From 475074c8401e41199444daaa3b741a7ea0cb1dda Mon Sep 17 00:00:00 2001 From: Aidan Feldman Date: Tue, 23 Apr 2019 20:37:56 -0400 Subject: [PATCH 1/2] add project goals and background to the README --- README.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fa35758..024f3b6 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,27 @@ -# fismatic \ No newline at end of file +# FISMAtic + +The goal of FISMAtic is to reduce the amount of time spent authoring, reviewing, and editing the security compliance documentation leading up to an Authority to Operate (ATO). We plan to build prototype(s) that: + +- Automate validation of and feedback on security compliance documentation + - Think "Clippy for ATOs" :eyes: :paperclip: :lock: +- Help compliance teams select security controls that are appropriate to a system (tailored baselines) + - This can cut out time spent around irrelevant controls in all other steps of the compliance lifecycle + +## Background + +"The ATO process", as it's commonly called, is formally defined in the National Institute of Standards & Technology (NIST)'s [Risk Management Framework (RMF)](): + +![NIST Risk Management Framework diagram](https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/images-media/OrgRMF_v3.png) + +Security compliance is time consuming (and therefore expensive) for most organizations in and around the federal government. Two particular pain points were identified: + +- Select[ing] Controls that are appropriate for a given system +- The back-and-forth between delivery teams and assessors Implement/Assess[ing the] Controls + +Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours on both sides and stretching out the time before the project can actually deliver value to users. + +**Our hypothesis is that we can reduce the time spent on the Select, Implement, and Assess Controls steps of the RMF through tooling.** + +## Call for collaborators + +If you’ve worked in this space or are interested in collaborating, please reach out in an issue or by email. Thanks! aidan.l.feldman@census.gov 
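Review bot: the RMF link in the Background section has an empty target, `[Risk Management Framework (RMF)]()`, so it renders as a dead link on GitHub; fill in the NIST RMF page URL before merging. Minor: the diagram is hotlinked from csrc.nist.gov, so the README depends on that host keeping the image path stable; consider committing a copy of the image with attribution instead.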
From e4f3c4b505f04d77b612472c486ee4812d74b09f Mon Sep 17 00:00:00 2001 From: Aidan Feldman Date: Tue, 23 Apr 2019 20:42:31 -0400 Subject: [PATCH 2/2] shrink the RMF diagram --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 024f3b6..e4dd8ed 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ The goal of FISMAtic is to reduce the amount of time spent authoring, reviewing, "The ATO process", as it's commonly called, is formally defined in the National Institute of Standards & Technology (NIST)'s [Risk Management Framework (RMF)](): -![NIST Risk Management Framework diagram](https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/images-media/OrgRMF_v3.png) +NIST Risk Management Framework diagram Security compliance is time consuming (and therefore expensive) for most organizations in and around the federal government. Two particular pain points were identified:
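Review bot: the replacement line `+NIST Risk Management Framework diagram` is plain text, not a smaller image, so this hunk removes the diagram entirely rather than shrinking it as the subject line says; if the intent was an HTML `<img>` with a `width` attribute, it is not present in the hunk. The empty link target `[Risk Management Framework (RMF)]()` in the unchanged context line above it is also still unfixed.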