diff --git a/.gitignore b/.gitignore
index 3c9568e..0ab9e91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 working_dir/*
 templates/.trestle/cache/
 templates/.trestle/_trash/
+.venv
diff --git a/Dockerfile b/Dockerfile
index fe2aff8..6d19ad5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,9 +37,15 @@ RUN adduser \
 # RUN --mount=type=cache,target=/root/.cache/pip \
 # --mount=type=bind,source=requirements.txt,target=requirements.txt \
 # python -m pip install -r requirements.txt
-ARG TRESTLE_VERSION=3.4.0
+# ARG TRESTLE_VERSION=3.4.0
+# RUN --mount=type=cache,target=/root/.cache/pip \
+# python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+# RUN apt-get update && apt-get install -y pandoc && apt-get clean
+# remove below and uncomment above once more-jinja-tags branch has been merged and released
+RUN apt-get update && apt-get install -y git pandoc && apt-get clean
 RUN --mount=type=cache,target=/root/.cache/pip \
- python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+ python -m pip install git+https://github.com/gsa-tts/compliance-trestle.git@77a6d5d0
+RUN apt-get remove -y git
 
 # Switch to the non-privileged user to run the application.
 USER appuser
diff --git a/README.md b/README.md
index 36006ab..0720ea0 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,10 @@ This repository contains the source code for the `ghcr.io/gsa-tts/trestle` Docke
 1. Edit control statements within markdown files
 1. [Assemble markdown contents into a provisional OSCAL SSP](#assemble-ssp-json-from-markdown)
 1. Edit other sections of the SSPP within the smaller json files
+ 1. [Check your progress](#check-control-status)
 1. [Assemble everything into a final OSCAL SSP (TODO: within a CI workflow)](#final-ssp-assembly)
+1. [Update non-OSCAL SSP sections](#update-non-oscal-ssp-files)
+1. [Render a human-readable SSPP (TODO: within a CI workflow)](#render-ssp)
 
 ### Pull down the trestle image and initialize a compliance trestle project
 
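Review bot: `RUN apt-get remove -y git` on its own line does not take git out of the image: it was installed in the preceding `RUN` layer, so the binary stays in that layer and only the final filesystem view loses it, while the packages git pulled in as dependencies remain installed. Doing the install, the pip install and the purge inside a single `RUN` keeps the build-only tool out of every layer, and `rm -rf /var/lib/apt/lists/*` after `apt-get clean` drops the package index that `apt-get update` leaves behind. The `@77a6d5d0` pin is an abbreviated commit; recording the full 40-character SHA makes the pin unambiguous, and it belongs next to the "remove below and uncomment above" comment so whoever reverts to the released package knows what was being tracked.
```dockerfile
# remove below and uncomment above once more-jinja-tags branch has been merged and released
RUN --mount=type=cache,target=/root/.cache/pip \
    apt-get update && apt-get install -y git pandoc \
    && python -m pip install "git+https://github.com/gsa-tts/compliance-trestle.git@77a6d5d0" \
    && apt-get purge -y --auto-remove git \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
# … unchanged: USER appuser …
```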
@@ -42,10 +45,29 @@ This step will create `system-security-plans/SYSTEM_NAME/system-security-plan.js This script should be given the same list of Component Definitions that were passed to `generate-ssp-markdown` +### Check Control Status + +The `control-status` script will output a quick report of all of the `Implementation Status` lines for your controls. For instance, to report on the status of all controls except those marked as `implemented`: + +`control-status -i implemented` + + ### Final SSP Assembly `trestle assemble -n SYSTEM_NAME system-security-plan` +### Update non-OSCAL SSP files. + +Edit the files within `ssp-markdown` to populate data for the rendered SSP that can't yet be pulled from OSCAL. + +*Hint:* Use [jinja templates](https://oscal-compass.github.io/compliance-trestle/trestle_author_jinja/#custom-jinja-tags) `md_clean_include` and `mdsection_include` to populate content from other existing documents your team is using. + +### Render SSP + +Output the SSP as a markdown file and html file, both within `ssp-render` + +`render-ssp` + ### Import profile into working space: If you are using a `PROFILE_NAME` that does not ship with this docker container then you must first manually import it using: diff --git a/scripts/copy-profile b/scripts/copy-profile index 0b0deac..35bc50c 100755 --- a/scripts/copy-profile +++ b/scripts/copy-profile @@ -1,10 +1,17 @@ #! /usr/bin/env bash -set -e - if [ "$1" = "" ]; then echo "Usage: $0 PROFILE_NAME" exit 1 fi trestle import -f "/app/templates/profiles/$1/profile.json" -o "$1" + +set -e + +if [ -d "/app/templates/ssp-rendering/$1" ]; then + mkdir ssp-render + cp -r "/app/templates/ssp-rendering/$1/templates" ssp-render/ + cp -r /app/templates/ssp-rendering/img ssp-render/ + cp -r "/app/templates/ssp-rendering/$1/markdown" ssp-markdown +fi diff --git a/scripts/render-ssp b/scripts/render-ssp new file mode 100755 index 0000000..c2a83af --- /dev/null +++ b/scripts/render-ssp 
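Review bot: Moving `set -e` below the `trestle import` call means a failed import no longer stops the script, so the template copy still runs for a profile that was never imported; if that is deliberate it deserves a comment, otherwise `set -e` belongs back on the line after the shebang. Independently, `mkdir ssp-render` has no `-p`, so with `set -e` now active the script aborts the second time it runs in the same working directory, and `cp -r .../markdown ssp-markdown` copies into a nested `ssp-markdown/markdown` when the target already exists — `mkdir -p ssp-render` and a `[ -d ssp-markdown ]` check tolerate re-runs. `$1` is also spliced unchecked into the `/app/templates/...` paths; a name check such as `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 1` keeps a stray `/` or `..` from resolving outside the template tree.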
@@ -0,0 +1,76 @@
+#! /usr/bin/env bash
+
+usage="
+$0: generate a human-readable SSP document
+
+Usage:
+ $0 -h
+ $0 -t TEMPLATE_FILE [-o OUTPUT] [-n SYSTEM_NAME] [-p PROFILE_NAME]
+
+Options:
+-h: show help and exit
+-t: SSP Template file. Defaults to ssp-render/templates/gsa_template.md.jinja
+-o: Output markdown document. Defaults to ssp-render/SYSTEM_NAME_ssp.md
+-n: System Name. Defaults to 'system-name' value in trestle-config.yaml
+-p: Profile Name. Defaults to 'profile' value in trestle-config.yaml
+
+Notes:
+* Will load defaults from trestle-config.yaml file, if present
+"
+
+set -e
+
+source /app/bin/functions.sh
+system_name=$(yaml_parse_value 'trestle-config.yaml' 'system-name')
+profile=$(yaml_parse_value 'trestle-config.yaml' 'profile')
+template="ssp-render/templates/gsa_template.md.jinja"
+output=""
+
+while getopts "ht:o:n:p:" opt; do
+ case "$opt" in
+ t)
+ template=${OPTARG}
+ ;;
+ o)
+ output=${OPTARG}
+ ;;
+ p)
+ profile=${OPTARG}
+ ;;
+ n)
+ system_name=${OPTARG}
+ ;;
+ h)
+ echo "$usage"
+ exit 0
+ ;;
+ esac
+done
+
+if [ "$template" = "" ]; then
+ echo "$usage"
+ exit 1
+fi
+
+if [ "$profile" = "" ]; then
+ echo "$usage"
+ exit 1
+fi
+
+if [ "$system_name" = "" ]; then
+ echo "$usage"
+ exit 1
+fi
+
+if [ "$output" = "" ]; then
+ output="ssp-render/${system_name}_ssp.md"
+fi
+
+if [ ! -f "$template" ]; then
+ echo "The template file: $template could not be found"
+ exit 1
+fi
+
+trestle author jinja -i "$template" -ssp "$system_name" -p "$profile" -o "$output" -lut ssp-markdown/ssp_data.yaml -elp gsa -bf "[.]" -vap "$system_name Assigned:" -vnap "Assignment:"
+
+pandoc "$output" --from markdown -t html -s -o "$output.html" --metadata title="${system_name} SSP"
diff --git a/templates/component-definitions/devtools_cloud_gov/component-definition.json b/templates/component-definitions/devtools_cloud_gov/component-definition.json
index cd24315..56633e5 100644
--- a/templates/component-definitions/devtools_cloud_gov/component-definition.json
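Review bot: The `getopts` loop has no `\?` arm, so an unknown flag or a missing option argument only triggers getopts' own message and the script carries on with the defaults instead of stopping; add `\?) echo "$usage" >&2; exit 1 ;;` to the `case`. The usage text printed by the three empty-value checks goes to stdout, where it lands in any captured output — `echo "$usage" >&2` on those lines keeps stdout clean for the error path. The help text says defaults are loaded from trestle-config.yaml "if present", but with `set -e` active the `system_name=$(yaml_parse_value ...)` assignments abort the script if `yaml_parse_value` returns non-zero for a missing file; `functions.sh` is not in this diff, so worth confirming what it does when the file is absent and either guarding the calls with `[ -f trestle-config.yaml ]` or correcting the note.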
+++ b/templates/component-definitions/devtools_cloud_gov/component-definition.json @@ -1,9 +1,9 @@ { "component-definition": { - "uuid": "d8c6b192-f2c1-4434-8307-d8aed1826fe6", + "uuid": "6372eeac-753c-4d32-be21-9867a0f3e59a", "metadata": { "title": "Cloud.gov Best Practices for DevTools-based applications.", - "last-modified": "2024-08-15T01:28:29.538446+00:00", + "last-modified": "2024-08-28T17:13:07.537368+00:00", "version": "0.0.1", "oscal-version": "1.1.2" }, @@ -73,7 +73,9 @@ "set-parameters": [ { "param-id": "gov.cloud.org-name", - "values": ["TODO - cloud.gov org name"] + "values": [ + "TODO - cloud.gov org name" + ] }, { "param-id": "gov.cloud.space-names", @@ -98,7 +100,7 @@ { "statement-id": "sc-7_smt.a", "uuid": "7980db8d-2517-4c1d-a1ac-ab28bceefc35", - "description": "SSH access to production spaces: {{ insert: param, gov.cloud.space-names }} within Cloud.gov organization {{ insert: param, gov.cloud.org-name }} has been disabled.", + "description": "SSH access to production spaces has been disabled.", "props": [ { "name": "Rule_Id", @@ -141,7 +143,7 @@ { "statement-id": "si-4_smt.b", "uuid": "30e83cb4-8214-491b-85d8-ce85b1a58e9d", - "description": "SSH Access has been disabled to production spaces {{ insert: param, gov.cloud.space-names }} in organization {{ insert: param, gov.cloud.org-name }} to limit potential unauthorized use.", + "description": "SSH Access has been disabled to production spaces to limit potential unauthorized use.", "props": [ { "name": "Rule_Id", diff --git a/templates/profiles/lato/profile.json b/templates/profiles/lato/profile.json index 1e35689..10d2b94 100644 --- a/templates/profiles/lato/profile.json +++ b/templates/profiles/lato/profile.json @@ -50,6 +50,9 @@ ] } ], + "merge": { + "as-is": true + }, "modify": { "set-parameters": [ { @@ -974,4 +977,4 @@ "alters": [] } } -} \ No newline at end of file +} 
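Review bot: The two rewritten statement descriptions no longer expand `gov.cloud.space-names` and `gov.cloud.org-name`, yet the `set-parameters` entries for both are kept — the `gov.cloud.org-name` value block is even reformatted in this same change. If nothing outside these hunks references them, the parameters are now dead configuration that still asks consumers to fill in `TODO - cloud.gov org name` for no effect; either drop them or leave a remark on the entry explaining why they are retained. The remaining hunks in this file only bump `uuid` and `last-modified`.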
diff --git a/templates/ssp-rendering/img/gsa_it_logo.png b/templates/ssp-rendering/img/gsa_it_logo.png new file mode 100644 index 0000000..0664b92 Binary files /dev/null and b/templates/ssp-rendering/img/gsa_it_logo.png differ diff --git a/templates/ssp-rendering/lato/markdown/aws.md b/templates/ssp-rendering/lato/markdown/aws.md new file mode 100644 index 0000000..ee459a0 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/aws.md @@ -0,0 +1,71 @@ +# 10.10.1 List of AWS Services Used + + +Table 10-5. AWS Services + +| AWS Service Name | Approval Status (FedRAMP and/or OCISO Approved) | Brief Description of Use(s) | +| ---------------- | ----------------------------------------------- | --------------------------- | + +# 10.10.2 Identity and Access Control Management + + +# 10.10.3 Separation of Workloads + + +# 10.10.4 Cloud Network Design + + +# 10.10.5 Network Security and Microsegmentation + + +# 10.10.6 Data Encryption in Transit + + +# 10.10.7 Data Encryption at Rest + + +# 10.10.8 S3 Bucket Security + + +# 10.10.9 Key Management Service (KMS) Key Monitoring and Governance + + +# 10.10.10 Governance and Management of AWS Accounts + + +# 10.10.11 Uses of Cloud Native Security Services + + +# 10.10.12 Continuous Monitoring and Assessment of AWS Security Posture + diff --git a/templates/ssp-rendering/lato/markdown/containers.md b/templates/ssp-rendering/lato/markdown/containers.md new file mode 100644 index 0000000..1e990ab --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/containers.md 
@@ -0,0 +1,49 @@ +# 10.9.1 Container Image Build and Management + + +# 10.9.2 Container Image Scanning + + +# 10.9.3 Container Image Registry + + +# 10.9.4 Dockerfile Usage + + +# 10.9.5 Logs and Log Integration from Containers + + +# 10.9.6 Hardening of Container Infrastructure + + +# 10.9.7 Privilege Management in Cluster and Containers + + +# 10.9.8 Container Network Security + + +# 10.9.9 Container Orchestration (Elastic Container Service (ECS), Elastic Kubernetes Service (EKS), Fargate, Kubernetes, etc.) + + +# 10.9.10 Monitoring and Alerting + diff --git a/templates/ssp-rendering/lato/markdown/devsecops.md b/templates/ssp-rendering/lato/markdown/devsecops.md new file mode 100644 index 0000000..09dbd7b --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/devsecops.md @@ -0,0 +1,49 @@ +# 10.8.1 Code Version Control and Code Management + + +# 10.8.2 Infrastructure-As-Code (IAC) Implementataion + + +# 10.8.3 Pipeline Design + + +# 10.8.4 Code Scanning + + +# 10.8.5 Dependency Scanning + + +# 10.8.6 Image Management + + +# 10.8.7 Secret and Key Management + + +# 10.8.8 Artifact Management + + +# 10.8.9 Code Change and Release Management + + +# 10.8.10 Serverless Design (if applicable) + diff --git a/templates/ssp-rendering/lato/markdown/ipv6.md b/templates/ssp-rendering/lato/markdown/ipv6.md new file mode 100644 index 0000000..6971173 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/ipv6.md @@ -0,0 +1,7 @@ + + + diff --git a/templates/ssp-rendering/lato/markdown/ssp_data.yaml b/templates/ssp-rendering/lato/markdown/ssp_data.yaml new file mode 100644 index 0000000..2887bbb --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/ssp_data.yaml @@ -0,0 +1 @@ +system_type: "[Major Information System/Minor Application/Subsystem]" diff --git a/templates/ssp-rendering/lato/markdown/system_data_nature.md b/templates/ssp-rendering/lato/markdown/system_data_nature.md new file mode 100644 index 0000000..fabc2a4 --- /dev/null 
+++ b/templates/ssp-rendering/lato/markdown/system_data_nature.md @@ -0,0 +1,8 @@ + diff --git a/templates/ssp-rendering/lato/markdown/system_environment_description.md b/templates/ssp-rendering/lato/markdown/system_environment_description.md new file mode 100644 index 0000000..69fe9d3 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/system_environment_description.md @@ -0,0 +1,6 @@ + diff --git a/templates/ssp-rendering/lato/markdown/table_10_1.md b/templates/ssp-rendering/lato/markdown/table_10_1.md new file mode 100644 index 0000000..693feee --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_10_1.md @@ -0,0 +1,9 @@ + + +Table 10-1. Asset Physical and Virtual Components + +| Component Name | OS/Make | Operational Environment | Location (Physical or Virtual) | +| -------------- | ------- | ----------------------- | ------------------------------ | +| | | | | diff --git a/templates/ssp-rendering/lato/markdown/table_10_2.md b/templates/ssp-rendering/lato/markdown/table_10_2.md new file mode 100644 index 0000000..4273dcb --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_10_2.md @@ -0,0 +1,43 @@ + + +Table 10-2. External Service + +| Service Element | Response | +| --------------- | -------- | +| System Name | | +| Connection Type | | +| Data Description | | +| Data Sensitivity | | +| Level of Vendor Dependency | | +| Alternative Exists? | | +| Is API over HTTPS? | | +| API Connection Security | | +| API Connection Type | | +| Authentication and Authorization | | +| MFA | | +| Role-based Access Control | | +| Audit Logs Available | | +| Encryption in Transit | | +| Encryption in Storage | | diff --git a/templates/ssp-rendering/lato/markdown/table_10_3.md b/templates/ssp-rendering/lato/markdown/table_10_3.md new file mode 100644 index 0000000..b2f90d3 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_10_3.md 
@@ -0,0 +1,8 @@ + + +Table 10-3. Software Components + +| Software Component/Name | Function | Version | Patch Level | Virtual (Yes/No) | +| ----------------------- | -------- | ------- | ----------- | ---------------- | diff --git a/templates/ssp-rendering/lato/markdown/table_10_4.md b/templates/ssp-rendering/lato/markdown/table_10_4.md new file mode 100644 index 0000000..3440702 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_10_4.md @@ -0,0 +1,10 @@ + + +The table below lists the Ports, Protocols, and Serivces enabled in this information system. TCP ports are indicated with a T and UDP prots are indicated with a U. + +Table 10-4. Ports, Protocols, and Services + +| Direction (Inbound, Outbound, or Bi-Directional) | Boundary Crossings (Y/N) | Source | Destination | Ports (T or U) | Protocols | Services | Purpose | Encrypted (Y/N) | Data Sensitivity | +| ------------------------------------------------ | ------------------------ | ------ | ----------- | -------------- | --------- | -------- | ------- | --------------- | ---------------- | diff --git a/templates/ssp-rendering/lato/markdown/table_11_1.md b/templates/ssp-rendering/lato/markdown/table_11_1.md new file mode 100644 index 0000000..026e42a --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_11_1.md @@ -0,0 +1,8 @@ + + +Table 11-1. System Interconnections + +| System Name | Organization | Type of System (Major Information System/Minor Application/Subsystem) | Agreement Type (ISA,MOU) | Date of Agreement | FIPS 199 Security Category of System | A&A Status of System | Name and Title of AO | +| ----------- | ------------ | --------------------------------------------------------------------- | ------------------------ | ----------------- | ------------------------------------ | -------------------- | -------------------- | 
diff --git a/templates/ssp-rendering/lato/markdown/table_11_2.md b/templates/ssp-rendering/lato/markdown/table_11_2.md new file mode 100644 index 0000000..2bc159c --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_11_2.md @@ -0,0 +1,8 @@ + + +Table 11-2. Connection Details of Interconnected Systems + +| System Name | Organization | Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer, etc.) | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Prots or Circuit # | +| ----------- | ------------ | --------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------------- | ----------------------------- | ------------------ | diff --git a/templates/ssp-rendering/lato/markdown/table_8_2.md b/templates/ssp-rendering/lato/markdown/table_8_2.md new file mode 100644 index 0000000..d9820d0 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_8_2.md @@ -0,0 +1,12 @@ + + +Table 8-2. Systems Receiving Controls + +| Receiving System Name (FISMA System Identifier) | Receiving System Owner | Control Identifier, Name | Common/Hybrid | +| --------------------- | ---------------------- | ------------------------ | ------------- | +| | | | | +| | | | | diff --git a/templates/ssp-rendering/lato/markdown/table_9_1.md b/templates/ssp-rendering/lato/markdown/table_9_1.md new file mode 100644 index 0000000..50355ac --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_9_1.md @@ -0,0 +1,9 @@ + + +Table 9-1. System Locations + +| Primary | Secondary (if applicable) | +| ------- | ------------------------- | +| cloud.gov | | diff --git a/templates/ssp-rendering/lato/markdown/table_9_2.md b/templates/ssp-rendering/lato/markdown/table_9_2.md new file mode 100644 index 0000000..c18858b --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_9_2.md 
@@ -0,0 +1,11 @@ + + +Table 9-2. System Assets + +| Asset Type | Description of Function or Service Provided | +| ---------- | ------------------------------------------- | +{% for component in ssp.system_implementation.components %} +| {{ component.title }} | {{ component.description }} | +{% endfor %} diff --git a/templates/ssp-rendering/lato/markdown/table_9_3.md b/templates/ssp-rendering/lato/markdown/table_9_3.md new file mode 100644 index 0000000..99c77ea --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_9_3.md @@ -0,0 +1,8 @@ + + +Table 9-3. System URLs + +| System Component | Application URL | Internal, External, or Both | MFA Authentication Method | +| ---------------- | --------------- | --------------------------- | ------------------------- | diff --git a/templates/ssp-rendering/lato/markdown/table_9_4.md b/templates/ssp-rendering/lato/markdown/table_9_4.md new file mode 100644 index 0000000..189184c --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/table_9_4.md @@ -0,0 +1,10 @@ + + +Table 9-4. User Roles and Privileges + +| Role | Internal or External | Privileged (P), Non-Privileged (NP), or No Logical Access (NLA) | Sensitivity Level | Authorized Privileges | Functions Performed | MFA Authentication Method | +| ---- | -------------------- | --------------------------------------------------------------- | ----------------- | --------------------- | ------------------- | ------------------------- | + +**Note:** User roles typically align with Active Directory, LDAP, Role-based Access Controls (RBAC), NIS, UNIX groups, and/or UNIX netgroups. diff --git a/templates/ssp-rendering/lato/markdown/user_access_descriptions.md b/templates/ssp-rendering/lato/markdown/user_access_descriptions.md new file mode 100644 index 0000000..4af9d94 --- /dev/null +++ b/templates/ssp-rendering/lato/markdown/user_access_descriptions.md @@ -0,0 +1,14 @@ +# Privileged User Access + + +# Non-Privileged User Access + + +# Vendor Considerations + 
diff --git a/templates/ssp-rendering/lato/templates/approvals.md b/templates/ssp-rendering/lato/templates/approvals.md new file mode 100644 index 0000000..b4c3d41 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/approvals.md @@ -0,0 +1,49 @@ + +# Approvals + +**System Owner** +
+
+
+
+

+{% set owners = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-owner") | list %} +{% if owners | count > 0 %} +{{ owners[0].name }} +{% else %} +[Name] +{% endif %} +
+System Owner + +**Information System Security Officer** +
+
+
+
+

+{% set isso = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-officer") | list %} +{% if isso | count > 0 %} +{{ isso[0].name }} +{% else %} +[Name] +{% endif %} +
+Information System Security Officer + +**Information System Security Manager** +
+
+
+
+

+{% set issm = ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-manager") | list %} +{% if issm | count > 0 %} +{{ issm[0].name }} +{% else %} +[Name] +{% endif %} +
+Information System Security Manager + +
diff --git a/templates/ssp-rendering/lato/templates/frontmatter.md b/templates/ssp-rendering/lato/templates/frontmatter.md new file mode 100644 index 0000000..91d41b5 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/frontmatter.md @@ -0,0 +1,46 @@ +
+ +# U.S. General Services Administration + +# {{ ssp.system_characteristics.system_name }} ({{ ssp.system_characteristics.system_name_short }}) +# Lightweight Security Authorization Process +# System Security and Privacy Plan (SSPP) +# {% md_datestamp format='%B %d, %Y' %} + +![GSAIT Logo](./img/gsa_it_logo.png) + +
+ +
+ +Document Prepared By + + +{% for party in ssp_interface.get_parties_for_role(ssp.metadata.responsible_parties, "prepared-by") %} + + + + +{% set address = ssp_interface.first_array_entry(party.addresses) %} +{% set addr_lines = ssp_interface.safe_retrieval(address, "addr_lines", []) %} + + + + + + + + +{% endfor %} + +
{{ party.type.value.title() }} Name{{ party.name }}
Address Line 1{{ addr_lines[0] }}
Address Line 2{{ addr_lines[1] }}
City, State Zip{{ ssp_interface.safe_retrieval(address, "city") }}, {{ ssp_interface.safe_retrieval(address, "state") }} {{ ssp_interface.safe_retrieval(address, "postal_code") }}
+ +
+ +Document Revision History + +| Date | Comments | Version | Author | +| ---- | -------- | ------- | ------ | +| | | | | + +
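Review bot: `{{ addr_lines[0] }}` and `{{ addr_lines[1] }}` index the list unguarded while `addr_lines` itself falls back to `[]` from `safe_retrieval`, so a prepared-by party with zero or one address line leaves those cells undefined — rendered blank or raised as an error depending on the Undefined class trestle's Jinja environment uses, which this diff does not show. `{{ addr_lines[0] if addr_lines|length > 0 else '' }}` and the same form for index 1 keep the table well-formed either way. The `{{ party.type.value.title() }}` cell is likewise unguarded if a party has no `type`.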
diff --git a/templates/ssp-rendering/lato/templates/gsa_template.md.jinja b/templates/ssp-rendering/lato/templates/gsa_template.md.jinja new file mode 100644 index 0000000..5d3c60d --- /dev/null +++ b/templates/ssp-rendering/lato/templates/gsa_template.md.jinja @@ -0,0 +1,76 @@ + + +{% md_clean_include 'ssp-render/templates/frontmatter.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/guidance.md' %} + +# Table of Contents + + + +
+ +{% md_clean_include 'ssp-render/templates/approvals.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_1.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_2.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_3.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_4.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_5.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_6.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_7.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_8.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_9.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_10.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_11.md' heading_level=1 %} + +{% md_clean_include 'ssp-render/templates/section_12.md' heading_level=1 %} + +# 13 Minimum Security Controls + + + +{% for group in catalog_interface.get_all_groups_from_catalog() +%} +## {{ group.title }} {{ group.class }} \({{ group.id|upper }}\) + +{% for control in catalog_interface.get_sorted_controls_in_group(group.id) %} +{{ ssp_md_writer.get_control_statement(control.id, 2) }} + +#### {{ control_interface.get_label(control) }} Summary information +{{ ssp_md_writer.get_fedramp_control_tables(control.id, 2, true) }} + +#### What is the solution and how is it implemented? +{{ ssp_md_writer.get_control_response(control.id, 3, true)}} +{% endfor %} +{% endfor %} diff --git a/templates/ssp-rendering/lato/templates/guidance.md b/templates/ssp-rendering/lato/templates/guidance.md new file mode 100644 index 0000000..815206d --- /dev/null +++ b/templates/ssp-rendering/lato/templates/guidance.md @@ -0,0 +1,32 @@ + 
diff --git a/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md b/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md new file mode 100644 index 0000000..1d3ebe7 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/partials/poc_contact_table.md @@ -0,0 +1,30 @@ + + + + + + + + + +{% set organization = ssp_interface.get_party_by_uuid(ssp_interface.first_array_entry(party.member_of_organizations)) %} + + + + + + + + + + + + +
Name{{ party.name }}
Title{{ control_interface.get_prop(party, 'title') }}
Organization{{ ssp_interface.safe_retrieval(organization, "name") }}
Address +{% if organization and organization.addresses %} +{% set address = ssp_interface.first_array_entry(organization.addresses) %} +{% if address %} +{{ ssp_interface.safe_retrieval(address, 'addr_lines', []) | join(' ') }} {{ address.city }}, {{ address.state }} {{ address.postal_code }} +{% endif %} +{% endif %} +
Phone Number{{ ssp_interface.first_array_entry(party.telephone_numbers, "number") }}
Email Address{{ ssp_interface.first_array_entry(party.email_addresses, "__root__") }}
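Review bot: The address row reads `address.city`, `address.state` and `address.postal_code` directly, while the equivalent row in frontmatter.md from this same change goes through `ssp_interface.safe_retrieval(address, "city")`; an address missing one of those fields therefore behaves differently in the two templates. Use `{{ ssp_interface.safe_retrieval(address, 'city') }}, {{ ssp_interface.safe_retrieval(address, 'state') }} {{ ssp_interface.safe_retrieval(address, 'postal_code') }}` here as well. The `"__root__"` key passed in the email row appears to name a model-internal attribute rather than a public field, so a comment on why the helper needs that key would save the next maintainer a search.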
diff --git a/templates/ssp-rendering/lato/templates/section_1.md b/templates/ssp-rendering/lato/templates/section_1.md new file mode 100644 index 0000000..a4ddbff --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_1.md @@ -0,0 +1,12 @@ +# 1 Information System Name + +This System Security and Privacy Plan (SSPP) provides an overview of the security requirements for the {{ ssp.system_characteristics.system_name }} ({{ ssp.system_characteristics.system_name_short }}) and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed, or stored by the system. + +The security safeguards implemented for the {{ ssp.system_characteristics.system_name_short }} meet the policy and control requirements as set forth in this SSPP. All systems are subject to monitoring consistent with applicable laws, regulations, agency policies, procedures, and practices. + + +Table 1-1. Information System Name + +| Information System Name | Information System Abbreviation | +| ----------------------- | ------------------------------- | +| {{ ssp.system_characteristics.system_name }} | {{ ssp.system_characteristics.system_name_short }} | diff --git a/templates/ssp-rendering/lato/templates/section_10.md b/templates/ssp-rendering/lato/templates/section_10.md new file mode 100644 index 0000000..d5d55af --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_10.md 
@@ -0,0 +1,65 @@ +# 10 System Environment + +{% md_clean_include "ssp-markdown/system_environment_description.md" heading_level=2 %} + +## 10.1 Asset Inventory + +The following table identifies the virtual and physical components of the {{ ssp.system_characteristics.system_name_short }}. + +{% md_clean_include "ssp-markdown/table_10_1.md" heading_level=3 %} + +## 10.2 External Services + +The following table(s) identifies the external services supporting {{ ssp.system_characteristics.system_name_short }}. + +{% md_clean_include "ssp-markdown/table_10_2.md" heading_level=3 %} + +## 10.3 Software Inventory + +The following table lists the principal software components (e.g., operating system, database, web software, etc.) for {{ ssp.system_characteristics.system_name_short }}. + +{% md_clean_include "ssp-markdown/table_10_3.md" heading_level=3 %} + +## 10.4 Data Flow + + + +The Data Flow Diagram (DFD) below maps out the flow of information traveling within an information system and between infrormation systems. + +{% for diagram in ssp_interface.safe_retrieval(ssp.system_characteristics.data_flow, 'diagrams', []) %} +![{{diagram.caption}}]({{ ssp_interface.get_diagram_href(diagram) }}) +
Figure 10-{{loop.index}}. Data Flow Diagram +{% endfor %} + +## 10.5 System Data Nature + +{% md_clean_include "ssp-markdown/system_data_nature.md" heading_level=3 %} + +## 10.6 Ports, Protocols, and Services + +{% md_clean_include "ssp-markdown/table_10_4.md" heading_level=3 %} + +## 10.7 Transition to IPv6 + +{% md_clean_include "ssp-markdown/ipv6.md" heading_level=3 %} + +## 10.8 DevOps/DevSecOps Management + +{% md_clean_include "ssp-markdown/devsecops.md" heading_level=3 %} + +## 10.9 Container-Based Workload Management + +{% md_clean_include "ssp-markdown/containers.md" heading_level=3 %} + +## 10.10 AWS Management + +{% md_clean_include "ssp-markdown/aws.md" heading_level=3 %} diff --git a/templates/ssp-rendering/lato/templates/section_11.md b/templates/ssp-rendering/lato/templates/section_11.md new file mode 100644 index 0000000..ca6e782 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_11.md @@ -0,0 +1,9 @@ +# System Interconnections + + +{% md_clean_include "ssp-markdown/table_11_1.md" heading_level=2 %} +{% md_clean_include "ssp-markdown/table_11_2.md" heading_level=2 %} diff --git a/templates/ssp-rendering/lato/templates/section_12.md b/templates/ssp-rendering/lato/templates/section_12.md new file mode 100644 index 0000000..43f65f1 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_12.md @@ -0,0 +1,3 @@ +# 12 Applicable Laws and Regulations + +See Appendix B, References. diff --git a/templates/ssp-rendering/lato/templates/section_2.md b/templates/ssp-rendering/lato/templates/section_2.md new file mode 100644 index 0000000..5b6fedc --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_2.md 
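Review bot: The heading in section_11.md is `# System Interconnections` without a section number, while the sibling files added here use `# 10 System Environment` and `# 12 Applicable Laws and Regulations`; once `gsa_template.md.jinja` includes it at heading_level=1 the rendered numbering skips from 10 to 12. `# 11 System Interconnections` matches the others. The two `md_clean_include` lines in that file are also the only ones among the new sections with no blank line between them — harmless, but inconsistent with section_10.md directly above.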
@@ -0,0 +1,46 @@ +# 2 Information System Categorization + +The overall FIPS 199 information system security categorization is {{ ssp.system_characteristics.security_sensitivity_level }} + + + +## 2.1 Information Types +The following table identifies the information types and impact levels that are input, stored, processed, and/or output from the {{ ssp.system_characteristics.system_name_short }} environment. The security impact levels for confidentiality, integrity, and availability for each of the information types are expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS 199 (Note: The information types found in NIST SP 800-60, Volumes I and II, Revision 1 are the same information types found in the Federal Enterprise Architecture (FEA) Consolidated Reference Model). Refer to Attachment 2 of this System Security and Privacy Plan for the detailed FIPS 199 Analysis supporting the summary determinations below. + +Table 2-1. Information Types + +| Information Type | Confidentiality | Integrity | Availability | +| ---------------- | --------------- | --------- | ------------ | +{% for info_type in ssp.system_characteristics.system_information.information_types %} +| {{ info_type.title }} | {{ info_type.confidentiality_impact.selected.__root__ }} | {{ info_type.integrity_impact.selected.__root__ }} | {{ info_type.availability_impact.selected.__root__ }} | +{% endfor %} + +## 2.2 Potential Impacts of Security Objectives + +Based on the information provided above, the potential impacts for each security objective, per FIPS 199, for the {{ ssp.system_characteristics.system_name_short }} environment is summarized in the table below. + +Table 2-2. 
Security Objective Impacts + +| Security Objective | Impact Level | +| ------------------ | ------------ | +| Confidentiality | {{ ssp.system_characteristics.security_impact_level.security_objective_confidentiality }} | +| Integrity | {{ ssp.system_characteristics.security_impact_level.security_objective_integrity }} | +| Availability | {{ ssp.system_characteristics.security_impact_level.security_objective_availability }} | + +## 2.3 Digital Identity Acceptance Statement + + + +Refer to Attachment 3 of this System Security and Privacy Plan for the completed GSA Digital Identity Acceptance Statement form supporting the summary determinations below. + +Table 2-3. Digital Identity Acceptance Statement Assurance Level Summary + +| Assurance Levels | Implemented Assurance Level | +| ---------------- | --------------------------- | +| Identity Assurance Level (IAL) | IAL{{ control_interface.get_prop(ssp.system_characteristics, 'identity-assurance-level') }} | +| Authentication Assurance Level (AAL) | AAL{{ control_interface.get_prop(ssp.system_characteristics, 'authenticator-assurance-level') }} | +| Federation Assurance Level (FAL) | FAL{{ control_interface.get_prop(ssp.system_characteristics, 'federation-assurance-level') }} | diff --git a/templates/ssp-rendering/lato/templates/section_3.md b/templates/ssp-rendering/lato/templates/section_3.md new file mode 100644 index 0000000..b987e70 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_3.md @@ -0,0 +1,7 @@ +# 3 Information System Owner + +The following individual is identified as the System Owner for this system. + +{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-owner") %} +{% include "ssp-render/templates/partials/poc_contact_table.md" +%} +{% endfor +%} diff --git a/templates/ssp-rendering/lato/templates/section_4.md b/templates/ssp-rendering/lato/templates/section_4.md new file mode 100644 index 0000000..41c6b44 --- /dev/null 
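Review bot: The Table 2-1 rows reach into the model's root value with `info_type.confidentiality_impact.selected.__root__` (and the integrity and availability equivalents); `__root__` is a pydantic-internal attribute rather than part of the OSCAL model's public surface, so the template appears tied to whatever trestle build the Dockerfile pins and would raise an undefined attribute or render an empty cell if that name changes. Consider recording the dependency in a template comment such as `{# .selected.__root__ is the pydantic root value of the impact level; revisit when the pinned trestle build changes #}`, or resolving the value through a helper on `ssp_interface` so the template does not depend on model internals. The opening sentence ending in `{{ ssp.system_characteristics.security_sensitivity_level }}` also lacks a terminating period.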
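Review bot: When `ssp_interface.get_parties_for_role(...)` returns no party for `system-owner`, the loop in section_3.md renders nothing after `The following individual is identified as the System Owner for this system.`, so a missing responsible party produces a section with a lead sentence and no contact table, which is easy to overlook in review. Jinja's for/else makes the gap visible: add `{% else %}` followed by a line such as `*No party with role system-owner is defined in the SSP's responsible-parties.*` before `{% endfor +%}`. The same pattern appears in section_4.md (authorizing-official), section_5.md (both the ISSM and ISSO loops) and section_6.md (system-poc-technical).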
+++ b/templates/ssp-rendering/lato/templates/section_4.md @@ -0,0 +1,7 @@ +# 4 Authorizing Official + +The Authorizing Official (AO) for this information system is identified below. + +{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "authorizing-official") %} +{% include "ssp-render/templates/partials/poc_contact_table.md" +%} +{% endfor +%} diff --git a/templates/ssp-rendering/lato/templates/section_5.md b/templates/ssp-rendering/lato/templates/section_5.md new file mode 100644 index 0000000..cf3c7a8 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_5.md @@ -0,0 +1,13 @@ +# 5 Assignment of Security Responsibility + +The Information System Security Manager (ISSM) has been appointed and is identified below. + +{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-manager") %} +{% include "ssp-render/templates/partials/poc_contact_table.md" +%} +{% endfor +%} + +The Information System Security Officer (ISSO) has been appointed and is identified below. + +{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "information-system-security-officer") %} +{% include "ssp-render/templates/partials/poc_contact_table.md" +%} +{% endfor +%} diff --git a/templates/ssp-rendering/lato/templates/section_6.md b/templates/ssp-rendering/lato/templates/section_6.md new file mode 100644 index 0000000..3527881 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_6.md @@ -0,0 +1,7 @@ +# 6 Other Designated Contacts + +The individual(s) identified below possess in-depth knowledge of this system and/or its functions and operation. + +{% for party in ssp_interface.get_parties_for_role(ssp.system_characteristics.responsible_parties, "system-poc-technical") %} +{% include "ssp-render/templates/partials/poc_contact_table.md" +%} +{% endfor +%} 
diff --git a/templates/ssp-rendering/lato/templates/section_7.md b/templates/ssp-rendering/lato/templates/section_7.md
new file mode 100644
index 0000000..11418f9
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_7.md
@@ -0,0 +1,12 @@
+# 7 Information System Operational Status
+
+The system is currently in the life-cycle phase noted in the following table.
+
+Table 7-1. System Operational Status
+
+| System Operational Status | Status Description |
+| ------------------------- | ------------------ |
+| {{"☒" if ssp.system_characteristics.status.state.value == "operational" else "☐"}} Operational | The system is operating and in production |
+| {{"☒" if ssp.system_characteristics.status.state.value == "under-development" else "☐"}} Under Development | The system is being designed, developed, or implemented. |
+| {{"☒" if ssp.system_characteristics.status.state.value == "under-major-modification" else "☐"}} Major Modification | The system is undergoing a major change, development, or transition. |
+| {{"☒" if ssp.system_characteristics.status.state.value == "other" else "☐"}} Other | Explain: {{ "Edit the section_7.md template to explain the status" if ssp.system_characteristics.status.state.value == "other" else "" }} |
diff --git a/templates/ssp-rendering/lato/templates/section_8.md b/templates/ssp-rendering/lato/templates/section_8.md
new file mode 100644
index 0000000..a7d8ec1
--- /dev/null
+++ b/templates/ssp-rendering/lato/templates/section_8.md
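Review bot: The `Other` row of Table 7-1 renders the literal instruction `Edit the section_7.md template to explain the status` into the finished document whenever `status.state.value == "other"`, so an SSP for such a system ships with an editing note where the explanation belongs. If the pinned trestle model exposes the OSCAL status `remarks` field, `Explain: {{ ssp.system_characteristics.status.remarks }}` would pull the explanation from the SSP itself; otherwise an `md_clean_include` of a file under `ssp-markdown/` keeps the edit out of the template, consistent with how the other sections source their prose.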
@@ -0,0 +1,33 @@ +# 8 Information System Type + +The {{ ssp.system_characteristics.system_name_short }} is a {{ gsa.system_type }} + + + +## 8.1 Systems Providing Controls to {{ ssp.system_characteristics.system_name_short }} + + + +The systems identified in the following table provide controls (common or hybrid) to {{ ssp.system_characteristics.system_name_short }}. List all systems providing controls, the controls they provide, and identify if it is provided as a Common or Hybrid control. + +Table 8-1. Systems Providing Controls + +| Providing System Name (FISMA System Identifier) | Providing System Owner | Control Identifier, Name | Common/Hybrid | +| --------------------- | ---------------------- | ------------------------ | ------------- | +{% for component in ssp.system_implementation.components %} +{% if component.type != "this-system" %} +| {{ component.title }} | | See section 13 | | +{% endif %} +{% endfor %} + +## 8.2 Systems Receiving Controls from {{ ssp.system_characteristics.system_name_short }} + +{{ ssp.system_characteristics.system_name_short }} provides the controls (common or hybrid) listed to the systems identified in the following table. List any controls provided to any systems and identify if it is provided as a Common or Hybrid control. + +{% md_clean_include 'ssp-markdown/table_8_2.md' heading_level=3 %} diff --git a/templates/ssp-rendering/lato/templates/section_9.md b/templates/ssp-rendering/lato/templates/section_9.md new file mode 100644 index 0000000..41f2e14 --- /dev/null +++ b/templates/ssp-rendering/lato/templates/section_9.md 
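Review bot: The filter `{% if component.type != "this-system" %}` in Table 8-1 admits every component that is not the system itself, so if the SSP defines components of other OSCAL types (software, hardware, service, and so on) they would be listed as providing systems with blank owner and Common/Hybrid cells. If only inherited-control providers belong here, match the type positively, e.g. `{% if component.type == "system" %}`, or mark the providing components with a property the template can test through `control_interface.get_prop`. A template comment naming the component types expected in this table would also help the next author.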
@@ -0,0 +1,65 @@ +# 9 General System Description + + + +{{ ssp.system_characteristics.description }} + +## 9.1 Information System Locations + +Physically, the {{ ssp.system_characteristics.system_name_short }} environment resides at the locations identified below. + +{% md_clean_include "ssp-markdown/table_9_1.md" heading_level=3 %} + +## 9.2 Information System Components and Boundaries + + + +The components of the {{ ssp.system_characteristics.system_name_short }} environment can be broken down into the following groups of asset types. The assets are also portrayed in the network diagram in Section 9.5. + +The controls described in Section 13 of this document may apply to some or all of these asset types. + +{% md_clean_include "ssp-markdown/table_9_2.md" %} + +## 9.3 Information System Web Site URL Addresses + +The following table lists the web site URL addresses for {{ ssp.system_characteristics.system_name_short }}. + +{% md_clean_include "ssp-markdown/table_9_3.md" heading_level=3 %} + +## 9.4 Types of Users + +{% md_clean_include "ssp-markdown/table_9_4.md" heading_level=3 %} + +{% md_clean_include "ssp-markdown/user_access_descriptions.md" heading_level=3 %} + +## 9.5 Network Architecture + +The following section provides a written description of the network architecture of {{ ssp.system_characteristics.system_name_short }}. + + + +{{ ssp.system_characteristics.authorization_boundary.description }} + +The following architectural diagram provides a visual depiction of the major hardware components of the {{ ssp.system_characteristics.system_name_short }}. + +{% for diagram in ssp_interface.safe_retrieval(ssp.system_characteristics.authorization_boundary, 'diagrams', []) %} +![{{diagram.caption}}]({{ ssp_interface.get_diagram_href(diagram) }}) +
Figure 9-{{loop.index}}. Network Diagram +{% endfor %}