has anyone done textual analysis of SSPs, or tried automating feedback on them?

[afeld]

The short version:

We are working to reduce time to ATO by building a tool to give automated feedback on SSPs. If you:

• Have worked in this space
• Know of any relevant tools/efforts we should know about
• Are interested in collaborating on it
• Know any assessors (any agency) who would be willing to chat with us

please reach out! [email protected]

The long version:

I’m an employee at the Census Bureau, and like anyone doing technology in/around federal government, security compliance is time consuming for us. In particular, there was a pain point identified around the back-and-forth between delivery teams and assessors during the Authority to Operate (ATO) process. This happens at the Implement/Assess Controls steps of the Risk Management Framework:

Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours and stretching out the time before the project can actually deliver value to users.

We got funding internally to work on this problem, to try and reduce this turnaround time. The idea is to have a tool to give automated feedback on security control responses. The working title is "FISMAtic"; think “Clippy for ATOs” 😉 To get there, we are planning to use natural language processing to do analysis of past SSPs, to find things like “what are terms that are commonly present in this control?”

If you’ve worked in this space or are interested in collaborating, please reach out! [email protected]

Thanks!

cc @gregelin @JJediny

[trevorbryant]

I think this would be a good time to revisit #25 by @trevor-vaughan as they actively in this space of automating IA efforts and reducing ATO's delivery times.

My specific experience in this space is pushing agency's to create methods for "live" documentation in which CM Plans, SSP's, etc are created and/or updated as Docs As Code during the SDLC and integrated into CI/CD pipelines. However, that idea may be out of scope for this if OpenControl is housing schema and not necessarily targeting Enterprise solutions.

[afeld]

There's now a repository, if anyone is interested in following along: https://github.com/uscensusbureau/fismatic

[trevor-vaughan]

Here's a swipe at something I did a while ago. It works reasonably well for creating the SSP templates and letting people know what to do: https://github.com/simp/NIST-800-18-SSP_Template

[afeld]

Updated the "Short version" up top with what I'm looking for.

Also looking for assessors to talk to for their perspective - any agency. Please connect me if you know of anyone!

[openprivacy]

This would be a natural language-based SSP "linter" to check work after creation? Looks like a super useful tool, particularly for organizational controls.

I've been exploring building reusable components ("system elements" in RMFv2-speak) that embed control/guidance specific language into their templates. For technical controls, these components would pair with a verifier that gathers evidence and scores against a baseline, for which (in some cases) there could be default values. Perhaps a post processor that ranks "control coverage" could be included as part of FISMAtic (I like the name!).

[afeld]

Update on the Discovery: going well - learning a ton! At this point, looking to talk with people that have:

• Been involved in a number of ATOs on the assessment side (ISSM/ISSEs)
• Done market research on tools that deal with compliance documentation (Archer, GovReady, Xacta, etc.)

If anyone has any leads, please introduce!

This would be a natural language-based SSP "linter" to check work after creation?

During and/or after, yep!

embed control/guidance specific language into their templates

cc uscensusbureau/fismatic#20

control coverage

Compliance Masonry refers to this as gap analysis.

[afeld]

In case anyone's interested, posted the summary of our research interviews for your enjoyment.

[trevor-vaughan]

@afeld Where would you like discussion on the summary?

[afeld]

Hmmmm... no strong feelings. Here is fine, or perhaps an issue on the FISMAtic repository if [a piece of] feedback warrants its own discussion thread. Thanks for asking!

[afeld]

On second thought, let's do an issue there, and keep this thread for soliciting collaborators. Thanks!

[its-a-lisa]

Awesome! Suggest closing considering this announcement is over a year old.