Description
Originally posted by @timothy-spencer in #65 (comment):
I'm trying to make a template project that people can copy, add their app, and then use the mostly prepopulated opencontrol data while they are filling out their SSP by following along in the generated opencontrol gitbook as they work through their SSP. The text in the different sections should give them example content they can cut and paste in, or will give directions on what documents they should read to understand how to fill something out.
https://github.com/18F/gcp-appengine-template/blob/dev/README.md#ato-and-compliance-considerations
However, I have a few problems:
- The opencontrol format is kind of undocumented (like how are you supposed to actually represent where to look for a control that you have inherited?), so I keep having to puzzle over how/where to write about things.
- Everybody seems busy, so I have yet to get anybody to give a serious look at the controls that I have written up so far. :-( I think that I have documentation that ISSOs will like, but I don't know for sure.
- The project is truly mostly aimed at the GSA LATO. It all maps back to 800-53 and all, so it ought to be relatively portable, but those are the only 24 controls that I have spent any time on at all.
- Nobody has actually used this project yet besides me.
- I'm not quite done with everything, so there are still rough spots.
I'd like to think that having all this info prepopulated for somebody would save them a ton of time. I have spent a couple of months struggling with this, but if I had to do it again, I feel like I could just use this thing to zip through the process as I understand it.
Anyways, not sure if this is useful or not, but that's been my approach. I am trying to snowplow the difficulties away by creating most of the documentation up front in language that (I hope) security people will understand.