Merge pull request #19 from uscensusbureau/readme
add project goals and background to the README
afeld authored Apr 24, 2019
2 parents 6002af8 + e4f3c4b commit 4f7d430
Showing 1 changed file with 27 additions and 1 deletion.
28 changes: 27 additions & 1 deletion README.md
@@ -1 +1,27 @@
# fismatic
# FISMAtic

The goal of FISMAtic is to reduce the amount of time spent authoring, reviewing, and editing the security compliance documentation leading up to an Authority to Operate (ATO). We plan to build prototype(s) that:

- Automate validation of and feedback on security compliance documentation
- Think "Clippy for ATOs" :eyes: :paperclip: :lock:
- Help compliance teams select security controls that are appropriate to a system (tailored baselines)
- This can cut out time spent around irrelevant controls in all other steps of the compliance lifecycle

## Background

"The ATO process", as it's commonly called, is formally defined in the National Institute of Standards & Technology (NIST)'s [Risk Management Framework (RMF)](<https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview>):

<img alt="NIST Risk Management Framework diagram" width="500" src="https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/images-media/OrgRMF_v3.png"/>

Security compliance is time consuming (and therefore expensive) for most organizations in and around the federal government. Two particular pain points were identified:

- Select[ing] Controls that are appropriate for a given system
- The back-and-forth between delivery teams and assessors Implement/Assess[ing the] Controls

Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours on both sides and stretching out the time before the project can actually deliver value to users.

**Our hypothesis is that we can reduce the time spent on the Select, Implement, and Assess Controls steps of the RMF through tooling.**

## Call for collaborators

If you’ve worked in this space or are interested in collaborating, please reach out in an issue or by email. Thanks! [email protected]
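Review bot: the Background section states "Two particular pain points were identified" without saying who identified them or how (interviews, a prior assessment, a report), so a reader cannot weigh the bolded hypothesis that rests on them; add a sentence or a link naming the source of that finding, e.g. after "Two particular pain points were identified:". A smaller point in the same section: the RMF diagram is hot-linked from csrc.nist.gov, so the README loses its figure if NIST moves or renames the image; consider committing a copy of the image to the repository with attribution and pointing the `src` attribute at that local file.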
