Compliance Masonry allows users to construct certification documentation, which is required for approval of government IT systems and applications. See Benefits for more explanation.
Alpha note: Compliance Masonry is an emerging project. We recognize that in its current state, Compliance Masonry's user experience still needs to mature. Nevertheless, we are "eating our own dog food" and working to make continuous improvements.
Compliance Masonry examples in the wild:
Install with:

```
pip install git+https://github.com/opencontrol/compliance-masonry.git
```

Usage:

```
masonry init
# Creates a new data directory called data, containing certifications, standards, and components folders.
masonry new system system_key
# Creates a new system template at data/components/system_key/
masonry new component system_key component_key
# Creates a new component template at data/components/system_key/component_key/
masonry certs FedRAMP-low
# Creates certification yamls in exports/certifications
masonry docs gitbook FedRAMP-low
# Generates the markdown for a gitbook.
masonry inventory FedRAMP-low
# Generates a yaml inventory listing missing certification and component documentation.
```
General documentation can be concatenated into the gitbook documentation by placing gitbook-compatible markdown in the data/markdowns/gitbook directory.
```
components/
  system_key/
    system.yaml
    component_key/
      component.yaml
      image.png
      table.md
```
System documentation (system.yaml) holds the system name:

```yaml
name: System Name
```
Component documentation contains information about individual system components and the standards they satisfy.
```yaml
name: Amazon Elastic Compute Cloud # Name of the component
documentation_complete: false # Manual check if the documentation is complete (for gap analysis)
references:
  - name: Reference # Name of the reference, i.e. EC2 website
    path: Reference Path # Relative path of local file or URL
    type: Image # Type of reference (will affect how it's rendered in the documentation)
verifications:
  EC2_Verification_1: # ID of verification
    name: EC2 Verification 1 # Name of verification
    path: Verification 1 URL # URL of the verification
    type: Image # Type of reference (will affect how it's rendered in the documentation)
  EC2_Verification_2:
    name: EC2 Governor 2
    path: Verification 2 URL
    type: Image
satisfies:
  NIST-800-53:
    CM-2:
      narrative: Justification in narrative form # Justification text
      implementation_status: partial # Manual status of implementation (for gap analysis)
      references:
        - verification: EC2_Verification_1 # The specific verification ID that the reference links to; no component or system is needed for internal references
        - system: CloudFoundry # System name of the verification (can link to other systems / components)
          component: UAA # Component name of the verification (can link to other systems / components)
          verification: UAA_Verification_1 # The specific verification ID that the reference links to
```
Standards files contain information about security standards.

```yaml
# nist-800-53.yaml
standards:
  C-2:
    name: User Access
    description: There is an affordance for managing access by...
```

```yaml
# PCI.yaml
standards:
  Regulation-6:
    name: User Access PCI
    description: There is an affordance for managing access by...
```
Certification files are empty yamls used for creating certification documentation. They serve as a template for combining control and standard yamls: the certification lists which controls of which standards it requires, and the components' `satisfies` entries are matched against that list.

```yaml
# Fisma.yaml
standards:
  nist-800-53:
    C-2:
    C-3:
  PCI:
    6:
```
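To make the relationships between the three file types concrete, here is an added example in Python (not part of Compliance Masonry, and not how `masonry` itself is implemented) that cross-checks a component's `satisfies` references against the standards and verification IDs, then builds the kind of gap inventory that `masonry inventory` reports. The dicts are constructed sample data in the shape `yaml.safe_load()` returns for the files above; the component keys `("AWS", "EC2")` and `("CloudFoundry", "UAA")`, the control `CM-3`, and the dangling `EC2_Verification_9` are assumptions made for the example. Standard and control keys are spelled identically in every file, which the real files must also do for references to resolve.

```python
"""Cross-check Compliance Masonry data files and build a gap inventory.

Added example, not part of Compliance Masonry. The dicts are the parsed
form of component, standards and certification YAML (constructed data).
"""
from collections import defaultdict

STANDARDS = {
    "NIST-800-53": {"CM-2": {"name": "Baseline Configuration"},
                    "CM-3": {"name": "Configuration Change Control"}},
    "PCI": {"6": {"name": "User Access PCI"}},
}
CERTIFICATION = {"standards": {"NIST-800-53": {"CM-2": None, "CM-3": None}, "PCI": {"6": None}}}
COMPONENTS = {  # keyed by (system_key, component_key), i.e. data/components/<system>/<component>/
    ("AWS", "EC2"): {
        "documentation_complete": False,
        "verifications": {"EC2_Verification_1": {"path": "ec2.png", "type": "Image"}},
        "satisfies": {"NIST-800-53": {"CM-2": {
            "narrative": "Instances launch from a hardened baseline AMI.",
            "implementation_status": "partial",
            "references": [
                {"verification": "EC2_Verification_1"},  # internal reference
                {"system": "CloudFoundry", "component": "UAA", "verification": "UAA_Verification_1"},
                {"verification": "EC2_Verification_9"},  # deliberately dangling (assumed)
            ]}}},
    },
    ("CloudFoundry", "UAA"): {
        "documentation_complete": True,
        "verifications": {"UAA_Verification_1": {"path": "uaa.png", "type": "Image"}},
        "satisfies": {"PCI": {"6": {
            "narrative": "Access is granted per role through UAA scopes.",
            "implementation_status": "complete",
            "references": [{"verification": "UAA_Verification_1"}]}}},
    },
}


def check_references(components, standards):
    """List satisfies entries naming an unknown standard or control, and
    references whose verification ID is missing from the component they point at."""
    problems = []
    for (system, comp_key), comp in components.items():
        where = f"{system}/{comp_key}"
        for std, controls in comp.get("satisfies", {}).items():
            if std not in standards:
                problems.append(f"{where}: unknown standard {std}")
                continue
            for ctrl, entry in controls.items():
                # YAML parses an unquoted key such as `6:` as an int, so compare as str.
                if str(ctrl) not in standards[std]:
                    problems.append(f"{where}: unknown control {std} {ctrl}")
                for ref in entry.get("references", []):
                    if "system" in ref:  # external: resolve against the named system/component
                        target = components.get((ref["system"], ref.get("component")))
                    else:  # internal: the verification lives in this component
                        target = comp
                    if target is None:
                        problems.append(f"{where}: {std} {ctrl} references unknown component "
                                        f"{ref['system']}/{ref.get('component')}")
                    elif ref.get("verification") not in target.get("verifications", {}):
                        problems.append(f"{where}: {std} {ctrl} references unknown verification "
                                        f"{ref.get('verification')}")
    return problems


def inventory(certification, components):
    """Map every control the certification requires to the (component, status)
    pairs documenting it. An empty list is a gap, which is what
    `masonry inventory` exists to surface."""
    coverage = defaultdict(list)
    for (system, comp_key), comp in components.items():
        for std, controls in comp.get("satisfies", {}).items():
            for ctrl, entry in controls.items():
                coverage[(std, str(ctrl))].append(
                    (f"{system}/{comp_key}", entry.get("implementation_status", "none")))
    return {f"{std} {ctrl}": coverage.get((std, str(ctrl)), [])
            for std, controls in certification["standards"].items() for ctrl in controls}


def missing_controls(certification, components):
    """Required controls that no component claims to satisfy."""
    return sorted(k for k, v in inventory(certification, components).items() if not v)


def incomplete_components(components):
    """Components whose owners have not yet set documentation_complete: true."""
    return sorted(f"{s}/{c}" for (s, c), comp in components.items()
                  if not comp.get("documentation_complete"))


if __name__ == "__main__":
    for p in check_references(COMPONENTS, STANDARDS):
        print("BROKEN:", p)
    for ctrl, docs in inventory(CERTIFICATION, COMPONENTS).items():
        print(ctrl, "->", docs or "MISSING")
    print("incomplete:", incomplete_components(COMPONENTS))
```

Run as a script it flags the dangling `EC2_Verification_9` reference, reports `NIST-800-53 CM-3` as missing, and lists `AWS/EC2` as not yet marked complete. The `str(ctrl)` normalisation matters in practice: a bare `6:` in a certification yaml loads as an integer while `"6"` in a component loads as a string, and without it the two never match.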
Modern applications are built on existing systems such as S3, EC2, and Cloud Foundry. Documentation for how these underlying systems fulfill NIST controls or PCI SSC Data Security Standards is a prerequisite for receiving authorization to operate (ATO). Unlike most System Security Plan documentation, Compliance Masonry documentation is organized by components making it easier for engineers and security teams to collaborate.
Compliance Masonry simplifies the process of producing certification documentation by providing:
- a data store for certifications (e.g. FISMA), standards (e.g. NIST-800-53), and the individual system components (e.g. AWS-EC2).
- a way for government projects to edit existing files and also add new control files for their applications and organizations.
- a pipeline for generating clean and standardized certification documentation.
(Here's the .gliffy source.)