18F automates compliance documentation

18F is building an open source platform for automating system security plan (SSP) updates so agencies can easily access, update and create compliance documentation as rapidly as they deploy systems.

Currently a prototype, the Compliance Masonry platform is a content capture and management framework for documenting the usually complex and lengthy SSPs, which describe a system’s architecture, implemented security controls and overall security posture, according to 18F.

The tool is being designed to create machine-readable SSPs that update continuously with the code as the system changes, allowing agency executives, system custodians and security operations staff to interact with and update the documentation and to generate assurance reports with searchable content and testable security controls.

To build the Compliance Masonry platform, 18F stores SSP data in machine-readable YAML/JSON format using the OpenControl Schema, a machine-readable format for storing compliance documentation.

It also provides automated processes, or pipelines, for generating standardized certification documentation. There are pipelines already in place for converting these YAML/JSON SSPs to GitBooks (a GitHub tool) and to Microsoft Word, and for running more involved checks such as whether a system is using static code analysis tools.

18F took a component-first approach with the platform, meaning the SSP documentation is based on components rather than security controls. This focus will allow agencies to quickly add, adjust and remove documentation for new or updated components.
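As an added illustration of the component-first, machine-readable approach described above (this is not 18F's or Compliance Masonry's code), the script below reads constructed component records in OpenControl-style JSON and inverts them into a per-control view, flagging any required control that no component documents as fully implemented. The field names follow the OpenControl component schema as the author understands it; the component names, narratives and required-control list are made up.

```python
import json
from collections import defaultdict

# Constructed example components in OpenControl-style JSON (field names follow
# the OpenControl component schema; the components and narratives are made up).
COMPONENTS_JSON = """
[
  {"name": "Application Load Balancer",
   "satisfies": [
     {"standard_key": "NIST-800-53", "control_key": "SC-8",
      "implementation_status": "complete",
      "narrative": "TLS 1.2 is required on all public listeners."},
     {"standard_key": "NIST-800-53", "control_key": "AC-17",
      "implementation_status": "partial",
      "narrative": "Remote access is proxied through the load balancer."}]},
  {"name": "Continuous Integration",
   "satisfies": [
     {"standard_key": "NIST-800-53", "control_key": "SA-11",
      "implementation_status": "complete",
      "narrative": "Static analysis runs on every pull request."}]}
]
"""

# Constructed list of controls the (hypothetical) SSP must address.
REQUIRED_CONTROLS = ["AC-17", "SA-11", "SC-8", "SI-4"]


def coverage_report(components_json, required_controls):
    """Invert component-first documentation into a per-control view.

    Returns a dict mapping each required control key to the list of
    (component name, implementation_status) pairs that claim it; a control
    nobody claims maps to an empty list, which is a documentation gap.
    """
    components = json.loads(components_json)
    by_control = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            by_control[sat["control_key"]].append(
                (comp["name"], sat.get("implementation_status", "unknown")))
    return {key: by_control.get(key, []) for key in required_controls}


def gaps(report):
    """Controls with no component, or with no 'complete' implementation."""
    return sorted(key for key, claims in report.items()
                  if not any(status == "complete" for _, status in claims))


if __name__ == "__main__":
    report = coverage_report(COMPONENTS_JSON, REQUIRED_CONTROLS)
    for key in REQUIRED_CONTROLS:
        print(key, report[key] or "NO COMPONENT DOCUMENTS THIS CONTROL")
    print("gaps:", gaps(report))
```

Because each component carries its own control narratives, adding or retiring a component changes only that record, and the control-centric view is regenerated rather than hand-edited.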

So far, 18F is using Compliance Masonry to organize SSP documentation for Cloud.gov. The open source platform is available for use and contribution by all agencies, developers and service providers.