
CivicActions/ssp-toolkit


Auto-generated System Security Plan (SSP)

Overview

This repository contains documents and scripts that can be used to create and maintain a System Security Plan (SSP) as required by the Risk Management Framework (RMF) version 1. Included are examples of SSP "front matter", control implementation statements (as defined in NIST SP 800-53r4 along with the Privacy Overlay), and a collection of appendices.

We understand that version 2 of the Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (RMFv2) has been released, and we plan to update this repository to include the controls defined in NIST SP 800-53r5 (draft) once it is finalized.

Control templates are in machine readable (OpenControl) YAML files. The intention is to enable these files to be updated automatically by gathering evidence on the state of the running system.

System Security Plan sections

A current version can be viewed in Git Markdown from this repository:

Disclaimer

The contents of these pages are provided as an information guide only. They are intended to enhance compliance understanding and are not intended to be used directly as a System Security Plan without agency-specific review.

Prerequisites

You will need docker and docker-compose running locally in a bash-compatible shell. Both can be obtained by installing Docker Desktop. Confirm they are available with:

docker --version
docker-compose --version

Activate your environment

We use the bowline docker sandbox helper to instantiate local containers with compliancetools and secrender. The following two commands will activate your local environment, setting up local aliases for the bowline-exposed commands which are described below.

docker-compose pull
source activate

Generating the documentation

To update the local Markdown and/or to create new exportable files, perform the following steps:

  1. Create/update the front matter, components and appendices using templates and keys:

    createfiles -i configuration.yaml -t templates
  2. Generate Markdown versions of the RMF control implementation family files in the /docs/controls/ directory:

    mkdir -p docs/controls
    makefamilies
  3. Generate Standard Operating Procedure (SOP) docs (from components/ and keys/sop.yaml) in the docs/sop directory:

    sop -i configuration.yaml -c components -o docs
  4. Generate Microsoft Word (.docx) versions of the control family files (see the docx/ directory):

    exportto -c docs/controls
  5. Generate Microsoft Word (.docx) versions of the appendices and front matter (also in the docx/ directory):

    ./makeDocx.sh
  6. Generate a responsibility matrix with:

    creatematrix
  7. Optional (and temporary) hack to add a Table of Contents (requires https://github.com/ekalinin/github-markdown-toc v0.5+ with gh-md-toc in your shell search path):

    ./makeDocsTOC.sh

OpenControl and OSCAL

The SSP-Toolkit currently uses an extended OpenControl format in which each component keeps its controls in separate RMF control family files. Use the compliance-io tools to convert the SSP-Toolkit into a compliance-masonry-friendly OpenControl directory and, from that, generate an OSCAL component definition:

# You may want to create a python virtual environment for the pip install
pip install git+https://github.com/civicactions/compliance-io.git@main#egg=complianceio
mkdir opencontrol oscal
python library/defenestrate.py opencontrol.yaml opencontrol
python library/oc_to_oscal_components.py opencontrol/opencontrol.yaml > oscal/ssp-toolkit.json

See the compliance-io/README.md for more information.
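Both the responsibility matrix step above and the OpenControl-to-OSCAL conversion operate on OpenControl component records. The Python below is an added example, not code from the ssp-toolkit or compliance-io projects: it lints constructed component records for statements that could not go into an SSP as they stand (invalid implementation_status, empty narrative), builds a control-to-component responsibility matrix, lists baseline controls no component covers, and emits a minimal OSCAL component-definition. The component records, the baseline list and the catalog URL are constructed for the example; the OSCAL field names are as assumed from the OSCAL 1.0 component-definition model and are not what compliance-io's oc_to_oscal_components.py produces.

```python
"""Lint, responsibility matrix and OSCAL export for OpenControl component records.

Added example, not code from the ssp-toolkit repository. The records below are
constructed to follow the OpenControl component schema (name, key, satisfies[]
with control_key / standard_key / implementation_status / narrative[]); the
control text is invented. Parsed YAML would normally come from yaml.safe_load();
plain dicts are used so the example runs with the standard library only.
"""
import uuid
from collections import defaultdict
from datetime import datetime, timezone

VALID_STATUSES = {"complete", "partial", "planned", "none"}  # OpenControl implementation_status values


def _sat(control, status, text):
    """Shorthand for one constructed 'satisfies' entry."""
    return {"control_key": control, "standard_key": "NIST-800-53",
            "implementation_status": status,
            "narrative": [{"text": text}] if text else []}


# Constructed sample components (two of the kind ssp-toolkit keeps per RMF family).
COMPONENTS = [
    {"name": "Application Hosting", "key": "app_hosting", "satisfies": [
        _sat("AC-2", "complete", "Accounts are provisioned through the identity provider."),
        _sat("AU-2", "partial", "Audit events are forwarded to the central log service."),
    ]},
    {"name": "Identity Service", "key": "identity", "satisfies": [
        _sat("AC-2", "complete", "Accounts expire after 90 days of inactivity."),
        _sat("IA-2", "planned", ""),  # empty narrative: should be flagged
        _sat("IA-5", "done", "Password policy is enforced by the IdP."),  # invalid status
    ]},
]
BASELINE = ["AC-2", "AU-2", "IA-2", "IA-5", "SC-7"]  # constructed: controls the SSP must cover


def lint_components(components):
    """Findings for control statements that cannot go into an SSP as they stand."""
    findings = []
    for comp in components:
        for sat in comp.get("satisfies", []):
            where = f"{comp['key']}:{sat.get('control_key', '?')}"
            if not sat.get("control_key"):
                findings.append(f"{where}: missing control_key")
            status = sat.get("implementation_status")
            if status not in VALID_STATUSES:
                findings.append(f"{where}: invalid implementation_status {status!r}")
            if not any(n.get("text", "").strip() for n in sat.get("narrative", [])):
                findings.append(f"{where}: empty narrative")
    return findings


def responsibility_matrix(components):
    """control_key -> sorted component keys that implement it (what a responsibility matrix tabulates)."""
    matrix = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            matrix[sat["control_key"]].append(comp["key"])
    return {k: sorted(v) for k, v in sorted(matrix.items())}


def uncovered_controls(components, baseline):
    """Baseline controls no component claims: gaps the SSP must still address."""
    covered = responsibility_matrix(components)
    return [c for c in baseline if c not in covered]


def to_oscal_component_definition(components, title, catalog_url):
    """Minimal OSCAL component-definition (field names as assumed from the OSCAL 1.0
    model; not the output of compliance-io's oc_to_oscal_components.py)."""
    def det_uuid(*parts):  # deterministic UUIDs so reruns yield identical documents
        return str(uuid.uuid5(uuid.NAMESPACE_URL, "/".join(parts)))

    oscal_components = []
    for comp in components:
        reqs = [{"uuid": det_uuid(comp["key"], s["control_key"]),
                 "control-id": s["control_key"].lower(),  # OSCAL control ids are lower case: ac-2
                 "description": " ".join(n["text"] for n in s.get("narrative", [])).strip()}
                for s in comp.get("satisfies", [])]
        oscal_components.append({
            "uuid": det_uuid(comp["key"]), "type": "software",
            "title": comp["name"], "description": comp["name"],
            "control-implementations": [{
                "uuid": det_uuid(comp["key"], "impl"), "source": catalog_url,
                "description": f"Controls implemented by {comp['name']}",
                "implemented-requirements": reqs}],
        })
    return {"component-definition": {
        "uuid": det_uuid(title),
        "metadata": {"title": title, "version": "0.1", "oscal-version": "1.0.4",
                     "last-modified": datetime.now(timezone.utc).isoformat()},
        "components": oscal_components}}


if __name__ == "__main__":
    for finding in lint_components(COMPONENTS):
        print("FINDING", finding)
    print(responsibility_matrix(COMPONENTS))
    print("uncovered:", uncovered_controls(COMPONENTS, BASELINE))
    doc = to_oscal_component_definition(COMPONENTS, "ssp-toolkit sample",
                                        "https://example.invalid/PLACEHOLDER-catalog.json")
    print(len(doc["component-definition"]["components"]), "OSCAL components")
```

Running the lint before the docx export is the useful order: a control statement with an empty narrative or an unknown status renders into the SSP as a blank or nonsensical implementation statement, which is exactly what an assessor will flag. The deterministic UUIDs mean a regenerated OSCAL file diffs cleanly against the previous one, so only real content changes show up in review.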

License

GNU General Public License v3.0 or later. Some portions of this work were produced under a Government contract and are licensed under the terms of Creative Commons Zero v1.0 Universal.

SPDX-License-Identifier: GPL-3.0-or-later

Copyright 2019-2024 CivicActions, Inc.

About

Automate the creation of a System Security Plan (SSP)
