add project goals and background to the README #19

Merged (2 commits), Apr 24, 2019
28 changes: 27 additions & 1 deletion README.md
@@ -1 +1,27 @@
# fismatic
# FISMAtic

The goal of FISMAtic is to reduce the amount of time spent authoring, reviewing, and editing the security compliance documentation leading up to an Authority to Operate (ATO). We plan to build prototype(s) that:

- Automate validation of and feedback on security compliance documentation
- Think "Clippy for ATOs" :eyes: :paperclip: :lock:
- Help compliance teams select security controls that are appropriate to a system (tailored baselines)
- This can cut out time spent around irrelevant controls in all other steps of the compliance lifecycle

## Background

"The ATO process", as it's commonly called, is formally defined in the National Institute of Standards & Technology (NIST)'s [Risk Management Framework (RMF)](<https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview>):

<img alt="NIST Risk Management Framework diagram" width="500" src="https://csrc.nist.gov/CSRC/media/Projects/Risk-Management/images-media/OrgRMF_v3.png"/>

Security compliance is time consuming (and therefore expensive) for most organizations in and around the federal government. Two particular pain points were identified:

- Select[ing] Controls that are appropriate for a given system
- The back-and-forth between delivery teams and assessors Implement/Assess[ing the] Controls

Delivery teams, who may or may not have experience writing System Security Plans (SSPs), spend a lot of time working on the language for security controls. This is then sent to the assessor, who may be pointing out common mistakes. Each of these back-and-forths can take days or weeks, costing staff hours on both sides and stretching out the time before the project can actually deliver value to users.

**Our hypothesis is that we can reduce the time spent on the Select, Implement, and Assess Controls steps of the RMF through tooling.**

## Call for collaborators

If you’ve worked in this space or are interested in collaborating, please reach out in an issue or by email. Thanks! [email protected]
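Review bot: the contact address at the end of the "Call for collaborators" section reads "[email protected]", which looks like an obfuscated or placeholder value rather than a real mailbox; either put the actual address in (ideally as a `mailto:` link, e.g. `[email the team](mailto:...)`) or drop it and point only at the issue tracker, so readers are not sent to a dead address. Two smaller points in the same hunk: the items "Think "Clippy for ATOs"" and "This can cut out time spent around irrelevant controls..." read as sub-bullets of the items above them but show no indentation here, so the list will render flat unless they are indented by two spaces under their parent; and the bracketed edits in "Select[ing] Controls" and "Implement/Assess[ing the] Controls" are an editorial convention that reads oddly in a README, so it would be clearer to spell the step names out plainly (e.g. "Selecting controls that are appropriate for a given system").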