Compliance Masonry
Compliance Masonry is a command-line interface (CLI) that allows users to construct certification documentation using the OpenControl Schema. See Benefits for more explanation, and learn more in our blog post about Compliance Masonry. If you're interested in working on the code, see our developer documentation.
Quick start
- Install Go 1.6, and ensure your `GOPATH` is set. Using gvm is recommended.
- Install the tool:

      go get github.com/opencontrol/compliance-masonry

- Run the CLI:

      compliance-masonry
Creating an OpenControl project
- Start a fresh directory:

      mkdir your-project-name && cd your-project-name

- Create an `opencontrol.yaml`
- Collect dependencies:

      compliance-masonry get

The `get` command will retrieve the dependencies needed to compile documentation into an `opencontrols/` folder. You will probably want to exclude this from your version control system (e.g. add `opencontrols/` to your `.gitignore`).
Creating Gitbook Documentation
- Update dependencies:

      compliance-masonry get

- Run the gitbook command:

      compliance-masonry docs gitbook LATO
      # Or
      compliance-masonry docs gitbook FedRAMP-low

The `gitbook` command by default will create a folder called `exports` that contains the files needed to create a gitbook. Visit the gitbook documentation for more information on creating gitbooks via the CLI.
Adding additional markdown content to Gitbook documentation (optional)
Security documentation usually requires unstructured information that is not captured in the control documentation. The `markdowns` directory can be used to add this supplemental information.
- Create a `markdowns` folder in the same directory as the `opencontrol.yaml`:

      mkdir markdowns

- Create the `markdowns/SUMMARY.md` and `markdowns/README.md` documents:

      touch markdowns/SUMMARY.md
      touch markdowns/README.md

The content of the `markdowns/SUMMARY.md` and `markdowns/README.md` files, and of the files they reference, is prepended to the Gitbook documentation.
For more information on using the `SUMMARY.md` and `README.md` files, visit the Gitbook documentation. For an example `markdowns` directory, visit the cloud.gov `markdowns`.
Viewing gitbook locally in browser
Requires NodeJS. After running the steps above:
- Install the gitbook CLI:

      npm install -g gitbook-cli

- Navigate to the `exports` directory:

      cd exports

- Serve the gitbook site locally:

      gitbook serve

- Open the site: http://localhost:4000

After making any edits, view the changes by running:

    compliance-masonry get && compliance-masonry docs gitbook <certification>
Export gitbook as a PDF
- Follow the steps above.
- Navigate to the `exports` directory:

      cd exports

- Follow these instructions
Create Docx template
- Create a Word Document template that uses the following template tag format:

      Documentation for Standard: NIST-800-53 and Control: CM-2 will be rendered below
      {{ getControl "NIST-800-53@CM-2"}}
      Documentation for Standard: NIST-800-53 and Control: AC-2 will be rendered below
      {{ getControl "NIST-800-53@AC-2"}}

- Run the docx command:

      compliance-masonry docs docx -t path/to/template.docx

Running the `docx` command will by default create a file named `export.docx` in the local directory.
Gap Analysis
Use Gap Analysis to determine the difference between how many controls you have documented and the total number of controls for a given certification. Run it continually as you work to track your compliance progress.
Given you have an `opencontrol.yaml` for your project and you have already collected your dependencies via the `compliance-masonry get` command, run `compliance-masonry diff <the-certification>`:

    # Example
    $ compliance-masonry diff FedRAMP-moderate
    Number of missing controls: 5
    NIST-800-53@CP-7 (1)
    NIST-800-53@PS-2
    NIST-800-53@PS-3 (3)
    NIST-800-53@MP-5
    NIST-800-53@PS-7
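As an added example (not the project's own code), the core of such a gap analysis in Go: a certification lists the controls it requires per standard, each component lists the controls its `satisfies` entries cover, and a control is missing when no component covers it. The `Certification` and `Component` types and the sample data are constructed for this illustration; the parenthesised counts shown in the real output above are not modelled.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Certification maps a standard name to the control keys the certification
// requires, e.g. "NIST-800-53" -> ["AC-2", "CM-2", ...] (assumed shape).
type Certification map[string][]string

// Component is the part of an OpenControl component this example needs:
// standard name -> control keys its "satisfies" entries document (assumed shape).
type Component map[string][]string

// MissingControls returns every required control that no component documents,
// formatted as "Standard@Control" like the diff command's output, sorted.
func MissingControls(cert Certification, comps []Component) []string {
	documented := map[string]bool{}
	for _, c := range comps {
		for std, keys := range c {
			for _, k := range keys {
				documented[std+"@"+k] = true
			}
		}
	}
	var missing []string
	for std, keys := range cert {
		for _, k := range keys {
			if id := std + "@" + k; !documented[id] {
				missing = append(missing, id)
			}
		}
	}
	sort.Strings(missing) // deterministic output regardless of map iteration order
	return missing
}

// Report renders the result in the same shape as `compliance-masonry diff`.
func Report(missing []string) string {
	return fmt.Sprintf("Number of missing controls: %d\n%s", len(missing), strings.Join(missing, "\n"))
}

func main() {
	// Constructed sample data, not a real certification or real components.
	cert := Certification{"NIST-800-53": {"AC-2", "CM-2", "CP-7", "PS-2"}}
	comps := []Component{
		{"NIST-800-53": {"AC-2"}},         // e.g. an identity component
		{"NIST-800-53": {"CM-2", "AU-2"}}, // AU-2 is documented but not required here
	}
	fmt.Println(Report(MissingControls(cert, comps)))
}
```

A CI job can fail the build whenever the returned slice is non-empty, which turns the gap analysis into a gate rather than a report.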
Examples
Compliance Masonry examples in the wild (in order of completeness):
Compliance Masonry uses the OpenControl v2 Schema.
Benefits
Modern applications are built on existing systems such as S3, EC2, and Cloud Foundry. Documentation for how these underlying systems fulfill NIST controls or PCI SSC Data Security Standards is a prerequisite for receiving an authorization to operate (ATO). Unlike most System Security Plan documentation, Compliance Masonry documentation is built using the OpenControl Schema, a machine-readable format for storing compliance documentation.
Compliance Masonry simplifies the process of producing certification documentation by providing:
- a data store for certifications (e.g. FISMA), standards (e.g. NIST-800-53), and the individual system components (e.g. AWS-EC2).
- a way for government projects to edit existing files and also add new control files for their applications and organizations.
- a pipeline for generating clean and standardized certification documentation.