zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-07-21 10:16:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add compliance documentation to source control (#116)

Browse source 
* add initial setup of compliance-trestle
This commit is contained in:
Logan McDonald 2022-09-14 08:46:43 -04:00 committed by GitHub
parent 42ac5c98ac
commit 1d3dfdb8d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
313 changed files with 17974 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
.gitignore vendored
View file

@ -21,6 +21,8 @@ __pycache__/
build/
develop-eggs/
dist/
# We do want the dist in compliance documentation
!docs/compliance/dist
downloads/
eggs/
.eggs/
@ -156,3 +158,6 @@ node_modules
# Vim
*.swp
# Compliance/trestle related
docs/compliance/.trestle/cache

0
docs/compliance/.trestle/.keep Normal file
View file

27
docs/compliance/.trestle/config.ini Normal file
View file

@ -0,0 +1,27 @@
[catalog]
decomposition_rules = ['catalog.groups.*.controls.*']
create_number_of_groups = 2
create_number_of_controls = 2
[profile]
decomposition_rules = []
[target-definition]
decomposition_rules = ['target-definition.targets.*.target-control-implementations.*']
create_number_of_targets = 2
create_number_of_target_control_implementations = 2
[component-definition]
decomposition_rules = []
[system-security-plan]
decomposition_rules = []
[assessment-plan]
decomposition_rules = []
[assessment-result]
decomposition_rules = []
[plan-of-action-and-milestone]
decomposition_rules = []

11
docs/compliance/Makefile Normal file
View file

@ -0,0 +1,11 @@
generate-with-header:
trestle author ssp-generate -p ato -o dist/system-security-plans/ato -y status_header.yaml
generate:
trestle author ssp-generate -p ato -o dist/system-security-plans/ato
assemble:
trestle author ssp-assemble --markdown dist/system-security-plans/ --output ato
status:
grep -R "\- c\-" dist/system-security-plans/* | cut -d':' -f2 | sed -E 's/^.*(c-)/\1/' | sort | uniq -c

12
docs/compliance/Pipfile Normal file
View file

@ -0,0 +1,12 @@
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
[packages]
compliance-trestle = "*"
[dev-packages]
[requires]
python_version = "3.10"

876
docs/compliance/Pipfile.lock generated Normal file
View file

@ -0,0 +1,876 @@
{
"_meta": {
"hash": {
"sha256": "d0491659fc916b6d6085de8b555960fc53b69c0d3a88cf8fe105671590f5f004"
},
"pipfile-spec": 6,
"requires": {
"python_version": "3.10"
},
"sources": [
{
"name": "pypi",
"url": "https://pypi.org/simple",
"verify_ssl": true
}
]
},
"default": {
"anyio": {
"hashes": [
"sha256:413adf95f93886e442aea925f3ee43baa5a765a64a0f52c6081894f9992fdd0b",
"sha256:cb29b9c70620506a9a8f87a309591713446953302d7d995344d0d7c6c0c9a7be"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==3.6.1"
},
"argcomplete": {
"hashes": [
"sha256:6372ad78c89d662035101418ae253668445b391755cfe94ea52f1b9d22425b20",
"sha256:cffa11ea77999bb0dd27bb25ff6dc142a6796142f68d45b1a26b11f58724561e"
],
"markers": "python_version >= '3.6'",
"version": "==2.0.0"
},
"attrs": {
"hashes": [
"sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
"sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==19.3.0"
},
"bcrypt": {
"hashes": [
"sha256:0b0f0c7141622a31e9734b7f649451147c04ebb5122327ac0bd23744df84be90",
"sha256:1c3334446fac200499e8bc04a530ce3cf0b3d7151e0e4ac5c0dddd3d95e97843",
"sha256:2d0dd19aad87e4ab882ef1d12df505f4c52b28b69666ce83c528f42c07379227",
"sha256:594780b364fb45f2634c46ec8d3e61c1c0f1811c4f2da60e8eb15594ecbf93ed",
"sha256:7c7dd6c1f05bf89e65261d97ac3a6520f34c2acb369afb57e3ea4449be6ff8fd",
"sha256:845b1daf4df2dd94d2fdbc9454953ca9dd0e12970a0bfc9f3dcc6faea3fa96e4",
"sha256:8780e69f9deec9d60f947b169507d2c9816e4f11548f1f7ebee2af38b9b22ae4",
"sha256:bf413f2a9b0a2950fc750998899013f2e718d20fa4a58b85ca50b6df5ed1bbf9",
"sha256:bfb67f6a6c72dfb0a02f3df51550aa1862708e55128b22543e2b42c74f3620d7",
"sha256:c59c170fc9225faad04dde1ba61d85b413946e8ce2e5f5f5ff30dfd67283f319",
"sha256:dc6ec3dc19b1c193b2f7cf279d3e32e7caf447532fbcb7af0906fe4398900c33",
"sha256:ede0f506554571c8eda80db22b83c139303ec6b595b8f60c4c8157bdd0bdee36"
],
"markers": "python_version >= '3.6'",
"version": "==4.0.0"
},
"black": {
"hashes": [
"sha256:0a12e4e1353819af41df998b02c6742643cfef58282915f781d0e4dd7a200411",
"sha256:0ad827325a3a634bae88ae7747db1a395d5ee02cf05d9aa7a9bd77dfb10e940c",
"sha256:32a4b17f644fc288c6ee2bafdf5e3b045f4eff84693ac069d87b1a347d861497",
"sha256:3b2c25f8dea5e8444bdc6788a2f543e1fb01494e144480bc17f806178378005e",
"sha256:4a098a69a02596e1f2a58a2a1c8d5a05d5a74461af552b371e82f9fa4ada8342",
"sha256:5107ea36b2b61917956d018bd25129baf9ad1125e39324a9b18248d362156a27",
"sha256:53198e28a1fb865e9fe97f88220da2e44df6da82b18833b588b1883b16bb5d41",
"sha256:5594efbdc35426e35a7defa1ea1a1cb97c7dbd34c0e49af7fb593a36bd45edab",
"sha256:5b879eb439094751185d1cfdca43023bc6786bd3c60372462b6f051efa6281a5",
"sha256:78dd85caaab7c3153054756b9fe8c611efa63d9e7aecfa33e533060cb14b6d16",
"sha256:792f7eb540ba9a17e8656538701d3eb1afcb134e3b45b71f20b25c77a8db7e6e",
"sha256:8ce13ffed7e66dda0da3e0b2eb1bdfc83f5812f66e09aca2b0978593ed636b6c",
"sha256:a05da0430bd5ced89176db098567973be52ce175a55677436a271102d7eaa3fe",
"sha256:a983526af1bea1e4cf6768e649990f28ee4f4137266921c2c3cee8116ae42ec3",
"sha256:bc4d4123830a2d190e9cc42a2e43570f82ace35c3aeb26a512a2102bce5af7ec",
"sha256:c3a73f66b6d5ba7288cd5d6dad9b4c9b43f4e8a4b789a94bf5abfb878c663eb3",
"sha256:ce957f1d6b78a8a231b18e0dd2d94a33d2ba738cd88a7fe64f53f659eea49fdd",
"sha256:cea1b2542d4e2c02c332e83150e41e3ca80dc0fb8de20df3c5e98e242156222c",
"sha256:d2c21d439b2baf7aa80d6dd4e3659259be64c6f49dfd0f32091063db0e006db4",
"sha256:d839150f61d09e7217f52917259831fe2b689f5c8e5e32611736351b89bb2a90",
"sha256:dd82842bb272297503cbec1a2600b6bfb338dae017186f8f215c8958f8acf869",
"sha256:e8166b7bfe5dcb56d325385bd1d1e0f635f24aae14b3ae437102dedc0c186747",
"sha256:e981e20ec152dfb3e77418fb616077937378b322d7b26aa1ff87717fb18b4875"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==22.8.0"
},
"certifi": {
"hashes": [
"sha256:0aa1a42fbd57645fabeb6290a7687c21755b0344ecaeaa05f4e9f6207ae2e9a8",
"sha256:aa08c101214127b9b0472ca6338315113c9487d45376fd3e669201b477c71003"
],
"markers": "python_version >= '3.6'",
"version": "==2022.6.15.2"
},
"cffi": {
"hashes": [
"sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5",
"sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef",
"sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104",
"sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426",
"sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405",
"sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375",
"sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a",
"sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e",
"sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc",
"sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf",
"sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185",
"sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497",
"sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3",
"sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35",
"sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c",
"sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83",
"sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21",
"sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca",
"sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984",
"sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac",
"sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd",
"sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee",
"sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a",
"sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2",
"sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192",
"sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7",
"sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585",
"sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f",
"sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e",
"sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27",
"sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b",
"sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e",
"sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e",
"sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d",
"sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c",
"sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415",
"sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82",
"sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02",
"sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314",
"sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325",
"sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c",
"sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3",
"sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914",
"sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045",
"sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d",
"sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9",
"sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5",
"sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2",
"sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c",
"sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3",
"sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2",
"sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8",
"sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d",
"sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d",
"sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9",
"sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162",
"sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76",
"sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4",
"sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e",
"sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9",
"sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6",
"sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b",
"sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01",
"sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0"
],
"version": "==1.15.1"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
},
"charset-normalizer": {
"hashes": [
"sha256:5a3d016c7c547f69d6f81fb0db9449ce888b418b5b9952cc5e6e66843e9dd845",
"sha256:83e9a75d1911279afd89352c68b45348559d1fc0506b054b346651b5e7fee29f"
],
"markers": "python_version >= '3.6'",
"version": "==2.1.1"
},
"click": {
"hashes": [
"sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e",
"sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"
],
"markers": "python_version >= '3.7'",
"version": "==8.1.3"
},
"cmarkgfm": {
"hashes": [
"sha256:02f14c7e77fcddf044df14cc227d7703027ee720bac719616ac505af29812b73",
"sha256:0c5d762351f14479b07bfda6773905caa0fa7f132f6478c35e467d0be21e9f2e",
"sha256:13c34b6dc5b77100201c543cd205366ef7ecc612efce4247e2b7a0bb258b271e",
"sha256:3157b37d1a897ee57ae57be8eafac3659e31fdce33fbbc85f76df34ee2804d5a",
"sha256:371c4a2d88508800f6cc872082970afdb414f2d3b86ac7769419f27da0d43acc",
"sha256:3a31b239dfe4945fcb6a53fcb7dac64cb857ecfb1f710d891ff96955c64509f6",
"sha256:3a5138d76e93378a72fb7a704cbf09764ebb43cfcf121e6d7ffdc40fb7917d4a",
"sha256:3c7053c8650bf1f79c607dc88ff56652d07f52aac4b60aa1bf07529c9b4473a7",
"sha256:4121f6047c4d4a28ded3cf02c087869549e9f0c3712e5a2af180972f9d1348a5",
"sha256:427ca60eb2f56c6293ac0e91b728acf608297c9030dccd3c928e938b3bf3ee77",
"sha256:51134e3775ac7c47ca2430a53b02c6ff03463143af8dfaeb1575c03e039ee485",
"sha256:57e4f57aa9264a3244a28665d3c5ec81b1ace454b01a1c09ff0d67a2cd12ca5a",
"sha256:605bd69fa4b247be9bb4e7d75bda4df37428a153e3a67aca50d7cd9dc1ee8225",
"sha256:6377e46d854cc32e03933a44a0b6e6750cf89b4314e1c84958a7a547c3952c23",
"sha256:6a48a67ff8425b4dee33196f6cd9bdba7b902c0b7e369150f6704989f9c40476",
"sha256:6bb05e1b4adc8027c41ddbd11761482c652f1aa2ae4419469e3883ec8b0bdf67",
"sha256:706daefce3f9bd1cd955b6bb06beac31c050b65f4bec8025dade3b0f05dbeed2",
"sha256:713bd4e64651e7bbd897bbaee6057c16b72c6ac3cf59b2b38892d635d52755eb",
"sha256:7262bb2b875d1c47dfa0e074fe349eb1ba1901e323fcf9e3fc4dbf97f0b92d97",
"sha256:737e4525c63ae3bca731e5c57056c02078e31e579ec655b72bd28eae525d6b53",
"sha256:7641061c0bc4caf754f119c326131ad41c25beb1e95e2479e8aab60dbd8f9f79",
"sha256:786e8a06f7eec6eb3f3789353a586c8b065570d2db9811fdcdaced736a36ce53",
"sha256:791c7f8aed353d540aed52c6724df408eb73208d7c9dd98aae6506d5783cb95f",
"sha256:7a974b3b90805f656054d6873cd876ee5c7949e7860d131b7ec0b29a3de3a3f3",
"sha256:82cfc1bc7099fa819993c41d3c6778bff29e5547dbf1de1dbb113ef4d2bc0df9",
"sha256:872f3c9d99aedf55ad6950a4158873a107f6338040bc381b21849ccf165e9d90",
"sha256:89cc51c26a10ebdaada4ed2630f6f375cf059d3aca5d77aff493a2010f6ed60a",
"sha256:8b58277117a439fd27aee2bcc8869be334fb7e8781e27066ec31ec0a596a6a01",
"sha256:8be0c52d0caf1852a5374c7c9a279801c1a8dd9e2040939e75262d02b003835b",
"sha256:8eebdc5ca2cd565998195d1e6189d5979a00a5db9c579d05953478cb085ef435",
"sha256:8f901c002172a3be8bb91a422da23dfae0301afe062addf41c976385f96bc1ef",
"sha256:94ba213739648006232aa917f8c4c42c520812601d85502fa7a5dad0f0d1590e",
"sha256:989432956e34591387f0aaab98caabd699f2f5d4c708d1a0d882334a8b760cc5",
"sha256:a386b01a266a42e8e9052c74ad42dc1ff50b209d8958a3656e0435fa018a0223",
"sha256:ae6796d4e8ea746dc8e29173f95ffb9b12f940ff5b9186d10203445526cf8d4d",
"sha256:b04da61652984c89868b31aface2d75e3d26081273d3764e18b5661eea98916e",
"sha256:b594063a3421561e0559cc5a68419cdcb020512fc40c3eb37e4629bae2a954b6",
"sha256:c17e19db003f86662d08ce382912767f7221637703a64cfdb85b8c1447cc4b36",
"sha256:c58c904c22b946d436637e8e1987db5886af8041c57e0028c419f98075344f1f",
"sha256:c61f3f2cd2b9c44cb2579e165a18f824a6c99682aff10ac2779a7a74a3167e89",
"sha256:ccbfb5e427ca815d80962e6705834ebadeb55058ac745e0339fb570bb78a6114",
"sha256:ce717bd3e26a95b749fbbf68da42cc5cb9200779a4943bbdd38fa73711366081",
"sha256:d4422e0dd3a11eeebbe86c6c08ac1c28783efed4b7b948a9878724e677eda107",
"sha256:e550ca0826eab1ab87d9eed58da89cc113f13f369fdd61c799705007422dbfce",
"sha256:e66f15d4c645c87819f7170990a00e0fa9e0e8255097f8bd5eb3037d78264efb",
"sha256:e7b5b6cd8befa8c1cf2a55f750a4dcf84de05c80a7110d933ea6724fbc6d2cf8",
"sha256:ec2bf8d5799c4b5bbfbae30a4a1dfcb06512f2e17e9ee60ba7e1d390318582fc",
"sha256:f0da78ef960f57aec8a6854821a99fa7a520dad77631b19becb68b2ebf8dbc2d",
"sha256:f56aa4940aa4ee98fd6f3e0a648b8ae1e6a27f5007d64d406aeadc51451dc13b",
"sha256:fa28b1a335adb5bad04b4a50382cbcfcc6c8d68413ba35e2cd3f657a1dc76347"
],
"version": "==0.6.0"
},
"compliance-trestle": {
"hashes": [
"sha256:2d9fd9ef09ba2aac0d78777291edfbc106284bd22ef9407516f232ca4e70697d",
"sha256:82b52835ce2f31a71559c33b8ed3262e01cd07e95ecd9f577189e2d1e81fe25e"
],
"index": "pypi",
"version": "==1.1.0"
},
"cryptography": {
"hashes": [
"sha256:0a3bf09bb0b7a2c93ce7b98cb107e9170a90c51a0162a20af1c61c765b90e60b",
"sha256:1f64a62b3b75e4005df19d3b5235abd43fa6358d5516cfc43d87aeba8d08dd51",
"sha256:32db5cc49c73f39aac27574522cecd0a4bb7384e71198bc65a0d23f901e89bb7",
"sha256:4881d09298cd0b669bb15b9cfe6166f16fc1277b4ed0d04a22f3d6430cb30f1d",
"sha256:4e2dddd38a5ba733be6a025a1475a9f45e4e41139d1321f412c6b360b19070b6",
"sha256:53e0285b49fd0ab6e604f4c5d9c5ddd98de77018542e88366923f152dbeb3c29",
"sha256:70f8f4f7bb2ac9f340655cbac89d68c527af5bb4387522a8413e841e3e6628c9",
"sha256:7b2d54e787a884ffc6e187262823b6feb06c338084bbe80d45166a1cb1c6c5bf",
"sha256:7be666cc4599b415f320839e36367b273db8501127b38316f3b9f22f17a0b815",
"sha256:8241cac0aae90b82d6b5c443b853723bcc66963970c67e56e71a2609dc4b5eaf",
"sha256:82740818f2f240a5da8dfb8943b360e4f24022b093207160c77cadade47d7c85",
"sha256:8897b7b7ec077c819187a123174b645eb680c13df68354ed99f9b40a50898f77",
"sha256:c2c5250ff0d36fd58550252f54915776940e4e866f38f3a7866d92b32a654b86",
"sha256:ca9f686517ec2c4a4ce930207f75c00bf03d94e5063cbc00a1dc42531511b7eb",
"sha256:d2b3d199647468d410994dbeb8cec5816fb74feb9368aedf300af709ef507e3e",
"sha256:da73d095f8590ad437cd5e9faf6628a218aa7c387e1fdf67b888b47ba56a17f0",
"sha256:e167b6b710c7f7bc54e67ef593f8731e1f45aa35f8a8a7b72d6e42ec76afd4b3",
"sha256:ea634401ca02367c1567f012317502ef3437522e2fc44a3ea1844de028fa4b84",
"sha256:ec6597aa85ce03f3e507566b8bcdf9da2227ec86c4266bd5e6ab4d9e0cc8dab2",
"sha256:f64b232348ee82f13aac22856515ce0195837f6968aeaa94a3d0353ea2ec06a6"
],
"markers": "python_version >= '3.6'",
"version": "==36.0.2"
},
"datamodel-code-generator": {
"extras": [
"http"
],
"hashes": [
"sha256:437d84345be5603a78e555f2febf35155dc0376277cd4458f49381eaa2514659",
"sha256:c61a0e18a32278490f2854ae13dda9097fb39fa116f47d209c3da0590d3ed2ab"
],
"markers": "python_version < '4' and python_full_version >= '3.6.1'",
"version": "==0.13.1"
},
"defusedxml": {
"hashes": [
"sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69",
"sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==0.7.1"
},
"dnspython": {
"hashes": [
"sha256:0f7569a4a6ff151958b64304071d370daa3243d15941a7beedf0c9fe5105603e",
"sha256:a851e51367fb93e9e1361732c1d60dab63eff98712e503ea7d92e6eccb109b4f"
],
"markers": "python_version >= '3.6' and python_version < '4'",
"version": "==2.2.1"
},
"email-validator": {
"hashes": [
"sha256:6757aea012d40516357c0ac2b1a4c31219ab2f899d26831334c5d069e8b6c3d8",
"sha256:c8589e691cf73eb99eed8d10ce0e9cbb05a0886ba920c8bcb7c82873f4c5789c"
],
"version": "==1.2.1"
},
"et-xmlfile": {
"hashes": [
"sha256:8eb9e2bc2f8c97e37a2dc85a09ecdcdec9d8a396530a6d5a33b30b9a92da0c5c",
"sha256:a2ba85d1d6a74ef63837eed693bcb89c3f752169b0e3e7ae5b16ca5e1b3deada"
],
"markers": "python_version >= '3.6'",
"version": "==1.1.0"
},
"furl": {
"hashes": [
"sha256:5a6188fe2666c484a12159c18be97a1977a71d632ef5bb867ef15f54af39cc4e",
"sha256:9ab425062c4217f9802508e45feb4a83e54324273ac4b202f1850363309666c0"
],
"version": "==2.1.3"
},
"genson": {
"hashes": [
"sha256:8caf69aa10af7aee0e1a1351d1d06801f4696e005f06cedef438635384346a16"
],
"version": "==1.2.2"
},
"h11": {
"hashes": [
"sha256:36a3cb8c0a032f56e2da7084577878a035d3b61d104230d4bd49c0c6b555a9c6",
"sha256:47222cb6067e4a307d535814917cd98fd0a57b6788ce715755fa2b6c28b56042"
],
"markers": "python_version >= '3.6'",
"version": "==0.12.0"
},
"httpcore": {
"hashes": [
"sha256:1105b8b73c025f23ff7c36468e4432226cbb959176eab66864b8e31c4ee27fa6",
"sha256:18b68ab86a3ccf3e7dc0f43598eaddcf472b602aba29f9aa6ab85fe2ada3980b"
],
"markers": "python_version >= '3.7'",
"version": "==0.15.0"
},
"httpx": {
"hashes": [
"sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b",
"sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"
],
"version": "==0.23.0"
},
"idna": {
"hashes": [
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3.5'",
"version": "==3.4"
},
"ilcli": {
"hashes": [
"sha256:8a56b053836f8b0e1bbbdda884288d18dc966bd8e90fdf9b340914dba625cd7f",
"sha256:dfb7d2da49c63ef92c5a589eb5f765d073d7ea83275c3dd2aea8ae5cbe4c5be2"
],
"version": "==0.3.2"
},
"inflect": {
"hashes": [
"sha256:aadc7ed73928f5e014129794bbac03058cca35d0a973a5fc4eb45c7fa26005f9",
"sha256:b45d91a4a28a4e617ff1821117439b06eaa86e2a4573154af0149e9be6687238"
],
"markers": "python_version >= '3.7'",
"version": "==5.6.2"
},
"isodate": {
"hashes": [
"sha256:0751eece944162659049d35f4f549ed815792b38793f07cf73381c1c87cbed96",
"sha256:48c5881de7e8b0a0d648cb024c8062dc84e7b840ed81e864c7614fd3c127bde9"
],
"version": "==0.6.1"
},
"isort": {
"hashes": [
"sha256:6f62d78e2f89b4500b080fe3a81690850cd254227f27f75c3a0c491a1f351ba7",
"sha256:e8443a5e7a020e9d7f97f1d7d9cd17c88bcb3bc7e218bf9cf5095fe550be2951"
],
"markers": "python_version < '4' and python_full_version >= '3.6.1'",
"version": "==5.10.1"
},
"jinja2": {
"hashes": [
"sha256:077ce6014f7b40d03b47d1f1ca4b0fc8328a692bd284016f806ed0eaca390ad8",
"sha256:611bb273cd68f3b993fabdc4064fc858c5b47a973cb5aa7999ec1ba405c87cd7"
],
"markers": "python_version >= '3.6'",
"version": "==3.0.3"
},
"jsonschema": {
"hashes": [
"sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
"sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
],
"version": "==3.2.0"
},
"markupsafe": {
"hashes": [
"sha256:0212a68688482dc52b2d45013df70d169f542b7394fc744c02a57374a4207003",
"sha256:089cf3dbf0cd6c100f02945abeb18484bd1ee57a079aefd52cffd17fba910b88",
"sha256:10c1bfff05d95783da83491be968e8fe789263689c02724e0c691933c52994f5",
"sha256:33b74d289bd2f5e527beadcaa3f401e0df0a89927c1559c8566c066fa4248ab7",
"sha256:3799351e2336dc91ea70b034983ee71cf2f9533cdff7c14c90ea126bfd95d65a",
"sha256:3ce11ee3f23f79dbd06fb3d63e2f6af7b12db1d46932fe7bd8afa259a5996603",
"sha256:421be9fbf0ffe9ffd7a378aafebbf6f4602d564d34be190fc19a193232fd12b1",
"sha256:43093fb83d8343aac0b1baa75516da6092f58f41200907ef92448ecab8825135",
"sha256:46d00d6cfecdde84d40e572d63735ef81423ad31184100411e6e3388d405e247",
"sha256:4a33dea2b688b3190ee12bd7cfa29d39c9ed176bda40bfa11099a3ce5d3a7ac6",
"sha256:4b9fe39a2ccc108a4accc2676e77da025ce383c108593d65cc909add5c3bd601",
"sha256:56442863ed2b06d19c37f94d999035e15ee982988920e12a5b4ba29b62ad1f77",
"sha256:671cd1187ed5e62818414afe79ed29da836dde67166a9fac6d435873c44fdd02",
"sha256:694deca8d702d5db21ec83983ce0bb4b26a578e71fbdbd4fdcd387daa90e4d5e",
"sha256:6a074d34ee7a5ce3effbc526b7083ec9731bb3cbf921bbe1d3005d4d2bdb3a63",
"sha256:6d0072fea50feec76a4c418096652f2c3238eaa014b2f94aeb1d56a66b41403f",
"sha256:6fbf47b5d3728c6aea2abb0589b5d30459e369baa772e0f37a0320185e87c980",
"sha256:7f91197cc9e48f989d12e4e6fbc46495c446636dfc81b9ccf50bb0ec74b91d4b",
"sha256:86b1f75c4e7c2ac2ccdaec2b9022845dbb81880ca318bb7a0a01fbf7813e3812",
"sha256:8dc1c72a69aa7e082593c4a203dcf94ddb74bb5c8a731e4e1eb68d031e8498ff",
"sha256:8e3dcf21f367459434c18e71b2a9532d96547aef8a871872a5bd69a715c15f96",
"sha256:8e576a51ad59e4bfaac456023a78f6b5e6e7651dcd383bcc3e18d06f9b55d6d1",
"sha256:96e37a3dc86e80bf81758c152fe66dbf60ed5eca3d26305edf01892257049925",
"sha256:97a68e6ada378df82bc9f16b800ab77cbf4b2fada0081794318520138c088e4a",
"sha256:99a2a507ed3ac881b975a2976d59f38c19386d128e7a9a18b7df6fff1fd4c1d6",
"sha256:a49907dd8420c5685cfa064a1335b6754b74541bbb3706c259c02ed65b644b3e",
"sha256:b09bf97215625a311f669476f44b8b318b075847b49316d3e28c08e41a7a573f",
"sha256:b7bd98b796e2b6553da7225aeb61f447f80a1ca64f41d83612e6139ca5213aa4",
"sha256:b87db4360013327109564f0e591bd2a3b318547bcef31b468a92ee504d07ae4f",
"sha256:bcb3ed405ed3222f9904899563d6fc492ff75cce56cba05e32eff40e6acbeaa3",
"sha256:d4306c36ca495956b6d568d276ac11fdd9c30a36f1b6eb928070dc5360b22e1c",
"sha256:d5ee4f386140395a2c818d149221149c54849dfcfcb9f1debfe07a8b8bd63f9a",
"sha256:dda30ba7e87fbbb7eab1ec9f58678558fd9a6b8b853530e176eabd064da81417",
"sha256:e04e26803c9c3851c931eac40c695602c6295b8d432cbe78609649ad9bd2da8a",
"sha256:e1c0b87e09fa55a220f058d1d49d3fb8df88fbfab58558f1198e08c1e1de842a",
"sha256:e72591e9ecd94d7feb70c1cbd7be7b3ebea3f548870aa91e2732960fa4d57a37",
"sha256:e8c843bbcda3a2f1e3c2ab25913c80a3c5376cd00c6e8c4a86a89a28c8dc5452",
"sha256:efc1913fd2ca4f334418481c7e595c00aad186563bbc1ec76067848c7ca0a933",
"sha256:f121a1420d4e173a5d96e47e9a0c0dcff965afdf1626d28de1460815f7c4ee7a",
"sha256:fc7b548b17d238737688817ab67deebb30e8073c95749d55538ed473130ec0c7"
],
"markers": "python_version >= '3.7'",
"version": "==2.1.1"
},
"mypy-extensions": {
"hashes": [
"sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d",
"sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"
],
"version": "==0.4.3"
},
"openapi-schema-validator": {
"hashes": [
"sha256:230db361c71a5b08b25ec926797ac8b59a8f499bbd7316bd15b6cd0fc9aea5df",
"sha256:8ef097b78c191c89d9a12cdf3d311b2ecf9d3b80bbe8610dbc67a812205a6a8d",
"sha256:af023ae0d16372cf8dd0d128c9f3eaa080dc3cd5dfc69e6a247579f25bd10503"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==0.1.6"
},
"openapi-spec-validator": {
"hashes": [
"sha256:43d606c5910ed66e1641807993bd0a981de2fc5da44f03e1c4ca2bb65b94b68e",
"sha256:49d7da81996714445116f6105c9c5955c0e197ef8636da4f368c913f64753443"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==0.3.3"
},
"openpyxl": {
"hashes": [
"sha256:0ab6d25d01799f97a9464630abacbb34aafecdcaa0ef3cba6d6b3499867d0355",
"sha256:e47805627aebcf860edb4edf7987b1309c1b3632f3750538ed962bbcc3bd7449"
],
"markers": "python_version >= '3.6'",
"version": "==3.0.10"
},
"orderedmultidict": {
"hashes": [
"sha256:04070bbb5e87291cc9bfa51df413677faf2141c73c61d2a5f7b26bea3cd882ad",
"sha256:43c839a17ee3cdd62234c47deca1a8508a3f2ca1d0678a3bf791c87cf84adbf3"
],
"version": "==1.0.1"
},
"orjson": {
"hashes": [
"sha256:02d638d43951ba346a80f0abd5942a872cc87db443e073f6f6fc530fee81e19b",
"sha256:03ed95814140ff09f550b3a42e6821f855d981c94d25b9cc83e8cca431525d70",
"sha256:1b1cd25acfa77935bb2e791b75211cec0cfc21227fe29387e553c545c3ff87e1",
"sha256:2058653cc12b90e482beacb5c2d52dc3d7606f9e9f5a52c1c10ef49371e76f52",
"sha256:2065b6d280dc58f131ffd93393737961ff68ae7eb6884b68879394074cc03c13",
"sha256:25b5e48fbb9f0b428a5e44cf740675c9281dd67816149fc33659803399adbbe8",
"sha256:2bdb1042970ca5f544a047d6c235a7eb4acdb69df75441dd1dfcbc406377ab37",
"sha256:2d81e6e56bbea44be0222fb53f7b255b4e7426290516771592738ca01dbd053b",
"sha256:3c7225e8b08996d1a0c804d3a641a53e796685e8c9a9fd52bd428980032cad9a",
"sha256:3e2459d441ab8fd8b161aa305a73d5269b3cda13b5a2a39eba58b4dd3e394f49",
"sha256:4065906ce3ad6195ac4d1bddde862fe811a42d7be237a1ff762666c3a4bb2151",
"sha256:5b072ef8520cfe7bd4db4e3c9972d94336763c2253f7c4718a49e8733bada7b8",
"sha256:5edb93cdd3eb32977633fa7aaa6a34b8ab54d9c49cdcc6b0d42c247a29091b22",
"sha256:5f856279872a4449fc629924e6a083b9821e366cf98b14c63c308269336f7c14",
"sha256:5fd6cac83136e06e538a4d17117eaeabec848c1e86f5742d4811656ad7ee475f",
"sha256:6433c956f4a18112342a18281e0bec67fcd8b90be3a5271556c09226e045d805",
"sha256:655d7387a1634a9a477c545eea92a1ee902ab28626d701c6de4914e2ed0fecd2",
"sha256:66c19399bb3b058e3236af7910b57b19a4fc221459d722ed72a7dc90370ca090",
"sha256:6a23b40c98889e9abac084ce5a1fb251664b41da9f6bdb40a4729e2288ed2ed4",
"sha256:6e3da2e4bd27c3b796519ca74132c7b9e5348fb6746315e0f6c1592bc5cf1caf",
"sha256:6ea5fe20ef97545e14dd4d0263e4c5c3bc3d2248d39b4b0aed4b84d528dfc0af",
"sha256:7536a2a0b41672f824912aeab545c2467a9ff5ca73a066ff04fb81043a0a177a",
"sha256:7990a9caf3b34016ac30be5e6cfc4e7efd76aa85614a1215b0eae4f0c7e3db59",
"sha256:7b0e72974a5d3b101226899f111368ec2c9824d3e9804af0e5b31567f53ad98a",
"sha256:87462791dd57de2e3e53068bf4b7169c125c50960f1bdda08ed30c797cb42a56",
"sha256:896a21a07f1998648d9998e881ab2b6b80d5daac4c31188535e9d50460edfcf7",
"sha256:8b391d5c2ddc2f302d22909676b306cb6521022c3ee306c861a6935670291b2c",
"sha256:8f687776a03c19f40b982fb5c414221b7f3d19097841571be2223d1569a59877",
"sha256:9a93850a1bdc300177b111b4b35b35299f046148ba23020f91d6efd7bf6b9d20",
"sha256:9e6ac22cec72d5b39035b566e4b86c74b84866f12b5b0b6541506a080fb67d6d",
"sha256:a709c2249c1f2955dbf879506fd43fa08c31fdb79add9aeb891e3338b648bf60",
"sha256:b68a42a31f8429728183c21fb440c21de1b62e5378d0d73f280e2d894ef8942e",
"sha256:be02f6acee33bb63862eeff80548cd6b8a62e2d60ad2d8dfd5a8824cc43d8887",
"sha256:d189e2acb510e374700cb98cf11b54f0179916ee40f8453b836157ae293efa79",
"sha256:d2b5dafbe68237a792143137cba413447f60dd5df428e05d73dcba10c1ea6fcf",
"sha256:e1418feeb8b698b9224b1f024555895169d481604d5d884498c1838d7412794c",
"sha256:e2defd9527651ad39ec20ae03c812adf47ef7662bdd6bc07dabb10888d70dc62",
"sha256:e2f4a5542f50e3d336a18cb224fc757245ca66b1fd0b70b5dd4471b8ff5f2b0e",
"sha256:e68c699471ea3e2dd1b35bfd71c6a0a0e4885b64abbe2d98fce1ef11e0afaff3",
"sha256:f4b46dbdda2f0bd6480c39db90b21340a19c3b0fcf34bc4c6e465332930ca539",
"sha256:fb42f7cf57d5804a9daa6b624e3490ec9e2631e042415f3aebe9f35a8492ba6c",
"sha256:ff13410ddbdda5d4197a4a4c09969cb78c722a67550f0a63c02c07aadc624833"
],
"markers": "python_version >= '3.7'",
"version": "==3.8.0"
},
"paramiko": {
"hashes": [
"sha256:003e6bee7c034c21fbb051bf83dc0a9ee4106204dd3c53054c71452cc4ec3938",
"sha256:655f25dc8baf763277b933dfcea101d636581df8d6b9774d1fb653426b72c270"
],
"version": "==2.11.0"
},
"pathspec": {
"hashes": [
"sha256:46846318467efc4556ccfd27816e004270a9eeeeb4d062ce5e6fc7a87c573f93",
"sha256:7ace6161b621d31e7902eb6b5ae148d12cfd23f4a249b9ffb6b9fee12084323d"
],
"markers": "python_version >= '3.7'",
"version": "==0.10.1"
},
"platformdirs": {
"hashes": [
"sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788",
"sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19"
],
"markers": "python_version >= '3.7'",
"version": "==2.5.2"
},
"prance": {
"hashes": [
"sha256:51ec41d10b317bf5d4e74782a7f7f0c0488c6042433b5b4fde2a988cd069d235",
"sha256:ce06feef8814c3436645f3b094e91067b1a111bc860a51f239f93437a8d4b00e"
],
"markers": "python_version >= '3.6'",
"version": "==0.21.8.0"
},
"pycparser": {
"hashes": [
"sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9",
"sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"
],
"version": "==2.21"
},
"pydantic": {
"extras": [
"email"
],
"hashes": [
"sha256:05e00dbebbe810b33c7a7362f231893183bcc4251f3f2ff991c31d5c08240c42",
"sha256:06094d18dd5e6f2bbf93efa54991c3240964bb663b87729ac340eb5014310624",
"sha256:0b959f4d8211fc964772b595ebb25f7652da3f22322c007b6fed26846a40685e",
"sha256:19b3b9ccf97af2b7519c42032441a891a5e05c68368f40865a90eb88833c2559",
"sha256:1b6ee725bd6e83ec78b1aa32c5b1fa67a3a65badddde3976bca5fe4568f27709",
"sha256:1ee433e274268a4b0c8fde7ad9d58ecba12b069a033ecc4645bb6303c062d2e9",
"sha256:216f3bcbf19c726b1cc22b099dd409aa371f55c08800bcea4c44c8f74b73478d",
"sha256:2d0567e60eb01bccda3a4df01df677adf6b437958d35c12a3ac3e0f078b0ee52",
"sha256:2e05aed07fa02231dbf03d0adb1be1d79cabb09025dd45aa094aa8b4e7b9dcda",
"sha256:352aedb1d71b8b0736c6d56ad2bd34c6982720644b0624462059ab29bd6e5912",
"sha256:355639d9afc76bcb9b0c3000ddcd08472ae75318a6eb67a15866b87e2efa168c",
"sha256:37c90345ec7dd2f1bcef82ce49b6235b40f282b94d3eec47e801baf864d15525",
"sha256:4b8795290deaae348c4eba0cebb196e1c6b98bdbe7f50b2d0d9a4a99716342fe",
"sha256:5760e164b807a48a8f25f8aa1a6d857e6ce62e7ec83ea5d5c5a802eac81bad41",
"sha256:6eb843dcc411b6a2237a694f5e1d649fc66c6064d02b204a7e9d194dff81eb4b",
"sha256:7b5ba54d026c2bd2cb769d3468885f23f43710f651688e91f5fb1edcf0ee9283",
"sha256:7c2abc4393dea97a4ccbb4ec7d8658d4e22c4765b7b9b9445588f16c71ad9965",
"sha256:81a7b66c3f499108b448f3f004801fcd7d7165fb4200acb03f1c2402da73ce4c",
"sha256:91b8e218852ef6007c2b98cd861601c6a09f1aa32bbbb74fab5b1c33d4a1e410",
"sha256:9300fcbebf85f6339a02c6994b2eb3ff1b9c8c14f502058b5bf349d42447dcf5",
"sha256:9cabf4a7f05a776e7793e72793cd92cc865ea0e83a819f9ae4ecccb1b8aa6116",
"sha256:a1f5a63a6dfe19d719b1b6e6106561869d2efaca6167f84f5ab9347887d78b98",
"sha256:a4c805731c33a8db4b6ace45ce440c4ef5336e712508b4d9e1aafa617dc9907f",
"sha256:ae544c47bec47a86bc7d350f965d8b15540e27e5aa4f55170ac6a75e5f73b644",
"sha256:b97890e56a694486f772d36efd2ba31612739bc6f3caeee50e9e7e3ebd2fdd13",
"sha256:bb6ad4489af1bac6955d38ebcb95079a836af31e4c4f74aba1ca05bb9f6027bd",
"sha256:bedf309630209e78582ffacda64a21f96f3ed2e51fbf3962d4d488e503420254",
"sha256:c1ba1afb396148bbc70e9eaa8c06c1716fdddabaf86e7027c5988bae2a829ab6",
"sha256:c33602f93bfb67779f9c507e4d69451664524389546bacfe1bee13cae6dc7488",
"sha256:c4aac8e7103bf598373208f6299fa9a5cfd1fc571f2d40bf1dd1955a63d6eeb5",
"sha256:c6f981882aea41e021f72779ce2a4e87267458cc4d39ea990729e21ef18f0f8c",
"sha256:cc78cc83110d2f275ec1970e7a831f4e371ee92405332ebfe9860a715f8336e1",
"sha256:d49f3db871575e0426b12e2f32fdb25e579dea16486a26e5a0474af87cb1ab0a",
"sha256:dd3f9a40c16daf323cf913593083698caee97df2804aa36c4b3175d5ac1b92a2",
"sha256:e0bedafe4bc165ad0a56ac0bd7695df25c50f76961da29c050712596cf092d6d",
"sha256:e9069e1b01525a96e6ff49e25876d90d5a563bc31c658289a8772ae186552236"
],
"markers": "python_version >= '3.7'",
"version": "==1.10.2"
},
"pynacl": {
"hashes": [
"sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858",
"sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d",
"sha256:20f42270d27e1b6a29f54032090b972d97f0a1b0948cc52392041ef7831fee93",
"sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1",
"sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92",
"sha256:61f642bf2378713e2c2e1de73444a3778e5f0a38be6fee0fe532fe30060282ff",
"sha256:8ac7448f09ab85811607bdd21ec2464495ac8b7c66d146bf545b0f08fb9220ba",
"sha256:a36d4a9dda1f19ce6e03c9a784a2921a4b726b02e1c736600ca9c22029474394",
"sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b",
"sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543"
],
"markers": "python_version >= '3.6'",
"version": "==1.5.0"
},
"pyrsistent": {
"hashes": [
"sha256:aa2ae1c2e496f4d6777f869ea5de7166a8ccb9c2e06ebcf6c7ff1b670c98c5ef"
],
"markers": "python_version >= '2.7'",
"version": "==0.16.1"
},
"pysnooper": {
"hashes": [
"sha256:378f13d731a3e04d3d0350e5f295bdd0f1b49fc8a8b8bf2067fe1e5290bd20be",
"sha256:d17dc91cca1593c10230dce45e46b1d3ff0f8910f0c38e941edf6ba1260b3820"
],
"version": "==1.1.1"
},
"python-dotenv": {
"hashes": [
"sha256:1684eb44636dd462b66c3ee016599815514527ad99965de77f43e0944634a7e5",
"sha256:b77d08274639e3d34145dfa6c7008e66df0f04b7be7a75fd0d5292c191d79045"
],
"markers": "python_version >= '3.7'",
"version": "==0.21.0"
},
"python-frontmatter": {
"hashes": [
"sha256:766ae75f1b301ffc5fe3494339147e0fd80bc3deff3d7590a93991978b579b08",
"sha256:e98152e977225ddafea6f01f40b4b0f1de175766322004c826ca99842d19a7cd"
],
"version": "==1.0.0"
},
"pyyaml": {
"hashes": [
"sha256:01b45c0191e6d66c470b6cf1b9531a771a83c1c4208272ead47a3ae4f2f603bf",
"sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293",
"sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b",
"sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57",
"sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b",
"sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4",
"sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07",
"sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba",
"sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9",
"sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287",
"sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513",
"sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0",
"sha256:432557aa2c09802be39460360ddffd48156e30721f5e8d917f01d31694216782",
"sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0",
"sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92",
"sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f",
"sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2",
"sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc",
"sha256:81957921f441d50af23654aa6c5e5eaf9b06aba7f0a19c18a538dc7ef291c5a1",
"sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c",
"sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86",
"sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4",
"sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c",
"sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34",
"sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b",
"sha256:afa17f5bc4d1b10afd4466fd3a44dc0e245382deca5b3c353d8b757f9e3ecb8d",
"sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c",
"sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb",
"sha256:bfaef573a63ba8923503d27530362590ff4f576c626d86a9fed95822a8255fd7",
"sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737",
"sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3",
"sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d",
"sha256:d4b0ba9512519522b118090257be113b9468d804b19d63c71dbcf4a48fa32358",
"sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53",
"sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78",
"sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803",
"sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a",
"sha256:dbad0e9d368bb989f4515da330b88a057617d16b6a8245084f1b05400f24609f",
"sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174",
"sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"
],
"markers": "python_version >= '3.6'",
"version": "==6.0"
},
"requests": {
"hashes": [
"sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983",
"sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349"
],
"markers": "python_version >= '3.7' and python_version < '4'",
"version": "==2.28.1"
},
"rfc3986": {
"extras": [
"idna2008"
],
"hashes": [
"sha256:270aaf10d87d0d4e095063c65bf3ddbc6ee3d0b226328ce21e036f946e421835",
"sha256:a86d6e1f5b1dc238b218b012df0aa79409667bb209e58da56d0b94704e712a97"
],
"version": "==1.5.0"
},
"ruamel.yaml": {
"hashes": [
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"markers": "python_version >= '3'",
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:066f886bc90cc2ce44df8b5f7acfc6a7e2b2e672713f027136464492b0c34d7c",
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1070ba9dd7f9370d0513d649420c3b362ac2d687fe78c6e888f5b12bf8bc7bee",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:1b4139a6ffbca8ef60fdaf9b33dec05143ba746a6f0ae0f9d11d38239211d335",
"sha256:210c8fcfeff90514b7133010bf14e3bad652c8efde6b20e00c43854bf94fa5a6",
"sha256:221eca6f35076c6ae472a531afa1c223b9c29377e62936f61bc8e6e8bdc5f9e7",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:61bc5e5ca632d95925907c569daa559ea194a4d16084ba86084be98ab1cec1c6",
"sha256:6e7be2c5bcb297f5b82fee9c665eb2eb7001d1050deaba8471842979293a80b0",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:77df077d32921ad46f34816a9a16e6356d8100374579bc35e15bab5d4e9377de",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d3c620a54748a3d4cf0bcfe623e388407c8e85a4b06b8188e126302bcab93ea8",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
],
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
},
"semver": {
"hashes": [
"sha256:ced8b23dceb22134307c1b8abfa523da14198793d9787ac838e70e29e77458d4",
"sha256:fa0fe2722ee1c3f57eac478820c3a5ae2f624af8264cbdf9000c980ff7f75e3f"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.13.0"
},
"setuptools": {
"hashes": [
"sha256:2e24e0bec025f035a2e72cdd1961119f557d78ad331bb00ff82efb2ab8da8e82",
"sha256:7732871f4f7fa58fb6bdcaeadb0161b2bd046c85905dbaa066bdcbcc81953b57"
],
"markers": "python_version >= '3.7'",
"version": "==65.3.0"
},
"six": {
"hashes": [
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"sniffio": {
"hashes": [
"sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101",
"sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.0"
},
"toml": {
"hashes": [
"sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
"sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.10.2"
},
"tomli": {
"hashes": [
"sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc",
"sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"
],
"markers": "python_full_version < '3.11.0a7'",
"version": "==2.0.1"
},
"typed-ast": {
"hashes": [
"sha256:0261195c2062caf107831e92a76764c81227dae162c4f75192c0d489faf751a2",
"sha256:0fdbcf2fef0ca421a3f5912555804296f0b0960f0418c440f5d6d3abb549f3e1",
"sha256:183afdf0ec5b1b211724dfef3d2cad2d767cbefac291f24d69b00546c1837fb6",
"sha256:211260621ab1cd7324e0798d6be953d00b74e0428382991adfddb352252f1d62",
"sha256:267e3f78697a6c00c689c03db4876dd1efdfea2f251a5ad6555e82a26847b4ac",
"sha256:2efae9db7a8c05ad5547d522e7dbe62c83d838d3906a3716d1478b6c1d61388d",
"sha256:370788a63915e82fd6f212865a596a0fefcbb7d408bbbb13dea723d971ed8bdc",
"sha256:39e21ceb7388e4bb37f4c679d72707ed46c2fbf2a5609b8b8ebc4b067d977df2",
"sha256:3e123d878ba170397916557d31c8f589951e353cc95fb7f24f6bb69adc1a8a97",
"sha256:4879da6c9b73443f97e731b617184a596ac1235fe91f98d279a7af36c796da35",
"sha256:4e964b4ff86550a7a7d56345c7864b18f403f5bd7380edf44a3c1fb4ee7ac6c6",
"sha256:639c5f0b21776605dd6c9dbe592d5228f021404dafd377e2b7ac046b0349b1a1",
"sha256:669dd0c4167f6f2cd9f57041e03c3c2ebf9063d0757dc89f79ba1daa2bfca9d4",
"sha256:6778e1b2f81dfc7bc58e4b259363b83d2e509a65198e85d5700dfae4c6c8ff1c",
"sha256:683407d92dc953c8a7347119596f0b0e6c55eb98ebebd9b23437501b28dcbb8e",
"sha256:79b1e0869db7c830ba6a981d58711c88b6677506e648496b1f64ac7d15633aec",
"sha256:7d5d014b7daa8b0bf2eaef684295acae12b036d79f54178b92a2b6a56f92278f",
"sha256:98f80dee3c03455e92796b58b98ff6ca0b2a6f652120c263efdba4d6c5e58f72",
"sha256:a94d55d142c9265f4ea46fab70977a1944ecae359ae867397757d836ea5a3f47",
"sha256:a9916d2bb8865f973824fb47436fa45e1ebf2efd920f2b9f99342cb7fab93f72",
"sha256:c542eeda69212fa10a7ada75e668876fdec5f856cd3d06829e6aa64ad17c8dfe",
"sha256:cf4afcfac006ece570e32d6fa90ab74a17245b83dfd6655a6f68568098345ff6",
"sha256:ebd9d7f80ccf7a82ac5f88c521115cc55d84e35bf8b446fcd7836eb6b98929a3",
"sha256:ed855bbe3eb3715fca349c80174cfcfd699c2f9de574d40527b8429acae23a66"
],
"markers": "python_full_version >= '3.9.8'",
"version": "==1.5.4"
},
"typing-extensions": {
"hashes": [
"sha256:25642c956049920a5aa49edcdd6ab1e06d7e5d467fc00e0506c44ac86fbfca02",
"sha256:e6d2677a32f47fc7eb2795db1dd15c1f34eff616bcaf2cfb5e997f854fa1c4a6"
],
"markers": "python_version >= '3.7'",
"version": "==4.3.0"
},
"urllib3": {
"hashes": [
"sha256:3fa96cf423e6987997fc326ae8df396db2a8b7c667747d47ddd8ecba91f4a74e",
"sha256:b930dd878d5a8afb066a637fbb35144fe7901e3b209d1cd4f524bd0e9deee997"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5' and python_version < '4'",
"version": "==1.26.12"
}
},
"develop": {}
}

68
docs/compliance/README.md Normal file
View file

@ -0,0 +1,68 @@
# Compliance Template
A compliance documentation workflow using [OSCAL](https://pages.nist.gov/OSCAL/) with [Trestle](https://github.com/IBM/compliance-trestle) to generate a System Security Plan (SSP) using Markdown.
## Usage
### Background
For a little background on OSCAL please see the [glossary](glossary.md) and [control families](control-families.md) documentation.
### Make
We use the Makefile for our workflow. You will be primarily working in [dist/system-security-plans/ato](dist/system-security-plans/ato) where all the Markdown for our controls live. You will usually not need to run any Make commands while documenting. Just add your explanation on each control to the SSP Markdown. But the Make commands we have are:
- `make generate` to have `trestle` generate the corresponding control statement in Markdown. Use this if you need to add a control.
- `make generate-with-header` to have `trestle` generate the corresponding control statement in Markdown with the status headers.
- `make assemble` will generate the resulting OSCAL System Security Plan (SSP).
- `make status` will print out some basic metrics about control status bits.
### Suggested workflow
Here is a suggested compliance documentation workflow that uses [compliance-trestle](https://github.com/IBM/compliance-trestle):
- Add a control to the [profile](./profiles/ato/) that will be satisfied.
- Run `make generate` to have `trestle` generate the corresponding control statement in Markdown.
- This Markdown file will live in `dist/system-security-plans/`.
- Flesh out implementation detail stubs for that control.
- It is OK to leave a control implementation description blank initially.
- Backfill missing implementation descriptions as needed.
- If links to existing code are needed, consider linking to high level artifacts with a general description.
- Avoid linking directly to lines of code as these will change over time.
- (Optionally) Run `make assemble` to generate the resulting OSCAL System Security Plan (SSP).
- This is an optional step because nothing uses the OSCAL SSP yet.
### Status
To track compliance status, there's a header yaml file with a status list. The options are:
- `c-not-implemented`: this control has not been met or documented.
- `c-implemented`: this control has been met and documented.
- `c-inherited`: this control is inherited from cloud.gov or another system we use.
- `c-org-help-needed`: this control needs to be implemented at a higher level.
`make status` will print out some basic metrics about control status bits.
## Controls
Below are details about the controls, including additional parameters, notes, and control families.
### Parameters
A few controls require us to supply parameters to the control. These parameter choices are given in the official NIST catalog description. For instance, `sc-12.2` requires us to choose between `NIST FIPS-compliant` or `NSA-approved` symmetric keys.
To provide a parameter, edit the [profile](./profiles/ato/profile.json) and add the relevant parameter id to the `set-parameters` section, along with the value(s) that best fits the control. (Note that some controls allow more than one parameter.)
It is also possible to override the default parameters for a control, if needed.
Once new parameters are set in the profile, please run `make generate` to re-generate the control Markdown with the new parameters.
## Attribution
This is a copy with alternations from the 18F [compliance-template](https://github.com/GSA-TTS/compliance-template)
## Getting started for non-python devs
1. Install [pipenv](https://docs.pipenv.org/)
1. Run `pipenv install` to install dependencies from `Pipfile`
1. Run `pipenv shell` to start a shell with the correct virtual environment configured

0
docs/compliance/assessment-plans/.keep Normal file
View file

0
docs/compliance/assessment-results/.keep Normal file
View file

0
docs/compliance/catalogs/.keep Normal file
View file

0
docs/compliance/component-definitions/.keep Normal file
View file

51
docs/compliance/control-families.md Normal file
View file

@ -0,0 +1,51 @@
# Control Families
Below are a list of control families with relevant descriptions.
## `ac-`: Access Control
This family deals with account management, various levels of access to hardware and software, and access related notifications.
## `ar-`, `ra-`, `tr-`, and `ul`: Privacy Impact and Risk Assessment, Privacy Notice, and Infromation Sharing with Third Parties
These families contain controls around threat modeling, privacy impact, and vulnerability scanning. `ar` was the family name under rev. 4, and `ra` is the name under rev. 5, but these should be examined together when making changes that impact privacy or help reduce risk.
## `au-`: Audit and Accountability
These controls will deal with anything around logging for events, record keeping, and formatting of logs.
## `ca-`: Assessment, Authorization, and Monitoring
A little meta, but this family deals with how we actively document security and compliance, where we keep POAMs, how we conduct pen testing, etc.
## `cm-`: Configuration Management
This family documents how we restrict softare usage, where we store configuration, and adhere to "law of least functionality" throughout our system.
## `cp-`: Contingency Planning
This deals with how we handle our backups, disaster recovery, fallbacks, and any other sort of emergency planning.
## `di-`: Data Quality
There is only one control for `di` and it broadly deals with handling of PII at the organization level.
## `ia-`: Identification and Authentication
This family deals with restricting access to parts or whole of the system. You will find controls relating to MFA, account access, PIVs to access, etc. Unlike `ac-` controls, this deals with things like how we restrict admin access to our AWS accounts, which will probably be documented in the SSP.
## `sa-`: System and Services Acquisition
This family deals with how we document and monitoring the state of the system. Any information about static analysis and regular system testing will go here.
## `sc-`: System and Communications Protection
This family deals with a lot of hardware controls we can probably inherit from AWS. It also deals with network configuration though, which we will have to document. Things like DDoS protection, minimizing network access between hosts, and hardware separation are documented here.
## `si-`: System and Information Integrity
This family will contain things like any software scanning for security issues and necessary patches. It also deals with how we handle errors and sanitize user inputs.
## `sr-`: Supply Chain Risk Management
This family potentially has the most entangled set of controls with other systems in our boundary and will take communication with security and compliance partners to help understand how changes to this system impact SCRM. The controls here range from setting up a SCRM team to how we scan our software to mitigate risk.

0
docs/compliance/dist/assessment-plans/.keep vendored Normal file
View file

0
docs/compliance/dist/assessment-results/.keep vendored Normal file
View file

0
docs/compliance/dist/catalogs/.keep vendored Normal file
View file

0
docs/compliance/dist/component-definitions/.keep vendored Normal file
View file

0
docs/compliance/dist/plan-of-action-and-milestones/.keep vendored Normal file
View file

0
docs/compliance/dist/profiles/.keep vendored Normal file
View file

0
docs/compliance/dist/system-security-plans/.keep vendored Normal file
View file

79
docs/compliance/dist/system-security-plans/ato/ac-1.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-1 - \[catalog\] Policy and Procedures
## Control Statement
- \[a\] Develop, document, and disseminate to organization-defined personnel or roles:
- \[1\] No value found access control policy that:
- \[a\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[b\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- \[2\] Procedures to facilitate the implementation of the access control policy and the associated access controls;
- \[b\] Designate an official to manage the development, documentation, and dissemination of the access control policy and procedures; and
- \[c\] Review and update the current access control:
- \[1\] Policy frequency and following events ; and
- \[2\] Procedures frequency and following events.
## Control guidance
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
## Control assessment-objective
an access control policy is developed and documented;
the access control policy is disseminated to personnel or roles;
access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
the access control procedures are disseminated to personnel or roles;
the No value found access control policy addresses purpose;
the No value found access control policy addresses scope;
the No value found access control policy addresses roles;
the No value found access control policy addresses responsibilities;
the No value found access control policy addresses management commitment;
the No value found access control policy addresses coordination among organizational entities;
the No value found access control policy addresses compliance;
the No value found access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the official is designated to manage the development, documentation, and dissemination of the access control policy and procedures;
the current access control policy is reviewed and updated frequency;
the current access control policy is reviewed and updated following events;
the current access control procedures are reviewed and updated frequency;
the current access control procedures are reviewed and updated following events.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-1_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-1_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ac-1_smt.c
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-11.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-11.1 - \[catalog\] Pattern-hiding Displays
## Control Statement
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
## Control guidance
The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.
## Control assessment-objective
information previously visible on the display is concealed, via device lock, with a publicly viewable image.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-11.1
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ac-11.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-11 - \[catalog\] Device Lock
## Control Statement
- \[a\] Prevent further access to the system by No value found ; and
- \[b\] Retain the device lock until the user reestablishes access using established identification and authentication procedures.
## Control guidance
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
## Control assessment-objective
further access to the system is prevented by No value found;
device lock is retained until the user re-establishes access using established identification and authentication procedures.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-11_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-11_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-12.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-12 - \[catalog\] Session Termination
## Control Statement
Automatically terminate a user session after conditions or trigger events.
## Control guidance
Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a users logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
## Control assessment-objective
a user session is automatically terminated after conditions or trigger events.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-12
______________________________________________________________________

47
docs/compliance/dist/system-security-plans/ato/ac-14.md vendored Normal file
View file

@ -0,0 +1,47 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-14 - \[catalog\] Permitted Actions Without Identification or Authentication
## Control Statement
- \[a\] Identify user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
- \[b\] Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
## Control guidance
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none."
## Control assessment-objective
user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;
user actions not requiring identification or authentication are documented in the security plan for the system;
a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-14_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-14_smt.b
______________________________________________________________________

32
docs/compliance/dist/system-security-plans/ato/ac-17.1.md vendored Normal file
View file

@ -0,0 +1,32 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-17.1 - \[catalog\] Monitoring and Control
## Control Statement
Employ automated mechanisms to monitor and control remote access methods.
## Control guidance
Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a).
## Control assessment-objective
automated mechanisms are employed to monitor remote access methods;
automated mechanisms are employed to control remote access methods.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-17.1
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-17.2.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-17.2 - \[catalog\] Protection of Confidentiality and Integrity Using Encryption
## Control Statement
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
## Control guidance
Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
## Control assessment-objective
cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-17.2
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-17.3.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-17.3 - \[catalog\] Managed Access Control Points
## Control Statement
Route remote accesses through authorized and managed network access control points.
## Control guidance
Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.
## Control assessment-objective
remote accesses are routed through authorized and managed network access control points.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-17.3
______________________________________________________________________

49
docs/compliance/dist/system-security-plans/ato/ac-17.4.md vendored Normal file
View file

@ -0,0 +1,49 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-17.4 - \[catalog\] Privileged Commands and Access
## Control Statement
- \[a\] Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: organization-defined needs ; and
- \[b\] Document the rationale for remote access in the security plan for the system.
## Control guidance
Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.
## Control assessment-objective
the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
the execution of privileged commands via remote access is authorized only for the following needs: needs requiring remote access;
access to security-relevant information via remote access is authorized only for the following needs: needs requiring remote access;
the rationale for remote access is documented in the security plan for the system.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ac-17.4_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ac-17.4_smt.b
______________________________________________________________________

48
docs/compliance/dist/system-security-plans/ato/ac-17.md vendored Normal file
View file

@ -0,0 +1,48 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-17 - \[catalog\] Remote Access
## Control Statement
- \[a\] Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
- \[b\] Authorize each type of remote access to the system prior to allowing such connections.
## Control guidance
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3).
## Control assessment-objective
usage restrictions are established and documented for each type of remote access allowed;
configuration/connection requirements are established and documented for each type of remote access allowed;
implementation guidance is established and documented for each type of remote access allowed;
each type of remote access to the system is authorized prior to allowing such connections.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-17_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-17_smt.b
______________________________________________________________________

32
docs/compliance/dist/system-security-plans/ato/ac-18.1.md vendored Normal file
View file

@ -0,0 +1,32 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-18.1 - \[catalog\] Authentication and Encryption
## Control Statement
Protect wireless access to the system using authentication of No value found and encryption.
## Control guidance
Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.
## Control assessment-objective
wireless access to the system is protected using authentication of No value found;
wireless access to the system is protected using encryption.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-18.1
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-18.3.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-18.3 - \[catalog\] Disable Wireless Networking
## Control Statement
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
## Control guidance
Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.
## Control assessment-objective
when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-18.3
______________________________________________________________________

48
docs/compliance/dist/system-security-plans/ato/ac-18.md vendored Normal file
View file

@ -0,0 +1,48 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-18 - \[catalog\] Wireless Access
## Control Statement
- \[a\] Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
- \[b\] Authorize each type of wireless access to the system prior to allowing such connections.
## Control guidance
Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.
## Control assessment-objective
configuration requirements are established for each type of wireless access;
connection requirements are established for each type of wireless access;
implementation guidance is established for each type of wireless access;
each type of wireless access to the system is authorized prior to allowing such connections.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-18_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-18_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-19.5.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-19.5 - \[catalog\] Full Device or Container-based Encryption
## Control Statement
Employ No value found to protect the confidentiality and integrity of information on mobile devices.
## Control guidance
Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.
## Control assessment-objective
No value found is employed to protect the confidentiality and integrity of information on mobile devices.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-19.5
______________________________________________________________________

52
docs/compliance/dist/system-security-plans/ato/ac-19.md vendored Normal file
View file

@ -0,0 +1,52 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-19 - \[catalog\] Access Control for Mobile Devices
## Control Statement
- \[a\] Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
- \[b\] Authorize the connection of mobile devices to organizational systems.
## Control guidance
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled.
## Control assessment-objective
configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
the connection of mobile devices to organizational systems is authorized.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-19_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-19_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-2.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.1 - \[catalog\] Automated System Account Management
## Control Statement
Support the management of system accounts using automated mechanisms.
## Control guidance
Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.
## Control assessment-objective
the management of system accounts is supported using automated mechanisms.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-2.1
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-2.13.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.13 - \[catalog\] Disable Accounts for High-risk Individuals
## Control Statement
Disable accounts of individuals within time period of discovery of significant risks.
## Control guidance
Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
## Control assessment-objective
accounts of individuals are disabled within time period of discovery of significant risks.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-2.13
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-2.2.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.2 - \[catalog\] Automated Temporary and Emergency Account Management
## Control Statement
Automatically No value found temporary and emergency accounts after time period.
## Control guidance
Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.
## Control assessment-objective
temporary and emergency accounts are automatically No value found after time period.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-2.2
______________________________________________________________________

66
docs/compliance/dist/system-security-plans/ato/ac-2.3.md vendored Normal file
View file

@ -0,0 +1,66 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.3 - \[catalog\] Disable Accounts
## Control Statement
Disable accounts within time period when the accounts:
- \[a\] Have expired;
- \[b\] Are no longer associated with a user or individual;
- \[c\] Are in violation of organizational policy; or
- \[d\] Have been inactive for time period.
## Control guidance
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
## Control assessment-objective
accounts are disabled within time period when the accounts have expired;
accounts are disabled within time period when the accounts are no longer associated with a user or individual;
accounts are disabled within time period when the accounts are in violation of organizational policy;
accounts are disabled within time period when the accounts have been inactive for time period.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ac-2.3_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ac-2.3_smt.b
______________________________________________________________________
## Implementation (c)
Add control implementation description here for item ac-2.3_smt.c
______________________________________________________________________
## Implementation (d)
Add control implementation description here for item ac-2.3_smt.d
______________________________________________________________________

35
docs/compliance/dist/system-security-plans/ato/ac-2.4.md vendored Normal file
View file

@ -0,0 +1,35 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.4 - \[catalog\] Automated Audit Actions
## Control Statement
Automatically audit account creation, modification, enabling, disabling, and removal actions.
## Control guidance
Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6).
## Control assessment-objective
account creation is automatically audited;
account modification is automatically audited;
account enabling is automatically audited;
account disabling is automatically audited;
account removal actions are automatically audited.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-2.4
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-2.5.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2.5 - \[catalog\] Inactivity Logout
## Control Statement
Require that users log out when time period of expected inactivity or description of when to log out.
## Control guidance
Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11).
## Control assessment-objective
users are required to log out when time period of expected inactivity or description of when to log out.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-2.5
______________________________________________________________________

166
docs/compliance/dist/system-security-plans/ato/ac-2.md vendored Normal file
View file

@ -0,0 +1,166 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-2 - \[catalog\] Account Management
## Control Statement
- \[a\] Define and document the types of accounts allowed and specifically prohibited for use within the system;
- \[b\] Assign account managers;
- \[c\] Require prerequisites and criteria for group and role membership;
- \[d\] Specify:
- \[1\] Authorized users of the system;
- \[2\] Group and role membership; and
- \[3\] Access authorizations (i.e., privileges) and attributes (as required) for each account;
- \[e\] Require approvals by personnel or roles for requests to create accounts;
- \[f\] Create, enable, modify, disable, and remove accounts in accordance with policy, procedures, prerequisites, and criteria;
- \[g\] Monitor the use of accounts;
- \[h\] Notify account managers and personnel or roles within:
- \[1\] time period when accounts are no longer required;
- \[2\] time period when users are terminated or transferred; and
- \[3\] time period when system usage or need-to-know changes for an individual;
- \[i\] Authorize access to the system based on:
- \[1\] A valid access authorization;
- \[2\] Intended system usage; and
- \[3\] attributes (as required);
- \[j\] Review accounts for compliance with account management requirements frequency;
- \[k\] Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
- \[l\] Align account management processes with personnel termination and transfer processes.
## Control guidance
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.
Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.
Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
## Control assessment-objective
account types allowed for use within the system are defined and documented;
account types specifically prohibited for use within the system are defined and documented;
account managers are assigned;
prerequisites and criteria for group and role membership are required;
authorized users of the system are specified;
group and role membership are specified;
access authorizations (i.e., privileges) are specified for each account;
attributes (as required) are specified for each account;
approvals are required by personnel or roles for requests to create accounts;
accounts are created in accordance with policy, procedures, prerequisites, and criteria;
accounts are enabled in accordance with policy, procedures, prerequisites, and criteria;
accounts are modified in accordance with policy, procedures, prerequisites, and criteria;
accounts are disabled in accordance with policy, procedures, prerequisites, and criteria;
accounts are removed in accordance with policy, procedures, prerequisites, and criteria;
the use of accounts is monitored;
account managers and personnel or roles are notified within time period when accounts are no longer required;
account managers and personnel or roles are notified within time period when users are terminated or transferred;
account managers and personnel or roles are notified within time period when system usage or the need to know changes for an individual;
access to the system is authorized based on a valid access authorization;
access to the system is authorized based on intended system usage;
access to the system is authorized based on attributes (as required);
accounts are reviewed for compliance with account management requirements frequency;
a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
account management processes are aligned with personnel termination processes;
account management processes are aligned with personnel transfer processes.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-2_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-2_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ac-2_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ac-2_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item ac-2_smt.e
______________________________________________________________________
## Implementation f.
Add control implementation description here for item ac-2_smt.f
______________________________________________________________________
## Implementation g.
Add control implementation description here for item ac-2_smt.g
______________________________________________________________________
## Implementation h.
Add control implementation description here for item ac-2_smt.h
______________________________________________________________________
## Implementation i.
Add control implementation description here for item ac-2_smt.i
______________________________________________________________________
## Implementation j.
Add control implementation description here for item ac-2_smt.j
______________________________________________________________________
## Implementation k.
Add control implementation description here for item ac-2_smt.k
______________________________________________________________________
## Implementation l.
Add control implementation description here for item ac-2_smt.l
______________________________________________________________________

48
docs/compliance/dist/system-security-plans/ato/ac-20.1.md vendored Normal file
View file

@ -0,0 +1,48 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-20.1 - \[catalog\] Limits on Authorized Use
## Control Statement
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
- \[a\] Verification of the implementation of controls on the external system as specified in the organizations security and privacy policies and security and privacy plans; or
- \[b\] Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
## Control guidance
Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.
## Control assessment-objective
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organizations security and privacy policies and security and privacy plans (if applicable);
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ac-20.1_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ac-20.1_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-20.2.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-20.2 - \[catalog\] Portable Storage Devices — Restricted Use
## Control Statement
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using restrictions.
## Control guidance
Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.
## Control assessment-objective
the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using restrictions.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-20.2
______________________________________________________________________

54
docs/compliance/dist/system-security-plans/ato/ac-20.md vendored Normal file
View file

@ -0,0 +1,54 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-20 - \[catalog\] Use of External Systems
## Control Statement
- \[a\] No value found , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
- \[1\] Access the system from external systems; and
- \[2\] Process, store, or transmit organization-controlled information using external systems; or
- \[b\] Prohibit the use of prohibited types of external systems.
## Control guidance
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).
For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
External systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
## Control assessment-objective
No value found is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);
No value found is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);
the use of prohibited types of external systems is prohibited (if applicable).
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-20_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-20_smt.b
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ac-21.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-21 - \[catalog\] Information Sharing
## Control Statement
- \[a\] Enable authorized users to determine whether access authorizations assigned to a sharing partner match the informations access and use restrictions for information-sharing circumstances ; and
- \[b\] Employ automated mechanisms to assist users in making information sharing and collaboration decisions.
## Control guidance
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
## Control assessment-objective
authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the informations access and use restrictions for information-sharing circumstances;
automated mechanisms are employed to assist users in making information-sharing and collaboration decisions.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-21_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-21_smt.b
______________________________________________________________________

65
docs/compliance/dist/system-security-plans/ato/ac-22.md vendored Normal file
View file

@ -0,0 +1,65 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-22 - \[catalog\] Publicly Accessible Content
## Control Statement
- \[a\] Designate individuals authorized to make information publicly accessible;
- \[b\] Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
- \[c\] Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
- \[d\] Review the content on the publicly accessible system for nonpublic information frequency and remove such information, if discovered.
## Control guidance
In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.
## Control assessment-objective
designated individuals are authorized to make information publicly accessible;
authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
the content on the publicly accessible system is reviewed for non-public information frequency;
non-public information is removed from the publicly accessible system, if discovered.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-22_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-22_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ac-22_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ac-22_smt.d
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-3.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-3 - \[catalog\] Access Enforcement
## Control Statement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
## Control guidance
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family.
## Control assessment-objective
approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-3
______________________________________________________________________

33
docs/compliance/dist/system-security-plans/ato/ac-4.md vendored Normal file
View file

@ -0,0 +1,33 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-4 - \[catalog\] Information Flow Enforcement
## Control Statement
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on information flow control policies.
## Control guidance
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).
## Control assessment-objective
approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on information flow control policies.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-4
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ac-5.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-5 - \[catalog\] Separation of Duties
## Control Statement
- \[a\] Identify and document duties of individuals ; and
- \[b\] Define system access authorizations to support separation of duties.
## Control guidance
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12).
## Control assessment-objective
duties of individuals are identified and documented;
system access authorizations to support separation of duties are defined.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-5_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-5_smt.b
______________________________________________________________________

50
docs/compliance/dist/system-security-plans/ato/ac-6.1.md vendored Normal file
View file

@ -0,0 +1,50 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.1 - \[catalog\] Authorize Access to Security Functions
## Control Statement
Authorize access for individuals and roles to:
- \[a\] organization-defined security functions (deployed in hardware, software, and firmware) ; and
- \[b\] security-relevant information.
## Control guidance
Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.
## Control assessment-objective
access is authorized for individuals and roles to security functions (deployed in hardware);
access is authorized for individuals and roles to security functions (deployed in software);
access is authorized for individuals and roles to security functions (deployed in firmware);
access is authorized for individuals and roles to security-relevant information.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ac-6.1_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ac-6.1_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-6.10.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.10 - \[catalog\] Prohibit Non-privileged Users from Executing Privileged Functions
## Control Statement
Prevent non-privileged users from executing privileged functions.
## Control guidance
Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3).
## Control assessment-objective
non-privileged users are prevented from executing privileged functions.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-6.10
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-6.2.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.2 - \[catalog\] Non-privileged Access for Nonsecurity Functions
## Control Statement
Require that users of system accounts (or roles) with access to security functions or security-relevant information use non-privileged accounts or roles, when accessing nonsecurity functions.
## Control guidance
Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
## Control assessment-objective
users of system accounts (or roles) with access to security functions or security-relevant information are required to use non-privileged accounts or roles when accessing non-security functions.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-6.2
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-6.5.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.5 - \[catalog\] Privileged Accounts
## Control Statement
Restrict privileged accounts on the system to personnel or roles.
## Control guidance
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.
## Control assessment-objective
privileged accounts on the system are restricted to personnel or roles.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-6.5
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ac-6.7.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.7 - \[catalog\] Review of User Privileges
## Control Statement
- \[a\] Review frequency the privileges assigned to roles and classes to validate the need for such privileges; and
- \[b\] Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
## Control guidance
The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.
## Control assessment-objective
privileges assigned to roles and classes are reviewed frequency to validate the need for such privileges;
privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ac-6.7_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ac-6.7_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-6.9.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6.9 - \[catalog\] Log Use of Privileged Functions
## Control Statement
Log the execution of privileged functions.
## Control guidance
The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
## Control assessment-objective
the execution of privileged functions is logged.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-6.9
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ac-6.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-6 - \[catalog\] Least Privilege
## Control Statement
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
## Control guidance
Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.
## Control assessment-objective
the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ac-6
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ac-7.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-7 - \[catalog\] Unsuccessful Logon Attempts
## Control Statement
- \[a\] Enforce a limit of number consecutive invalid logon attempts by a user during a time period ; and
- \[b\] Automatically No value found when the maximum number of unsuccessful attempts is exceeded.
## Control guidance
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
## Control assessment-objective
a limit of number consecutive invalid logon attempts by a user during time period is enforced;
automatically No value found when the maximum number of unsuccessful attempts is exceeded.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-7_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-7_smt.b
______________________________________________________________________

70
docs/compliance/dist/system-security-plans/ato/ac-8.md vendored Normal file
View file

@ -0,0 +1,70 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ac-8 - \[catalog\] System Use Notification
## Control Statement
- \[a\] Display system use notification to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
- \[1\] Users are accessing a U.S. Government system;
- \[2\] System usage may be monitored, recorded, and subject to audit;
- \[3\] Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- \[4\] Use of the system indicates consent to monitoring and recording;
- \[b\] Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
- \[c\] For publicly accessible systems:
- \[1\] Display system use information conditions , before granting further access to the publicly accessible system;
- \[2\] Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- \[3\] Include a description of the authorized uses of the system.
## Control guidance
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
## Control assessment-objective
system use notification is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the system use notification states that users are accessing a U.S. Government system;
the system use notification states that system usage may be monitored, recorded, and subject to audit;
the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
the system use notification states that use of the system indicates consent to monitoring and recording;
the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
for publicly accessible systems, system use information conditions is displayed before granting further access to the publicly accessible system;
for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
for publicly accessible systems, a description of the authorized uses of the system is included.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ac-8_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ac-8_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ac-8_smt.c
______________________________________________________________________

79
docs/compliance/dist/system-security-plans/ato/at-1.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-1 - \[catalog\] Policy and Procedures
## Control Statement
- \[a\] Develop, document, and disseminate to organization-defined personnel or roles:
- \[1\] No value found awareness and training policy that:
- \[a\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[b\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- \[2\] Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
- \[b\] Designate an official to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
- \[c\] Review and update the current awareness and training:
- \[1\] Policy frequency and following events ; and
- \[2\] Procedures frequency and following events.
## Control guidance
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
## Control assessment-objective
an awareness and training policy is developed and documented;
the awareness and training policy is disseminated to personnel or roles;
awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
the awareness and training procedures are disseminated to personnel or roles.
the No value found awareness and training policy addresses purpose;
the No value found awareness and training policy addresses scope;
the No value found awareness and training policy addresses roles;
the No value found awareness and training policy addresses responsibilities;
the No value found awareness and training policy addresses management commitment;
the No value found awareness and training policy addresses coordination among organizational entities;
the No value found awareness and training policy addresses compliance; and
the No value found awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and
the official is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;
the current awareness and training policy is reviewed and updated frequency;
the current awareness and training policy is reviewed and updated following events;
the current awareness and training procedures are reviewed and updated frequency;
the current awareness and training procedures are reviewed and updated following events.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item at-1_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item at-1_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item at-1_smt.c
______________________________________________________________________

32
docs/compliance/dist/system-security-plans/ato/at-2.2.md vendored Normal file
View file

@ -0,0 +1,32 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-2.2 - \[catalog\] Insider Threat
## Control Statement
Provide literacy training on recognizing and reporting potential indicators of insider threat.
## Control guidance
Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.
## Control assessment-objective
literacy training on recognizing potential indicators of insider threat is provided;
literacy training on reporting potential indicators of insider threat is provided.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control at-2.2
______________________________________________________________________

34
docs/compliance/dist/system-security-plans/ato/at-2.3.md vendored Normal file
View file

@ -0,0 +1,34 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-2.3 - \[catalog\] Social Engineering and Mining
## Control Statement
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
## Control guidance
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
## Control assessment-objective
literacy training on recognizing potential and actual instances of social engineering is provided;
literacy training on reporting potential and actual instances of social engineering is provided;
literacy training on recognizing potential and actual instances of social mining is provided;
literacy training on reporting potential and actual instances of social mining is provided.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control at-2.3
______________________________________________________________________

75
docs/compliance/dist/system-security-plans/ato/at-2.md vendored Normal file
View file

@ -0,0 +1,75 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-2 - \[catalog\] Literacy Training and Awareness
## Control Statement
- \[a\] Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
- \[1\] As part of initial training for new users and organization-defined frequency thereafter; and
- \[2\] When required by system changes or following organization-defined events;
- \[b\] Employ the following techniques to increase the security and privacy awareness of system users awareness techniques;
- \[c\] Update literacy training and awareness content frequency and following events ; and
- \[d\] Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
## Control guidance
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
## Control assessment-objective
security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
security literacy training is provided to system users (including managers, senior executives, and contractors) frequency thereafter;
privacy literacy training is provided to system users (including managers, senior executives, and contractors) frequency thereafter;
security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following events;
privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following events;
awareness techniques are employed to increase the security and privacy awareness of system users;
literacy training and awareness content is updated frequency;
literacy training and awareness content is updated following events;
lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item at-2_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item at-2_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item at-2_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item at-2_smt.d
______________________________________________________________________

66
docs/compliance/dist/system-security-plans/ato/at-3.md vendored Normal file
View file

@ -0,0 +1,66 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-3 - \[catalog\] Role-based Training
## Control Statement
- \[a\] Provide role-based security and privacy training to personnel with the following roles and responsibilities: organization-defined roles and responsibilities:
- \[1\] Before authorizing access to the system, information, or performing assigned duties, and frequency thereafter; and
- \[2\] When required by system changes;
- \[b\] Update role-based training content frequency and following events ; and
- \[c\] Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
## Control guidance
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
## Control assessment-objective
role-based security training is provided to roles and responsibilities before authorizing access to the system, information, or performing assigned duties;
role-based privacy training is provided to roles and responsibilities before authorizing access to the system, information, or performing assigned duties;
role-based security training is provided to roles and responsibilities frequency thereafter;
role-based privacy training is provided to roles and responsibilities frequency thereafter;
role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based training content is updated frequency;
role-based training content is updated following events;
lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item at-3_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item at-3_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item at-3_smt.c
______________________________________________________________________

47
docs/compliance/dist/system-security-plans/ato/at-4.md vendored Normal file
View file

@ -0,0 +1,47 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# at-4 - \[catalog\] Training Records
## Control Statement
- \[a\] Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
- \[b\] Retain individual training records for time period.
## Control guidance
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
## Control assessment-objective
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
individual training records are retained for time period.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item at-4_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item at-4_smt.b
______________________________________________________________________

79
docs/compliance/dist/system-security-plans/ato/au-1.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-1 - \[catalog\] Policy and Procedures
## Control Statement
- \[a\] Develop, document, and disseminate to organization-defined personnel or roles:
- \[1\] No value found audit and accountability policy that:
- \[a\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[b\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- \[2\] Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
- \[b\] Designate an official to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
- \[c\] Review and update the current audit and accountability:
- \[1\] Policy frequency and following events ; and
- \[2\] Procedures frequency and following events.
## Control guidance
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
## Control assessment-objective
an audit and accountability policy is developed and documented;
the audit and accountability policy is disseminated to personnel or roles;
audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
the audit and accountability procedures are disseminated to personnel or roles;
the No value found of the audit and accountability policy addresses purpose;
the No value found of the audit and accountability policy addresses scope;
the No value found of the audit and accountability policy addresses roles;
the No value found of the audit and accountability policy addresses responsibilities;
the No value found of the audit and accountability policy addresses management commitment;
the No value found of the audit and accountability policy addresses coordination among organizational entities;
the No value found of the audit and accountability policy addresses compliance;
the No value found of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
the official is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;
the current audit and accountability policy is reviewed and updated frequency;
the current audit and accountability policy is reviewed and updated following events;
the current audit and accountability procedures are reviewed and updated frequency;
the current audit and accountability procedures are reviewed and updated following events.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-1_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-1_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item au-1_smt.c
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/au-11.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-11 - \[catalog\] Audit Record Retention
## Control Statement
Retain audit records for time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
## Control guidance
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.
## Control assessment-objective
audit records are retained for time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-11
______________________________________________________________________

55
docs/compliance/dist/system-security-plans/ato/au-12.md vendored Normal file
View file

@ -0,0 +1,55 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-12 - \[catalog\] Audit Record Generation
## Control Statement
- \[a\] Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on system components;
- \[b\] Allow personnel or roles to select the event types that are to be logged by specific components of the system; and
- \[c\] Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
## Control guidance
Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.
## Control assessment-objective
audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by system components;
personnel or roles is/are allowed to select the event types that are to be logged by specific components of the system;
audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-12_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-12_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item au-12_smt.c
______________________________________________________________________

78
docs/compliance/dist/system-security-plans/ato/au-2.md vendored Normal file
View file

@ -0,0 +1,78 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-2 - \[catalog\] Event Logging
## Control Statement
- \[a\] Identify the types of events that the system is capable of logging in support of the audit function: event types;
- \[b\] Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
- \[c\] Specify the following event types for logging within the system: organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type;
- \[d\] Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
- \[e\] Review and update the event types selected for logging frequency.
## Control guidance
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.
## Control assessment-objective
event types that the system is capable of logging are identified in support of the audit logging function;
the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
event types (subset of AU-02_ODP[01]) are specified for logging within the system;
the specified event types are logged within the system frequency or situation;
a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
the event types selected for logging are reviewed and updated frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-2_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-2_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item au-2_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item au-2_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item au-2_smt.e
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/au-3.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-3.1 - \[catalog\] Additional Audit Information
## Control Statement
Generate audit records containing the following additional information: additional information.
## Control guidance
The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.
## Control assessment-objective
generated audit records contain the following additional information.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-3.1
______________________________________________________________________

84
docs/compliance/dist/system-security-plans/ato/au-3.md vendored Normal file
View file

@ -0,0 +1,84 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-3 - \[catalog\] Content of Audit Records
## Control Statement
Ensure that audit records contain information that establishes the following:
- \[a\] What type of event occurred;
- \[b\] When the event occurred;
- \[c\] Where the event occurred;
- \[d\] Source of the event;
- \[e\] Outcome of the event; and
- \[f\] Identity of any individuals, subjects, or objects/entities associated with the event.
## Control guidance
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
## Control assessment-objective
audit records contain information that establishes what type of event occurred;
audit records contain information that establishes when the event occurred;
audit records contain information that establishes where the event occurred;
audit records contain information that establishes the source of the event;
audit records contain information that establishes the outcome of the event;
audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-3_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-3_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item au-3_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item au-3_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item au-3_smt.e
______________________________________________________________________
## Implementation f.
Add control implementation description here for item au-3_smt.f
______________________________________________________________________

28
docs/compliance/dist/system-security-plans/ato/au-4.md vendored Normal file
View file

@ -0,0 +1,28 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
---
# au-4 - \[catalog\] Audit Log Storage Capacity
## Control Statement
Allocate audit log storage capacity to accommodate audit log retention requirements.
## Control guidance
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
## Control assessment-objective
audit log storage capacity is allocated to accommodate audit log retention requirements.
______________________________________________________________________
## What is the solution and how is it implemented?
cloud.gov ensures sufficient capacity for application logging from tenant applications.
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/au-5.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-5 - \[catalog\] Response to Audit Logging Process Failures
## Control Statement
- \[a\] Alert personnel or roles within time period in the event of an audit logging process failure; and
- \[b\] Take the following additional actions: additional actions.
## Control guidance
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
## Control assessment-objective
personnel or roles are alerted in the event of an audit logging process failure within time period;
additional actions are taken in the event of an audit logging process failure.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-5_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-5_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/au-6.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-6.1 - \[catalog\] Automated Process Integration
## Control Statement
Integrate audit record review, analysis, and reporting processes using automated mechanisms.
## Control guidance
Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.
## Control assessment-objective
audit record review, analysis, and reporting processes are integrated using automated mechanisms.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-6.1
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/au-6.3.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-6.3 - \[catalog\] Correlate Audit Record Repositories
## Control Statement
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
## Control guidance
Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.
## Control assessment-objective
audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-6.3
______________________________________________________________________

55
docs/compliance/dist/system-security-plans/ato/au-6.md vendored Normal file
View file

@ -0,0 +1,55 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-6 - \[catalog\] Audit Record Review, Analysis, and Reporting
## Control Statement
- \[a\] Review and analyze system audit records frequency for indications of inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity;
- \[b\] Report findings to personnel or roles ; and
- \[c\] Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
## Control guidance
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
## Control assessment-objective
system audit records are reviewed and analyzed frequency for indications of inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity;
findings are reported to personnel or roles;
the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-6_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-6_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item au-6_smt.c
______________________________________________________________________

32
docs/compliance/dist/system-security-plans/ato/au-7.1.md vendored Normal file
View file

@ -0,0 +1,32 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-7.1 - \[catalog\] Automatic Processing
## Control Statement
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: fields within audit records.
## Control guidance
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
## Control assessment-objective
the capability to process, sort, and search audit records for events of interest based on fields within audit records are provided;
the capability to process, sort, and search audit records for events of interest based on fields within audit records are implemented.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-7.1
______________________________________________________________________

50
docs/compliance/dist/system-security-plans/ato/au-7.md vendored Normal file
View file

@ -0,0 +1,50 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-7 - \[catalog\] Audit Record Reduction and Report Generation
## Control Statement
Provide and implement an audit record reduction and report generation capability that:
- \[a\] Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
- \[b\] Does not alter the original content or time ordering of audit records.
## Control guidance
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
## Control assessment-objective
an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-7_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-7_smt.b
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/au-8.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-8 - \[catalog\] Time Stamps
## Control Statement
- \[a\] Use internal system clocks to generate time stamps for audit records; and
- \[b\] Record time stamps for audit records that meet granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
## Control guidance
Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
## Control assessment-objective
internal system clocks are used to generate timestamps for audit records;
timestamps are recorded for audit records that meet granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-8_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-8_smt.b
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/au-9.4.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-9.4 - \[catalog\] Access by Subset of Privileged Users
## Control Statement
Authorize access to management of audit logging functionality to only subset of privileged users or roles.
## Control guidance
Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.
## Control assessment-objective
access to management of audit logging functionality is authorized only to subset of privileged users or roles.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control au-9.4
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/au-9.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# au-9 - \[catalog\] Protection of Audit Information
## Control Statement
- \[a\] Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
- \[b\] Alert personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
## Control guidance
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
## Control assessment-objective
audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
personnel or roles are alerted upon detection of unauthorized access, modification, or deletion of audit information.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item au-9_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item au-9_smt.b
______________________________________________________________________

79
docs/compliance/dist/system-security-plans/ato/ca-1.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-1 - \[catalog\] Policy and Procedures
## Control Statement
- \[a\] Develop, document, and disseminate to organization-defined personnel or roles:
- \[1\] No value found assessment, authorization, and monitoring policy that:
- \[a\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[b\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- \[2\] Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
- \[b\] Designate an official to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
- \[c\] Review and update the current assessment, authorization, and monitoring:
- \[1\] Policy frequency and following events ; and
- \[2\] Procedures frequency and following events.
## Control guidance
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
## Control assessment-objective
an assessment, authorization, and monitoring policy is developed and documented;
the assessment, authorization, and monitoring policy is disseminated to personnel or roles;
assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
the assessment, authorization, and monitoring procedures are disseminated to personnel or roles;
the No value found assessment, authorization, and monitoring policy addresses purpose;
the No value found assessment, authorization, and monitoring policy addresses scope;[03] SELECTED PARAMETER(S)> assessment, authorization, and monitoring policy addresses scope;
the No value found assessment, authorization, and monitoring policy addresses roles;[03] SELECTED PARAMETER(S)> assessment, authorization, and monitoring policy addresses roles;
the No value found assessment, authorization, and monitoring policy addresses responsibilities;
the No value found assessment, authorization, and monitoring policy addresses management commitment;
the No value found assessment, authorization, and monitoring policy addresses coordination among organizational entities;
the No value found assessment, authorization, and monitoring policy addresses compliance;
the No value found assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
the official is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;
the current assessment, authorization, and monitoring policy is reviewed and updated frequency;
the current assessment, authorization, and monitoring policy is reviewed and updated following events;
the current assessment, authorization, and monitoring procedures are reviewed and updated frequency;
the current assessment, authorization, and monitoring procedures are reviewed and updated following events.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-1_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-1_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-1_smt.c
______________________________________________________________________

35
docs/compliance/dist/system-security-plans/ato/ca-2.1.md vendored Normal file
View file

@ -0,0 +1,35 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-2.1 - \[catalog\] Independent Assessors
## Control Statement
Employ independent assessors or assessment teams to conduct control assessments.
## Control guidance
Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.
Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.
When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.
## Control assessment-objective
independent assessors or assessment teams are employed to conduct control assessments.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ca-2.1
______________________________________________________________________

99
docs/compliance/dist/system-security-plans/ato/ca-2.md vendored Normal file
View file

@ -0,0 +1,99 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-2 - \[catalog\] Control Assessments
## Control Statement
- \[a\] Select the appropriate assessor or assessment team for the type of assessment to be conducted;
- \[b\] Develop a control assessment plan that describes the scope of the assessment including:
- \[1\] Controls and control enhancements under assessment;
- \[2\] Assessment procedures to be used to determine control effectiveness; and
- \[3\] Assessment environment, assessment team, and assessment roles and responsibilities;
- \[c\] Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
- \[d\] Assess the controls in the system and its environment of operation assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
- \[e\] Produce a control assessment report that document the results of the assessment; and
- \[f\] Provide the results of the control assessment to individuals or roles.
## Control guidance
Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.
Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.
Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.
Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2).
## Control assessment-objective
an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
controls are assessed in the system and its environment of operation assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
controls are assessed in the system and its environment of operation assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;
a control assessment report is produced that documents the results of the assessment;
the results of the control assessment are provided to individuals or roles.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-2_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-2_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-2_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ca-2_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item ca-2_smt.e
______________________________________________________________________
## Implementation f.
Add control implementation description here for item ca-2_smt.f
______________________________________________________________________

62
docs/compliance/dist/system-security-plans/ato/ca-3.md vendored Normal file
View file

@ -0,0 +1,62 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-3 - \[catalog\] Information Exchange
## Control Statement
- \[a\] Approve and manage the exchange of information between the system and other systems using No value found;
- \[b\] Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
- \[c\] Review and update the agreements frequency.
## Control guidance
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.
Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.
## Control assessment-objective
the exchange of information between the system and other systems is approved and managed using No value found;
the interface characteristics are documented as part of each exchange agreement;
security requirements are documented as part of each exchange agreement;
privacy requirements are documented as part of each exchange agreement;
controls are documented as part of each exchange agreement;
responsibilities for each system are documented as part of each exchange agreement;
the impact level of the information communicated is documented as part of each exchange agreement;
agreements are reviewed and updated frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-3_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-3_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-3_smt.c
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/ca-5.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-5 - \[catalog\] Plan of Action and Milestones
## Control Statement
- \[a\] Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
- \[b\] Update existing plan of action and milestones frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
## Control guidance
Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.
## Control assessment-objective
a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
existing plan of action and milestones are updated frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-5_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-5_smt.b
______________________________________________________________________

79
docs/compliance/dist/system-security-plans/ato/ca-6.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-6 - \[catalog\] Authorization
## Control Statement
- \[a\] Assign a senior official as the authorizing official for the system;
- \[b\] Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
- \[c\] Ensure that the authorizing official for the system, before commencing operations:
- \[1\] Accepts the use of common controls inherited by the system; and
- \[2\] Authorizes the system to operate;
- \[d\] Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
- \[e\] Update the authorizations frequency.
## Control guidance
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.
Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.
## Control assessment-objective
a senior official is assigned as the authorizing official for the system;
a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
before commencing operations, the authorizing official for the system authorizes the system to operate;
the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
the authorizations are updated frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-6_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-6_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-6_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ca-6_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item ca-6_smt.e
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/ca-7.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-7.1 - \[catalog\] Independent Assessment
## Control Statement
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
## Control guidance
Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.
## Control assessment-objective
independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control ca-7.1
______________________________________________________________________

58
docs/compliance/dist/system-security-plans/ato/ca-7.4.md vendored Normal file
View file

@ -0,0 +1,58 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-7.4 - \[catalog\] Risk Monitoring
## Control Statement
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
- \[a\] Effectiveness monitoring;
- \[b\] Compliance monitoring; and
- \[c\] Change monitoring.
## Control guidance
Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.
## Control assessment-objective
risk monitoring is an integral part of the continuous monitoring strategy;
effectiveness monitoring is included in risk monitoring;
compliance monitoring is included in risk monitoring;
change monitoring is included in risk monitoring.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item ca-7.4_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item ca-7.4_smt.b
______________________________________________________________________
## Implementation (c)
Add control implementation description here for item ca-7.4_smt.c
______________________________________________________________________

99
docs/compliance/dist/system-security-plans/ato/ca-7.md vendored Normal file
View file

@ -0,0 +1,99 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-7 - \[catalog\] Continuous Monitoring
## Control Statement
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
- \[a\] Establishing the following system-level metrics to be monitored: system-level metrics;
- \[b\] Establishing frequencies for monitoring and frequencies for assessment of control effectiveness;
- \[c\] Ongoing control assessments in accordance with the continuous monitoring strategy;
- \[d\] Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
- \[e\] Correlation and analysis of information generated by control assessments and monitoring;
- \[f\] Response actions to address results of the analysis of control assessment and monitoring information; and
- \[g\] Reporting the security and privacy status of the system to organization-defined personnel or roles organization-defined frequency.
## Control guidance
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4).
## Control assessment-objective
a system-level continuous monitoring strategy is developed;
system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: system-level metrics;
system-level continuous monitoring includes established frequencies for monitoring;
system-level continuous monitoring includes established frequencies for assessment of control effectiveness;
system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
system-level continuous monitoring includes reporting the security status of the system to personnel or roles frequency;
system-level continuous monitoring includes reporting the privacy status of the system to personnel or roles frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-7_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-7_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-7_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ca-7_smt.d
______________________________________________________________________
## Implementation e.
Add control implementation description here for item ca-7_smt.e
______________________________________________________________________
## Implementation f.
Add control implementation description here for item ca-7_smt.f
______________________________________________________________________
## Implementation g.
Add control implementation description here for item ca-7_smt.g
______________________________________________________________________

67
docs/compliance/dist/system-security-plans/ato/ca-9.md vendored Normal file
View file

@ -0,0 +1,67 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# ca-9 - \[catalog\] Internal System Connections
## Control Statement
- \[a\] Authorize internal connections of system components to the system;
- \[b\] Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
- \[c\] Terminate internal system connections after conditions ; and
- \[d\] Review frequency the continued need for each internal connection.
## Control guidance
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
## Control assessment-objective
internal connections of system components to the system are authorized;
for each internal connection, the interface characteristics are documented;
for each internal connection, the security requirements are documented;
for each internal connection, the privacy requirements are documented;
for each internal connection, the nature of the information communicated is documented;
internal system connections are terminated after conditions;
the continued need for each internal connection is reviewed frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item ca-9_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item ca-9_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item ca-9_smt.c
______________________________________________________________________
## Implementation d.
Add control implementation description here for item ca-9_smt.d
______________________________________________________________________

79
docs/compliance/dist/system-security-plans/ato/cm-1.md vendored Normal file
View file

@ -0,0 +1,79 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-1 - \[catalog\] Policy and Procedures
## Control Statement
- \[a\] Develop, document, and disseminate to organization-defined personnel or roles:
- \[1\] No value found configuration management policy that:
- \[a\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[b\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- \[2\] Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
- \[b\] Designate an official to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
- \[c\] Review and update the current configuration management:
- \[1\] Policy frequency and following events ; and
- \[2\] Procedures frequency and following events.
## Control guidance
Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
## Control assessment-objective
a configuration management policy is developed and documented;
the configuration management policy is disseminated to personnel or roles;
configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
the configuration management procedures are disseminated to personnel or roles;
the No value found of the configuration management policy addresses purpose;
the No value found of the configuration management policy addresses scope;
the No value found of the configuration management policy addresses roles;
the No value found of the configuration management policy addresses responsibilities;
the No value found of the configuration management policy addresses management commitment;
the No value found of the configuration management policy addresses coordination among organizational entities;
the No value found of the configuration management policy addresses compliance;
the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the official is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;
the current configuration management policy is reviewed and updated frequency;
the current configuration management policy is reviewed and updated following events;
the current configuration management procedures are reviewed and updated frequency;
the current configuration management procedures are reviewed and updated following events.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item cm-1_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item cm-1_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item cm-1_smt.c
______________________________________________________________________

55
docs/compliance/dist/system-security-plans/ato/cm-10.md vendored Normal file
View file

@ -0,0 +1,55 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-10 - \[catalog\] Software Usage Restrictions
## Control Statement
- \[a\] Use software and associated documentation in accordance with contract agreements and copyright laws;
- \[b\] Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
- \[c\] Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
## Control guidance
Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.
## Control assessment-objective
software and associated documentation are used in accordance with contract agreements and copyright laws;
the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item cm-10_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item cm-10_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item cm-10_smt.c
______________________________________________________________________

55
docs/compliance/dist/system-security-plans/ato/cm-11.md vendored Normal file
View file

@ -0,0 +1,55 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-11 - \[catalog\] User-installed Software
## Control Statement
- \[a\] Establish policies governing the installation of software by users;
- \[b\] Enforce software installation policies through the following methods: methods ; and
- \[c\] Monitor policy compliance frequency.
## Control guidance
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.
## Control assessment-objective
policies governing the installation of software by users are established;
software installation policies are enforced through methods;
compliance with policies is monitored frequency.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item cm-11_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item cm-11_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item cm-11_smt.c
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/cm-12.1.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-12.1 - \[catalog\] Automated Tools to Support Information Location
## Control Statement
Use automated tools to identify information by information type on system components to ensure controls are in place to protect organizational information and individual privacy.
## Control guidance
The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.
## Control assessment-objective
automated tools are used to identify information by information type on system components to ensure that controls are in place to protect organizational information and individual privacy.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control cm-12.1
______________________________________________________________________

59
docs/compliance/dist/system-security-plans/ato/cm-12.md vendored Normal file
View file

@ -0,0 +1,59 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-12 - \[catalog\] Information Location
## Control Statement
- \[a\] Identify and document the location of information and the specific system components on which the information is processed and stored;
- \[b\] Identify and document the users who have access to the system and system components where the information is processed and stored; and
- \[c\] Document changes to the location (i.e., system or system components) where the information is processed and stored.
## Control guidance
Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17)).
## Control assessment-objective
the location of information is identified and documented;
the specific system components on which information is processed are identified and documented;
the specific system components on which information is stored are identified and documented;
the users who have access to the system and system components where information is processed are identified and documented;
the users who have access to the system and system components where information is stored are identified and documented;
changes to the location (i.e., system or system components) where information is processed are documented;
changes to the location (i.e., system or system components) where information is stored are documented.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item cm-12_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item cm-12_smt.b
______________________________________________________________________
## Implementation c.
Add control implementation description here for item cm-12_smt.c
______________________________________________________________________

34
docs/compliance/dist/system-security-plans/ato/cm-2.2.md vendored Normal file
View file

@ -0,0 +1,34 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-2.2 - \[catalog\] Automation Support for Accuracy and Currency
## Control Statement
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using automated mechanisms.
## Control guidance
Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities.
## Control assessment-objective
the currency of the baseline configuration of the system is maintained using automated mechanisms;
the completeness of the baseline configuration of the system is maintained using automated mechanisms;
the accuracy of the baseline configuration of the system is maintained using automated mechanisms;
the availability of the baseline configuration of the system is maintained using automated mechanisms.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control cm-2.2
______________________________________________________________________

31
docs/compliance/dist/system-security-plans/ato/cm-2.3.md vendored Normal file
View file

@ -0,0 +1,31 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-2.3 - \[catalog\] Retention of Previous Configurations
## Control Statement
Retain number of previous versions of baseline configurations of the system to support rollback.
## Control guidance
Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation.
## Control assessment-objective
number of previous baseline configuration version(s) of the system is/are retained to support rollback.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control cm-2.3
______________________________________________________________________

46
docs/compliance/dist/system-security-plans/ato/cm-2.7.md vendored Normal file
View file

@ -0,0 +1,46 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-2.7 - \[catalog\] Configure Systems and Components for High-risk Areas
## Control Statement
- \[a\] Issue systems or system components with configurations to individuals traveling to locations that the organization deems to be of significant risk; and
- \[b\] Apply the following controls to the systems or components when the individuals return from travel: controls.
## Control guidance
When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family.
## Control assessment-objective
systems or system components with configurations are issued to individuals traveling to locations that the organization deems to be of significant risk;
controls are applied to the systems or system components when the individuals return from travel.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation (a)
Add control implementation description here for item cm-2.7_smt.a
______________________________________________________________________
## Implementation (b)
Add control implementation description here for item cm-2.7_smt.b
______________________________________________________________________

53
docs/compliance/dist/system-security-plans/ato/cm-2.md vendored Normal file
View file

@ -0,0 +1,53 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-2 - \[catalog\] Baseline Configuration
## Control Statement
- \[a\] Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- \[b\] Review and update the baseline configuration of the system:
- \[1\] frequency;
- \[2\] When required due to circumstances ; and
- \[3\] When system components are installed or upgraded.
## Control guidance
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
## Control assessment-objective
a current baseline configuration of the system is developed and documented;
a current baseline configuration of the system is maintained under configuration control;
the baseline configuration of the system is reviewed and updated frequency;
the baseline configuration of the system is reviewed and updated when required due to circumstances;
the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
______________________________________________________________________
## What is the solution and how is it implemented?
<!-- Please leave this section blank and enter implementation details in the parts below. -->
______________________________________________________________________
## Implementation a.
Add control implementation description here for item cm-2_smt.a
______________________________________________________________________
## Implementation b.
Add control implementation description here for item cm-2_smt.b
______________________________________________________________________

33
docs/compliance/dist/system-security-plans/ato/cm-3.2.md vendored Normal file
View file

@ -0,0 +1,33 @@
---
implementation-status:
- c-not-implemented
control-origination:
- c-inherited-cloud-gov
- c-inherited-cisa
- c-common-control
- c-system-specific-control
---
# cm-3.2 - \[catalog\] Testing, Validation, and Documentation of Changes
## Control Statement
Test, validate, and document changes to the system before finalizing the implementation of the changes.
## Control guidance
Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.
## Control assessment-objective
changes to the system are tested before finalizing the implementation of the changes;
changes to the system are validated before finalizing the implementation of the changes;
changes to the system are documented before finalizing the implementation of the changes.
______________________________________________________________________
## What is the solution and how is it implemented?
Add control implementation description here for control cm-3.2
______________________________________________________________________

Some files were not shown because too many files have changed in this diff Show more