
azeswitz/compliance-masonry


Compliance Masonry - Alpha


About

Compliance Masonry allows users to construct certification documentation, which is required for approval of government IT systems and applications. See Benefits for more explanation.

Alpha note: Compliance Masonry is an emerging project. We recognize that in its current state, Compliance Masonry's user experience still needs to mature. Nevertheless, we are "eating our own dog food" and working to make continuous improvements.

Examples

Compliance Masonry examples in the wild:

Quick Start with CLI

Installing

  1. Install Python 3.

  2. Install Node.js.

  3. Install gitbook.

  4. Run

    pip install git+https://github.com/opencontrol/compliance-masonry.git

New Masonry Project

masonry init

A new directory called data will be created, containing the certifications, standards, and components folders.

New System Template

masonry new system system_key

A new system template will be created at data/components/system_key/

New Component Template

masonry new component system_key component_key

A new component template will be created at data/components/system_key/component_key

Create certification yamls

masonry certs FedRAMP-low

Creates the certification yamls in exports/certifications.

Create documentations

masonry docs gitbook FedRAMP-low

Generates the markdown files for a gitbook.

Create Inventory

masonry inventory FedRAMP-low

Generates a yaml inventory listing missing certification and component documentation.

Add General Documentation

General documentation can be appended to the gitbook documentation by placing gitbook-compatible markdown in the data/markdowns/gitbook directory.

Documentation Format

Component File Organization

components/
  system_key/
    system.yaml
    component_key/
      component.yaml
      image.png
      table.md

System yaml

name: System Name

Component yaml

Component documentation contains information about individual system components and the standards they satisfy.

name: Amazon Elastic Compute Cloud # Name of the component
documentation_complete: false # Manual check if the documentation is complete (for gap analysis)
references:
  - name: Reference  # Name of the reference, e.g. EC2 website
    path: Reference Path  # Relative path of local file or URL
    type: Image # Image type of reference (will affect how it's rendered in the documentation)
verifications:
  EC2_Verification_1: # ID of verification
    name: EC2 Verification 1  # Name of verification
    path: Verification 1 URL #  URL of the verification
    type: Image # Image type of reference (will affect how it's rendered in the documentation)
  EC2_Verification_2:
    name: EC2 Governor 2
    path: Verification 2 URL
    type: Image
satisfies:
  NIST-800-53:
    CM-2:
      narrative: Justification in narrative form # Justification text
      implementation_status: partial # Manual status of implementation (for gap analysis)
      references:
        - verification: EC2_Verification_1 # The specific verification ID that the reference links, no component or system is needed for internal references
        - system: CloudFoundry  # System name of the verification (can link to other systems / components)
          component: UAA  # Component name of the verification (can link to other systems / components)
          verification: UAA_Verification_1 # The specific verification ID that the reference links to

Standards Documentation

Standards yamls contain information about security standards.

# nist-800-53.yaml
standards:
  C-2:
    name: User Access
    description: There is an affordance for managing access by...

# PCI.yaml
standards:
  Regulation-6:
    name: User Access PCI
    description: There is an affordance for managing access by...

Certifications

Empty yamls used for creating certification documentation. They serve as a template for combining the controls and standards yamls.

# Fisma.yaml
standards:
  nist-800-53:
    C-2:
    C-3:
  PCI:
    6:
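The component yaml above links controls to verification IDs, and the certification yaml lists which controls a certification requires; the following added example (not part of Compliance Masonry, with constructed sample data) checks both: it flags internal references whose verification ID is not defined in the component, and builds the per-control gap-analysis inventory the masonry inventory command is described as producing. The dicts stand in for what yaml.safe_load would return for such files.

```python
# Added example, not part of Compliance Masonry: checks a component.yaml and a
# certification yaml in the formats shown above. The dicts mirror what
# yaml.safe_load would return for such files (all values are constructed).
COMPONENT = {  # data/components/AWS/EC2/component.yaml (constructed)
    "name": "Amazon Elastic Compute Cloud",
    "documentation_complete": False,
    "verifications": {"EC2_Verification_1": {"name": "EC2 Verification 1", "path": "v1.png", "type": "Image"}},
    "satisfies": {"NIST-800-53": {"CM-2": {
        "implementation_status": "partial",
        "references": [
            {"verification": "EC2_Verification_1"},  # internal, defined above
            {"verification": "EC2_Verification_9"},  # internal, dangling (typo)
            {"system": "CloudFoundry", "component": "UAA",
             "verification": "UAA_Verification_1"},  # external, resolved elsewhere
        ]}}},
}
CERTIFICATION = {"standards": {"NIST-800-53": {"CM-2": None, "AC-2": None}}}  # Fisma.yaml (constructed)


def dangling_references(component):
    # Internal references (no system/component key) must name a verification
    # ID defined in this component's own verifications section.
    defined = set(component.get("verifications", {}))
    missing = []
    for standard, controls in component.get("satisfies", {}).items():
        for control, entry in controls.items():
            for ref in entry.get("references", []):
                if "system" in ref or "component" in ref:
                    continue  # cross-component link, checked against other files
                if ref.get("verification") not in defined:
                    missing.append((standard, control, ref.get("verification")))
    return missing


def inventory(certification, components):
    # Gap analysis: for every control the certification requires, report the
    # implementation_status claimed by a component, or "missing" if none does.
    report = {}
    for standard, controls in certification["standards"].items():
        for control in controls:
            status = "missing"
            for comp in components:
                entry = (comp.get("satisfies", {}).get(standard) or {}).get(control)
                if entry:
                    status = entry.get("implementation_status", "unknown")
            report[f"{standard}/{control}"] = status
    return report
```

Running dangling_references(COMPONENT) reports the CM-2 reference to EC2_Verification_9, and inventory(CERTIFICATION, [COMPONENT]) marks CM-2 as partial and AC-2 as missing.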

Benefits

Modern applications are built on existing systems such as S3, EC2, and Cloud Foundry. Documentation for how these underlying systems fulfill NIST controls or PCI SSC Data Security Standards is a prerequisite for receiving authorization to operate (ATO). Unlike most System Security Plan documentation, Compliance Masonry documentation is organized by components making it easier for engineers and security teams to collaborate.

Compliance Masonry simplifies the process of producing certification documentation by providing:

  1. a data store for certifications (e.g. FISMA), standards (e.g. NIST-800-53), and the individual system components (e.g. AWS-EC2).
  2. a way for government projects to edit existing files and also add new control files for their applications and organizations.
  3. a pipeline for generating clean and standardized certification documentation.

Long Term Plan Diagram

compliance-masonry (Here's the .gliffy source.)

Data Flow Diagram

compliance-masonry
