.

So far, 18F is using Compliance Masonry to organize SSP documentation for The open source platform is available for use and contribution by all agencies, developers and service providers.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected