public SSPs? #68
Comments
Also, if you know of a team that would be willing to share their SSP(s) with another government agency, that would work too. [email protected]
As a govvie, you can certainly request access to the entire cloud.gov FedRAMP package (which includes the SSP) using the FedRAMP form and our package ID.
SSPs in other agencies will be hard to come by. AOs and CISOs will be reluctant to share even the templates. If they're willing to share, there'll be an approval process and typically an MOU. Something to be prepared for.
We are actively working to create reusable components that will generate the majority of an SSP, including not only control implementation but also templated system and technical descriptions, POCs, and various policies/plans usually found in an appendix. It is my understanding that AWS is doing the same for their related components. Doesn't help you now (as we haven't published yet) but we plan to publish all on GitHub.
Worth noting that the cloud.gov Control Implementation Summary + Customer Responsibility Matrix + Control-by-Control Inheritance spreadsheet is available publicly. Is this the case for other platforms?
cloud.gov is unique in that it took the steps to actually provide information and open source it. The majority of USG do not yet use FedRAMP, and thus their solutions to FISMA are considered legacy. I would be surprised if agencies had a matrix, if at all a RACI for these.
I suppose the OpenControl full project examples qualify here too.
I had been looking at the Azure Blueprint before, which seems to be a template for systems that are building on top of Azure. I didn't realize the Azure SSP itself is public!!! Kudos to @dlapiduz for the tip.
I'm working on a project that involves natural language processing of System Security Plans (SSPs; #65). While I will be working with SSPs from within the agency, I'm looking for others that I can test with. Do you know of any SSPs / platform SSP templates that are publicly accessible? @Jkrzy just pointed me to the Azure one via @anweiss - wondering if there are others. Thanks!