From 7c2062a34e17be2c4ef2ec2e0f861020cc878a2c Mon Sep 17 00:00:00 2001 
From: Tom Camp Date: Mon, 25 Nov 2024 12:41:26 -0500 Subject: [PATCH] Adding Config class (#23) * Adding config class * Adding click commands. * Updating load_template_args to use Config class. * Removing YamlInclude from secrender. * Adding tests. * Fix for CA. * Updating README and add CA files. * Updating statuses. * Updating responsibility matrix. --- README.md | 102 ++++- appendices/configuration-management.md | 1 + appendices/risk-management.md | 2 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 0 components/Contractor/component.yaml | 2 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 0 components/Drupal/component.yaml | 2 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 0 components/Ilias/component.yaml | 2 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 0 components/Project/component.yaml | 2 +- configuration.yaml | 14 - docs/controls.md | 175 +++++---- docs/controls/AC.md | 127 +++--- docs/controls/AT.md | 39 +- docs/controls/AU.md | 116 ++++-- docs/controls/CA.md | 54 ++- docs/controls/CM.md | 55 ++- docs/controls/CP.md | 38 +- docs/controls/IA.md | 209 ++++++---- docs/controls/IR.md | 62 ++- docs/controls/MA.md | 25 +- docs/controls/MP.md | 17 +- docs/controls/PE.md | 35 +- docs/controls/PL.md | 77 +++- docs/controls/PS.md | 60 ++- docs/controls/RA.md | 57 ++- docs/controls/SA.md | 184 +++++++-- docs/controls/SC.md | 50 ++- docs/controls/SI.md | 67 +++- docs/responsibility_matrix.csv | 59 ++- keys/status.yaml | 2 +- poetry.lock | 361 +++++++++--------- pyproject.toml | 2 +- .../Contractor/AC-ACCESS_CONTROL.yaml | 12 +- .../Contractor/AT-AWARENESS_AND_TRAINING.yaml | 8 +- .../AU-AUDIT_AND_ACCOUNTABILITY.yaml | 16 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 12 +- .../CM-CONFIGURATION_MANAGEMENT.yaml | 12 +- .../Contractor/CP-CONTINGENCY_PLANNING.yaml | 12 +- .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 10 +- .../Contractor/IR-INCIDENT_RESPONSE.yaml | 14 +- .../components/Contractor/MA-MAINTENANCE.yaml | 6 +- 
.../Contractor/MP-MEDIA_PROTECTION.yaml | 2 +- .../components/Contractor/PL-PLANNING.yaml | 6 +- .../Contractor/PS-PERSONNEL_SECURITY.yaml | 12 +- .../Contractor/RA-RISK_ASSESSMENT.yaml | 4 +- .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 12 +- ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 12 +- .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 12 +- .../components/Contractor/component.yaml | 2 +- .../components/Drupal/AC-ACCESS_CONTROL.yaml | 8 +- .../Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 4 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 2 +- .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 12 +- ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 4 +- templates/components/Drupal/component.yaml | 2 +- .../components/Ilias/AC-ACCESS_CONTROL.yaml | 4 +- .../Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 4 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 2 +- .../Ilias/CM-CONFIGURATION_MANAGEMENT.yaml | 6 +- .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 10 +- .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 2 +- ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 4 +- .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 4 +- templates/components/Ilias/component.yaml | 2 +- .../components/Project/AC-ACCESS_CONTROL.yaml | 18 +- .../Project/AT-AWARENESS_AND_TRAINING.yaml | 8 +- .../Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 4 +- ...ESSMENT_AUTHORIZATION_AND_MONITORING.yaml} | 8 +- .../Project/CM-CONFIGURATION_MANAGEMENT.yaml | 10 +- .../Project/CP-CONTINGENCY_PLANNING.yaml | 4 +- .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 20 +- .../Project/IR-INCIDENT_RESPONSE.yaml | 12 +- .../components/Project/MA-MAINTENANCE.yaml | 6 +- templates/components/Project/PL-PLANNING.yaml | 6 +- .../Project/PS-PERSONNEL_SECURITY.yaml | 16 +- .../Project/RA-RISK_ASSESSMENT.yaml | 8 +- .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 14 +- ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 10 +- .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 6 +- templates/components/Project/component.yaml | 2 +- 
tests/test_ssptoolkit.py | 18 +- tools/creatematrix/creatematrix.py | 4 + tools/helpers/config.py | 84 ++++ tools/helpers/secrender.py | 2 - tools/helpers/ssptoolkit.py | 15 +- 87 files changed, 1699 insertions(+), 808 deletions(-) rename components/Contractor/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (100%) rename components/Drupal/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (100%) rename components/Ilias/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (100%) rename components/Project/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (100%) rename templates/components/Contractor/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (95%) rename templates/components/Drupal/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (92%) rename templates/components/Ilias/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (92%) rename templates/components/Project/{CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml => CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml} (93%) create mode 100644 tools/helpers/config.py diff --git a/README.md b/README.md index 54f404d..0e36d04 100644 --- a/README.md +++ b/README.md @@ -56,13 +56,13 @@ Create/update the frontmatter, components and appendices using [templates](templ #### Example -```bash +```shell poetry run createfiles -t templates ``` #### Usage -```bash +```shell Usage: createfiles [OPTIONS] Options: @@ -76,7 +76,7 @@ Options: Generate markdown versions of the RMF control implementation family files in the `docs/controls/` directory: #### Example -```bash +```shell poetry run makefamilies ``` 
@@ -85,12 +85,12 @@ poetry run makefamilies Generate Standard Operating Procedure (SOP) docs (from `components/` and `keys/sop.yaml`) in the `docs/sop` directory #### Example -```bash +```shell poetry run sop -c components ``` #### Usage -```bash +```shell Usage: sop [OPTIONS] Options: @@ -105,7 +105,7 @@ Options: Generate System Security Plan (SSP) #### Example -```bash +```shell poetry run makessp ``` @@ -118,12 +118,12 @@ Generate Microsoft Word (.docx) versions of the control family, appendices, and [install Pandoc](https://pandoc.org/installing.html) page to learn how to install Pandoc locally. #### Example -```bash +```shell poetry run exportto -c docs/controls ``` #### Usage -```bash +```shell Usage: exportto [OPTIONS] Options: 
@@ -140,10 +140,94 @@ Generate a spreadsheet showing which, if any, components are responsible for addressing a given control. #### Example -```bash +```shell poetry run creatematrix ``` +### getconfig + +The `getconfig` command lets you read configuration data. There are two commands +that can be used with `getconfig`; `get-value` and `list-files`. + +#### Usage +```shell +Usage: getconfig [OPTIONS] COMMAND [ARGS]... + +Options: + --help Show this message and exit. + +Commands: + get-value + list-files +``` + +#### get-value + +`get-value` is used to get the value of a given key in the configuration dictionary. +For instance if you wanted to know the value of the `name_short` parameter in the +`Contractor` key file, you would run `poetry run getconfig get-value -f contractor -k name_short`. +If you omit the `--key/-k` parameter, for instance `poetry run getconfig get-value -f contractor` +this will output the entire contents of the key file formatted as YAML. + +#### Example + +Get a value for a given key in the `contractor.yaml` file: +```shell +poetry run getconfig get-value -f contractor -k name_short +``` + +Get the entire contents of the `contractor.yaml` file +```shell +poetry run getconfig get-value -f contractor +``` + +##### Usage +```shell +Usage: getconfig get-value [OPTIONS] + +Options: + -f, --file TEXT [required] + -k, --key TEXT The name of the configuration key whose value should be + shown. + --help Show this message and exit. +``` + +#### list-files + +The `list-files` command will list all the files loaded from the keys directory. +Most files are keyed using in the filename, for instance the values in the `contractor.yaml` +file would be accessible using the Jinja2 variable `{{ contractor.some_variable }}`, but a few +files have aliases which are used for their key, for instance `configuration-management.yaml` +is aliased to `cm`, so would be available as `{{ cm.some_variable }}`. `list-files` will show a +list of the files and their alias. 
+ +##### Example + +```shell +poetry run getconfig list-files +``` + +##### Usage + +```shell +Usage: getconfig list-files [OPTIONS] + + List all the files loaded from the keys directory + +Options: + --help Show this message and exit. +``` + +##### Example results + +```shell +Key files and configuration keys: +--------------------------------- +contractor.yaml using alias contractor +regulations.yaml using alias regulations +justifications.yaml using alias justify +``` + ## OpenControl and OSCAL The SSP-Toolkit is currently in an extended format of OpenControl in which each component represents its controls in separate [RMF Control Family](https://nvd.nist.gov/800-53/Rev4) files. Use the [compliance-io](https://github.com/CivicActions/compliance-io) tools to convert the SSP-Toolkit to a [compliance-masonry](https://github.com/opencontrol/compliance-masonry)-friendly OpenControl directory and from that generate an [OSCAL component definition](https://pages.nist.gov/OSCAL/documentation/schema/implementation-layer/component/): diff --git a/appendices/configuration-management.md b/appendices/configuration-management.md index db3247b..a43cc7a 100644 --- a/appendices/configuration-management.md +++ b/appendices/configuration-management.md @@ -289,6 +289,7 @@ For many of the common configuration tasks, Hook Update Deploy Tools methods mak Records of these events are output to the terminal of the engineer deploying the code, and to Drupal Watchdog. + ## GitLab contribution guidelines Project is built and maintained by CivicActions, and the diff --git a/appendices/risk-management.md b/appendices/risk-management.md index dc093c2..2af8d2f 100644 --- a/appendices/risk-management.md +++ b/appendices/risk-management.md @@ -2,7 +2,7 @@ ## Client Project Full Name -March 2024 +August 2024 Version 3.4 CivicActions, Inc 
diff --git a/components/Contractor/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Contractor/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
rename to components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Contractor/component.yaml b/components/Contractor/component.yaml
index 56e940b..3eae05e 100644
--- a/components/Contractor/component.yaml
+++ b/components/Contractor/component.yaml
@@ -4,7 +4,7 @@ satisfies:
 - AC-ACCESS_CONTROL.yaml
 - AT-AWARENESS_AND_TRAINING.yaml
 - AU-AUDIT_AND_ACCOUNTABILITY.yaml
-- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
+- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
 - CM-CONFIGURATION_MANAGEMENT.yaml
 - CP-CONTINGENCY_PLANNING.yaml
 - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
diff --git a/components/Drupal/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Drupal/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
rename to components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Drupal/component.yaml b/components/Drupal/component.yaml
index cd64e94..e96c360 100644
--- a/components/Drupal/component.yaml
+++ b/components/Drupal/component.yaml
@@ -3,6 +3,6 @@ schema_version: 3.0.0
 satisfies:
 - AC-ACCESS_CONTROL.yaml
 - AU-AUDIT_AND_ACCOUNTABILITY.yaml
-- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
+- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
 - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
 - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
diff --git a/components/Ilias/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Ilias/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
rename to components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Ilias/component.yaml b/components/Ilias/component.yaml
index b1d0ad8..536806f 100644
--- a/components/Ilias/component.yaml
+++ b/components/Ilias/component.yaml
@@ -3,7 +3,7 @@ schema_version: 3.0.0
 satisfies:
 - AC-ACCESS_CONTROL.yaml
 - AU-AUDIT_AND_ACCOUNTABILITY.yaml
-- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
+- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
 - CM-CONFIGURATION_MANAGEMENT.yaml
 - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
 - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
diff --git a/components/Project/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Project/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
rename to components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Project/component.yaml b/components/Project/component.yaml
index dee7f7b..cc8a398 100644
--- a/components/Project/component.yaml
+++ b/components/Project/component.yaml
@@ -4,7 +4,7 @@ satisfies:
 - AC-ACCESS_CONTROL.yaml
 - AT-AWARENESS_AND_TRAINING.yaml
 - AU-AUDIT_AND_ACCOUNTABILITY.yaml
-- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml
+- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
 - CM-CONFIGURATION_MANAGEMENT.yaml
 - CP-CONTINGENCY_PLANNING.yaml
 - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
diff --git a/configuration.yaml b/configuration.yaml
index 39826b8..4e02dbc 100644
--- a/configuration.yaml
+++ b/configuration.yaml
@@ -8,17 +8,3 @@ system_security_plan:
 certification:
 name: FISMA Low Impact
 abbr: fisma-low-impact
-status: !include keys/responsibility.yaml
-poc: !include keys/poc.yaml
-project: !include keys/project.yaml
-artifact: !include keys/artifacts.yaml
-contractor: !include keys/contractor.yaml
-coop: !include keys/coop.yaml
-information_system: !include keys/info_system.yaml
-pia: !include keys/pia.yaml
-risk: !include keys/risk.yaml
-services: !include keys/services.yaml
-regulations: !include keys/regulations.yaml
-cm: !include keys/config-management.yaml
-justify: !include keys/justifications.yaml
-sop: !include keys/sop.yaml
diff --git a/docs/controls.md b/docs/controls.md
index ecd0699..9aa485f 100644
--- a/docs/controls.md
+++ b/docs/controls.md
@@ -1,143 +1,162 @@ * [AC: Access Control](controls/AC.md#ac-access-control) - * [AC-1: Access Control Policy And Procedures](controls/AC.md#ac-1-access-control-policy-and-procedures) + * [AC-1: Policy and Procedures](controls/AC.md#ac-1-policy-and-procedures) * [AC-2: Account Management](controls/AC.md#ac-2-account-management) * [AC-3: Access Enforcement](controls/AC.md#ac-3-access-enforcement) - * [AC-3 (9): Controlled Release](controls/AC.md#ac-3-9-controlled-release) - * [AC-6: Least Privilege](controls/AC.md#ac-6-least-privilege) - * [AC-7: Unsuccessful Login Attempts](controls/AC.md#ac-7-unsuccessful-login-attempts) + * [AC-3 (14): Individual Access](controls/AC.md#ac-3-14-individual-access) + * [AC-7: Unsuccessful Logon Attempts](controls/AC.md#ac-7-unsuccessful-logon-attempts) * [AC-8: System Use Notification](controls/AC.md#ac-8-system-use-notification) - * [AC-14: Permitted Actions Without Identification Or Authentication](controls/AC.md#ac-14-permitted-actions-without-identification-or-authentication) + * [AC-14: Permitted Actions Without Identification or Authentication](controls/AC.md#ac-14-permitted-actions-without-identification-or-authentication) * [AC-17: Remote Access](controls/AC.md#ac-17-remote-access) * [AC-18: Wireless Access](controls/AC.md#ac-18-wireless-access) - * [AC-19: Access Control For Mobile Devices](controls/AC.md#ac-19-access-control-for-mobile-devices) - * [AC-20: Use Of External Information Systems](controls/AC.md#ac-20-use-of-external-information-systems) + * [AC-19: Access Control for Mobile Devices](controls/AC.md#ac-19-access-control-for-mobile-devices) + * [AC-20: Use of External Systems](controls/AC.md#ac-20-use-of-external-systems) + * [AC-21: Information Sharing](controls/AC.md#ac-21-information-sharing) * [AC-22: Publicly Accessible Content](controls/AC.md#ac-22-publicly-accessible-content) +* [AT: Awareness And Training](controls/AT.md#at-awareness-and-training) + * [AT-1: Policy and 
Procedures](controls/AT.md#at-1-policy-and-procedures) + * [AT-2: Literacy Training and Awareness](controls/AT.md#at-2-literacy-training-and-awareness) + * [AT-2 (2): Insider Threat](controls/AT.md#at-2-2-insider-threat) + * [AT-3: Role-based Training](controls/AT.md#at-3-role-based-training) + * [AT-3 (5): Processing Personally Identifiable Information](controls/AT.md#at-3-5-processing-personally-identifiable-information) + * [AT-4: Training Records](controls/AT.md#at-4-training-records) * [AU: Audit And Accountability](controls/AU.md#au-audit-and-accountability) - * [AU-1: Audit And Accountability Policy And Procedures](controls/AU.md#au-1-audit-and-accountability-policy-and-procedures) - * [AU-2: Auditable Events](controls/AU.md#au-2-auditable-events) - * [AU-3: Content Of Audit Records](controls/AU.md#au-3-content-of-audit-records) - * [AU-4: Audit Storage Capacity](controls/AU.md#au-4-audit-storage-capacity) - * [AU-5: Response To Audit Processing Failures](controls/AU.md#au-5-response-to-audit-processing-failures) - * [AU-6: Audit Review, Analysis, And Reporting](controls/AU.md#au-6-audit-review,-analysis,-and-reporting) + * [AU-1: Policy and Procedures](controls/AU.md#au-1-policy-and-procedures) + * [AU-2: Event Logging](controls/AU.md#au-2-event-logging) + * [AU-3: Content of Audit Records](controls/AU.md#au-3-content-of-audit-records) + * [AU-4: Audit Log Storage Capacity](controls/AU.md#au-4-audit-log-storage-capacity) + * [AU-5: Response to Audit Logging Process Failures](controls/AU.md#au-5-response-to-audit-logging-process-failures) + * [AU-6: Audit Record Review, Analysis, and Reporting](controls/AU.md#au-6-audit-record-review,-analysis,-and-reporting) * [AU-8: Time Stamps](controls/AU.md#au-8-time-stamps) - * [AU-9: Protection Of Audit Information](controls/AU.md#au-9-protection-of-audit-information) + * [AU-9: Protection of Audit Information](controls/AU.md#au-9-protection-of-audit-information) * [AU-11: Audit Record 
Retention](controls/AU.md#au-11-audit-record-retention) - * [AU-12: Audit Generation](controls/AU.md#au-12-audit-generation) + * [AU-12: Audit Record Generation](controls/AU.md#au-12-audit-record-generation) +* [CA: Assessment Authorization And Monitoring](controls/CA.md#ca-assessment-authorization-and-monitoring) + * [CA-1: Policy and Procedures](controls/CA.md#ca-1-policy-and-procedures) + * [CA-2: Control Assessments](controls/CA.md#ca-2-control-assessments) + * [CA-3: Information Exchange](controls/CA.md#ca-3-information-exchange) + * [CA-5: Plan of Action and Milestones](controls/CA.md#ca-5-plan-of-action-and-milestones) + * [CA-6: Authorization](controls/CA.md#ca-6-authorization) + * [CA-7: Continuous Monitoring](controls/CA.md#ca-7-continuous-monitoring) + * [CA-7 (4): Risk Monitoring](controls/CA.md#ca-7-4-risk-monitoring) + * [CA-9: Internal System Connections](controls/CA.md#ca-9-internal-system-connections) * [CM: Configuration Management](controls/CM.md#cm-configuration-management) - * [CM-1: Configuration Management Policy And Procedures](controls/CM.md#cm-1-configuration-management-policy-and-procedures) + * [CM-1: Policy and Procedures](controls/CM.md#cm-1-policy-and-procedures) * [CM-2: Baseline Configuration](controls/CM.md#cm-2-baseline-configuration) - * [CM-4: Security Impact Analysis](controls/CM.md#cm-4-security-impact-analysis) + * [CM-4: Impact Analyses](controls/CM.md#cm-4-impact-analyses) + * [CM-5: Access Restrictions for Change](controls/CM.md#cm-5-access-restrictions-for-change) * [CM-6: Configuration Settings](controls/CM.md#cm-6-configuration-settings) * [CM-7: Least Functionality](controls/CM.md#cm-7-least-functionality) - * [CM-8: Information System Component Inventory](controls/CM.md#cm-8-information-system-component-inventory) + * [CM-8: System Component Inventory](controls/CM.md#cm-8-system-component-inventory) * [CM-10: Software Usage Restrictions](controls/CM.md#cm-10-software-usage-restrictions) - * [CM-11: User-Installed 
Software](controls/CM.md#cm-11-user-installed-software) + * [CM-11: User-installed Software](controls/CM.md#cm-11-user-installed-software) * [CP: Contingency Planning](controls/CP.md#cp-contingency-planning) - * [CP-1: Contingency Planning Policy And Procedures](controls/CP.md#cp-1-contingency-planning-policy-and-procedures) + * [CP-1: Policy and Procedures](controls/CP.md#cp-1-policy-and-procedures) * [CP-2: Contingency Plan](controls/CP.md#cp-2-contingency-plan) * [CP-3: Contingency Training](controls/CP.md#cp-3-contingency-training) * [CP-4: Contingency Plan Testing](controls/CP.md#cp-4-contingency-plan-testing) - * [CP-9: Information System Backup](controls/CP.md#cp-9-information-system-backup) - * [CP-10: Information System Recovery And Reconstitution](controls/CP.md#cp-10-information-system-recovery-and-reconstitution) + * [CP-9: System Backup](controls/CP.md#cp-9-system-backup) + * [CP-10: System Recovery and Reconstitution](controls/CP.md#cp-10-system-recovery-and-reconstitution) * [IA: Identification And Authentication](controls/IA.md#ia-identification-and-authentication) - * [IA-1: Identification And Authentication Policy And Procedures](controls/IA.md#ia-1-identification-and-authentication-policy-and-procedures) - * [IA-2: Identification And Authentication (Organizational Users)](controls/IA.md#ia-2-identification-and-authentication-organizational-users) - * [IA-2 (1): Network Access To Privileged Accounts](controls/IA.md#ia-2-1-network-access-to-privileged-accounts) - * [IA-2 (12): Acceptance Of Piv Credentials](controls/IA.md#ia-2-12-acceptance-of-piv-credentials) + * [IA-1: Policy and Procedures](controls/IA.md#ia-1-policy-and-procedures) + * [IA-2: Identification and Authentication (organizational Users)](controls/IA.md#ia-2-identification-and-authentication-organizational-users) + * [IA-2 (1): Multi-factor Authentication to Privileged Accounts](controls/IA.md#ia-2-1-multi-factor-authentication-to-privileged-accounts) + * [IA-2 (2): Multi-factor 
Authentication to Non-privileged Accounts](controls/IA.md#ia-2-2-multi-factor-authentication-to-non-privileged-accounts) + * [IA-2 (8): Access to Accounts — Replay Resistant](controls/IA.md#ia-2-8-access-to-accounts-—-replay-resistant) + * [IA-2 (12): Acceptance of PIV Credentials](controls/IA.md#ia-2-12-acceptance-of-piv-credentials) * [IA-4: Identifier Management](controls/IA.md#ia-4-identifier-management) * [IA-5: Authenticator Management](controls/IA.md#ia-5-authenticator-management) - * [IA-5 (1): Password-Based Authentication](controls/IA.md#ia-5-1-password-based-authentication) - * [IA-5 (11): Hardware Token-Based Authentication](controls/IA.md#ia-5-11-hardware-token-based-authentication) - * [IA-6: Authenticator Feedback](controls/IA.md#ia-6-authenticator-feedback) + * [IA-5 (1): Password-based Authentication](controls/IA.md#ia-5-1-password-based-authentication) + * [IA-6: Authentication Feedback](controls/IA.md#ia-6-authentication-feedback) * [IA-7: Cryptographic Module Authentication](controls/IA.md#ia-7-cryptographic-module-authentication) - * [IA-8: Identification And Authentication (Non-Organizational Users)](controls/IA.md#ia-8-identification-and-authentication-non-organizational-users) - * [IA-8 (1): Acceptance Of Piv Credentials From Other Agencies](controls/IA.md#ia-8-1-acceptance-of-piv-credentials-from-other-agencies) - * [IA-8 (2): Acceptance Of Third-Party Credentials](controls/IA.md#ia-8-2-acceptance-of-third-party-credentials) - * [IA-8 (3): Use Of Ficam-Approved Products](controls/IA.md#ia-8-3-use-of-ficam-approved-products) - * [IA-8 (4): Use Of Ficam-Issued Profiles](controls/IA.md#ia-8-4-use-of-ficam-issued-profiles) + * [IA-8: Identification and Authentication (non-organizational Users)](controls/IA.md#ia-8-identification-and-authentication-non-organizational-users) + * [IA-8 (1): Acceptance of PIV Credentials from Other Agencies](controls/IA.md#ia-8-1-acceptance-of-piv-credentials-from-other-agencies) + * [IA-8 (2): Acceptance of 
External Authenticators](controls/IA.md#ia-8-2-acceptance-of-external-authenticators) + * [IA-8 (4): Use of Defined Profiles](controls/IA.md#ia-8-4-use-of-defined-profiles) + * [IA-11: Re-authentication](controls/IA.md#ia-11-re-authentication) * [IR: Incident Response](controls/IR.md#ir-incident-response) - * [IR-1: Incident Response Policy And Procedures](controls/IR.md#ir-1-incident-response-policy-and-procedures) + * [IR-1: Policy and Procedures](controls/IR.md#ir-1-policy-and-procedures) * [IR-2: Incident Response Training](controls/IR.md#ir-2-incident-response-training) * [IR-4: Incident Handling](controls/IR.md#ir-4-incident-handling) * [IR-5: Incident Monitoring](controls/IR.md#ir-5-incident-monitoring) * [IR-6: Incident Reporting](controls/IR.md#ir-6-incident-reporting) - * [IR-7: Incident Resonse Assistance](controls/IR.md#ir-7-incident-resonse-assistance) + * [IR-7: Incident Response Assistance](controls/IR.md#ir-7-incident-response-assistance) * [IR-8: Incident Response Plan](controls/IR.md#ir-8-incident-response-plan) * [MA: Maintenance](controls/MA.md#ma-maintenance) - * [MA-1: System Maintenance Policy And Procedures](controls/MA.md#ma-1-system-maintenance-policy-and-procedures) + * [MA-1: Policy and Procedures](controls/MA.md#ma-1-policy-and-procedures) * [MA-2: Controlled Maintenance](controls/MA.md#ma-2-controlled-maintenance) - * [MA-4: Non-Local Maintenance](controls/MA.md#ma-4-non-local-maintenance) + * [MA-4: Nonlocal Maintenance](controls/MA.md#ma-4-nonlocal-maintenance) * [MA-5: Maintenance Personnel](controls/MA.md#ma-5-maintenance-personnel) * [MP: Media Protection](controls/MP.md#mp-media-protection) - * [MP-1: Media Protection Policy And Procedures](controls/MP.md#mp-1-media-protection-policy-and-procedures) + * [MP-1: Policy and Procedures](controls/MP.md#mp-1-policy-and-procedures) * [MP-2: Media Access](controls/MP.md#mp-2-media-access) * [MP-6: Media Sanitization](controls/MP.md#mp-6-media-sanitization) * [MP-7: Media 
Use](controls/MP.md#mp-7-media-use) * [PE: Physical And Environmental Protection](controls/PE.md#pe-physical-and-environmental-protection) - * [PE-1: Physical And Environmental Protection Policy And Procedures](controls/PE.md#pe-1-physical-and-environmental-protection-policy-and-procedures) + * [PE-1: Policy and Procedures](controls/PE.md#pe-1-policy-and-procedures) * [PE-2: Physical Access Authorizations](controls/PE.md#pe-2-physical-access-authorizations) * [PE-3: Physical Access Control](controls/PE.md#pe-3-physical-access-control) * [PE-6: Monitoring Physical Access](controls/PE.md#pe-6-monitoring-physical-access) * [PE-8: Visitor Access Records](controls/PE.md#pe-8-visitor-access-records) * [PE-12: Emergency Lighting](controls/PE.md#pe-12-emergency-lighting) * [PE-13: Fire Protection](controls/PE.md#pe-13-fire-protection) - * [PE-14: Temperature And Humidity Controls](controls/PE.md#pe-14-temperature-and-humidity-controls) + * [PE-14: Environmental Controls](controls/PE.md#pe-14-environmental-controls) * [PE-15: Water Damage Protection](controls/PE.md#pe-15-water-damage-protection) - * [PE-16: Delivery And Removal](controls/PE.md#pe-16-delivery-and-removal) + * [PE-16: Delivery and Removal](controls/PE.md#pe-16-delivery-and-removal) * [PL: Planning](controls/PL.md#pl-planning) - * [PL-1: Security Planning Policy And Procedures](controls/PL.md#pl-1-security-planning-policy-and-procedures) - * [PL-2: System Security Plan](controls/PL.md#pl-2-system-security-plan) - * [PL-4: Rules Of Behavior](controls/PL.md#pl-4-rules-of-behavior) + * [PL-1: Policy and Procedures](controls/PL.md#pl-1-policy-and-procedures) + * [PL-2: System Security and Privacy Plans](controls/PL.md#pl-2-system-security-and-privacy-plans) + * [PL-4: Rules of Behavior](controls/PL.md#pl-4-rules-of-behavior) + * [PL-4 (1): Social Media and External Site/application Usage Restrictions](controls/PL.md#pl-4-1-social-media-and-external-site/application-usage-restrictions) + * [PL-10: Baseline 
Selection](controls/PL.md#pl-10-baseline-selection) + * [PL-11: Baseline Tailoring](controls/PL.md#pl-11-baseline-tailoring) * [PS: Personnel Security](controls/PS.md#ps-personnel-security) - * [PS-1: Personnel Security Policy And Procedures](controls/PS.md#ps-1-personnel-security-policy-and-procedures) + * [PS-1: Policy and Procedures](controls/PS.md#ps-1-policy-and-procedures) * [PS-2: Position Risk Designation](controls/PS.md#ps-2-position-risk-designation) * [PS-3: Personnel Screening](controls/PS.md#ps-3-personnel-screening) * [PS-4: Personnel Termination](controls/PS.md#ps-4-personnel-termination) * [PS-5: Personnel Transfer](controls/PS.md#ps-5-personnel-transfer) * [PS-6: Access Agreements](controls/PS.md#ps-6-access-agreements) - * [PS-7: Third-Party Personnel Security](controls/PS.md#ps-7-third-party-personnel-security) + * [PS-7: External Personnel Security](controls/PS.md#ps-7-external-personnel-security) * [PS-8: Personnel Sanctions](controls/PS.md#ps-8-personnel-sanctions) + * [PS-9: Position Descriptions](controls/PS.md#ps-9-position-descriptions) * [RA: Risk Assessment](controls/RA.md#ra-risk-assessment) - * [RA-1: Risk Assessment Policy And Procedures](controls/RA.md#ra-1-risk-assessment-policy-and-procedures) + * [RA-1: Policy and Procedures](controls/RA.md#ra-1-policy-and-procedures) * [RA-2: Security Categorization](controls/RA.md#ra-2-security-categorization) * [RA-3: Risk Assessment](controls/RA.md#ra-3-risk-assessment) - * [RA-5: Vulnerability Scanning](controls/RA.md#ra-5-vulnerability-scanning) + * [RA-3 (1): Supply Chain Risk Assessment](controls/RA.md#ra-3-1-supply-chain-risk-assessment) + * [RA-5: Vulnerability Monitoring and Scanning](controls/RA.md#ra-5-vulnerability-monitoring-and-scanning) + * [RA-5 (2): Update Vulnerabilities to Be Scanned](controls/RA.md#ra-5-2-update-vulnerabilities-to-be-scanned) + * [RA-5 (11): Public Disclosure Program](controls/RA.md#ra-5-11-public-disclosure-program) + * [RA-7: Risk 
Response](controls/RA.md#ra-7-risk-response) * [SA: System And Services Acquisition](controls/SA.md#sa-system-and-services-acquisition) - * [SA-1: System And Services Acquisition Policy And Procedures](controls/SA.md#sa-1-system-and-services-acquisition-policy-and-procedures) - * [SA-2: Allocation Of Resources](controls/SA.md#sa-2-allocation-of-resources) + * [SA-1: Policy and Procedures](controls/SA.md#sa-1-policy-and-procedures) + * [SA-2: Allocation of Resources](controls/SA.md#sa-2-allocation-of-resources) * [SA-3: System Development Life Cycle](controls/SA.md#sa-3-system-development-life-cycle) * [SA-4: Acquisition Process](controls/SA.md#sa-4-acquisition-process) - * [SA-4 (10): Use Of Approved Piv Products](controls/SA.md#sa-4-10-use-of-approved-piv-products) - * [SA-5: Information System Documentation](controls/SA.md#sa-5-information-system-documentation) - * [SA-9: External Information System Services](controls/SA.md#sa-9-external-information-system-services) + * [SA-4 (10): Use of Approved PIV Products](controls/SA.md#sa-4-10-use-of-approved-piv-products) + * [SA-5: System Documentation](controls/SA.md#sa-5-system-documentation) + * [SA-8: Security and Privacy Engineering Principles](controls/SA.md#sa-8-security-and-privacy-engineering-principles) + * [SA-8 (33): Minimization](controls/SA.md#sa-8-33-minimization) + * [SA-9: External System Services](controls/SA.md#sa-9-external-system-services) * [SC: System And Communications Protection](controls/SC.md#sc-system-and-communications-protection) - * [SC-1: System And Communications Protection Policy And Procedures](controls/SC.md#sc-1-system-and-communications-protection-policy-and-procedures) - * [SC-5: Denial Of Service Protection](controls/SC.md#sc-5-denial-of-service-protection) + * [SC-1: Policy and Procedures](controls/SC.md#sc-1-policy-and-procedures) + * [SC-5: Denial-of-service Protection](controls/SC.md#sc-5-denial-of-service-protection) * [SC-7: Boundary 
Protection](controls/SC.md#sc-7-boundary-protection) - * [SC-12: Cryptographic Key Establishment And Management](controls/SC.md#sc-12-cryptographic-key-establishment-and-management) + * [SC-12: Cryptographic Key Establishment and Management](controls/SC.md#sc-12-cryptographic-key-establishment-and-management) * [SC-13: Cryptographic Protection](controls/SC.md#sc-13-cryptographic-protection) - * [SC-15: Collaborative Computing Devices](controls/SC.md#sc-15-collaborative-computing-devices) - * [SC-20: Secure Name / Address Resolution Service](controls/SC.md#sc-20-secure-name-/-address-resolution-service) - * [SC-21: Secure Name / Address Resolution Service](controls/SC.md#sc-21-secure-name-/-address-resolution-service) - * [SC-22: Architecture And Provisioning For Name / Address Resolution Service](controls/SC.md#sc-22-architecture-and-provisioning-for-name-/-address-resolution-service) + * [SC-15: Collaborative Computing Devices and Applications](controls/SC.md#sc-15-collaborative-computing-devices-and-applications) + * [SC-20: Secure Name/address Resolution Service (authoritative Source)](controls/SC.md#sc-20-secure-name/address-resolution-service-authoritative-source) + * [SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver)](controls/SC.md#sc-21-secure-name/address-resolution-service-recursive-or-caching-resolver) + * [SC-22: Architecture and Provisioning for Name/address Resolution Service](controls/SC.md#sc-22-architecture-and-provisioning-for-name/address-resolution-service) * [SC-39: Process Isolation](controls/SC.md#sc-39-process-isolation) -* [AT: Awareness And Training](controls/AT.md#at-awareness-and-training) - * [AT-1: Security Awareness And Training Policy And Procedures](controls/AT.md#at-1-security-awareness-and-training-policy-and-procedures) - * [AT-2: Security Awareness Training](controls/AT.md#at-2-security-awareness-training) - * [AT-3: Role-Based Security Training](controls/AT.md#at-3-role-based-security-training) - * 
[AT-4: Security Training Records](controls/AT.md#at-4-security-training-records) -* [CA: Assessment Authorization And Monitoring](controls/CA.md#ca-assessment-authorization-and-monitoring) - * [CA-1: Security Assessment And Authorization Policies And Procedures](controls/CA.md#ca-1-security-assessment-and-authorization-policies-and-procedures) - * [CA-2: Security Assessments](controls/CA.md#ca-2-security-assessments) - * [CA-3: System Interconnections](controls/CA.md#ca-3-system-interconnections) - * [CA-5: Plan Of Action And Milestones](controls/CA.md#ca-5-plan-of-action-and-milestones) - * [CA-6: Security Authorization](controls/CA.md#ca-6-security-authorization) - * [CA-7: Continuous Monitoring](controls/CA.md#ca-7-continuous-monitoring) - * [CA-9: Internal System Connections](controls/CA.md#ca-9-internal-system-connections) * [SI: System And Information Integrity](controls/SI.md#si-system-and-information-integrity) - * [SI-1: System And Information Integrity Policy And Procedures](controls/SI.md#si-1-system-and-information-integrity-policy-and-procedures) + * [SI-1: Policy and Procedures](controls/SI.md#si-1-policy-and-procedures) * [SI-2: Flaw Remediation](controls/SI.md#si-2-flaw-remediation) * [SI-3: Malicious Code Protection](controls/SI.md#si-3-malicious-code-protection) - * [SI-4: Information System Monitoring](controls/SI.md#si-4-information-system-monitoring) - * [SI-5: Security Alerts, Advisories, And Directives](controls/SI.md#si-5-security-alerts,-advisories,-and-directives) - * [SI-12: Information Output Handling And Retention](controls/SI.md#si-12-information-output-handling-and-retention) + * [SI-4: System Monitoring](controls/SI.md#si-4-system-monitoring) + * [SI-5: Security Alerts, Advisories, and Directives](controls/SI.md#si-5-security-alerts,-advisories,-and-directives) + * [SI-12: Information Management and Retention](controls/SI.md#si-12-information-management-and-retention) + * [SI-12 (1): Limit Personally Identifiable Information 
Elements](controls/SI.md#si-12-1-limit-personally-identifiable-information-elements) + * [SI-12 (2): Minimize Personally Identifiable Information in Testing, Training, and Research](controls/SI.md#si-12-2-minimize-personally-identifiable-information-in-testing,-training,-and-research) + * [SI-12 (3): Information Disposal](controls/SI.md#si-12-3-information-disposal) + * [SI-18: Personally Identifiable Information Quality Operations](controls/SI.md#si-18-personally-identifiable-information-quality-operations) diff --git a/docs/controls/AC.md b/docs/controls/AC.md index 8981ea8..e80e8ae 100644 --- a/docs/controls/AC.md +++ b/docs/controls/AC.md @@ -2,7 +2,7 @@ ## AC: Access Control -### AC-1: Access Control Policy And Procedures +### AC-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -24,6 +24,7 @@ CivicActions has developed, documented and disseminated to personnel an access c + ##### Project This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. @@ -31,6 +32,7 @@ This is Agency common control. More data about implementation can be obtained fr Access control policy and procedures are documented in the Project Full Name SSP. Access to Project operational information or system resources is limited to only authorized users, programs or processes. The Department enforces access control policies to protect the integrity of the Project Full Name. This Department reviews and updates this policy as necessary and it has been being updated, as necessary, since April 2008. + ### AC-2: Account Management ```text @@ -57,7 +59,7 @@ Access control policy and procedures are documented in the Project Full Name SSP - l. Align account management processes with personnel termination and transfer processes. ``` -**Status:** partial +**Status:** None ##### AWS 
@@ -65,6 +67,7 @@ Access control policy and procedures are documented in the Project Full Name SSP The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS account management. + #### a ##### AWS @@ -72,7 +75,8 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran In this architecture, the baseline AWS Identity and Access Management (IAM) groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.) -#### a + + ##### Drupal @@ -87,7 +91,8 @@ Drupal provides the following information system account types to support organi - Administrator - This role has all permissions enabled by default. -#### a + + ##### Ilias @@ -98,7 +103,8 @@ Ilias provides user accounts for individuals who participate in visiting, contri - Administrator - This role has all permissions enabled by default. -#### a + + ##### Project @@ -110,7 +116,8 @@ The Project has implemented user account procedures to disable inactive user acc The Project system does not have guest or anonymous accounts. -#### a + + ##### SSH @@ -119,6 +126,7 @@ Operations, in collaboration with the Security Office, will set up privileged ac - System Administrator - user accounts that enjoy full system administrator (`sudo`) access + #### b ##### Contractor 
@@ -126,20 +134,23 @@ Operations, in collaboration with the Security Office, will set up privileged ac The CivicActions Project Manager assigns the "administrator" role for the management of all accounts issued to internal admin roles supporting the information system. Account requests are initiated by the Project Manager by completing a ticket request and the CivicActions Operation staff manages the account creation process. -#### b + + ##### Drupal Drupal defines a default set of roles; Anonymous, Authenticated, and Administrator, as well as providing for the creation of additional organizational-defined roles identified by Project Full Name -#### b + + ##### Project The system Owner has oversight over all permissions that the Project Manager and Operations Staff manages. + #### c ##### Project @@ -147,6 +158,7 @@ The system Owner has oversight over all permissions that the Project Manager and In accordance with Project Access Control Policy, Project group membership is determined according to the individual's position and role within the organization. A ticket request is used to request accounts and group membership. The request is authorized by the appropriate manager. + #### d ##### Contractor 
@@ -154,38 +166,44 @@ In accordance with Project Access Control Policy, Project group membership is de All accounts issued for application administrators and SSH are documented in CivicActions' ticketing system. Account request tickets contain details that explain the attributes for the account including authorized users of Drupal, system infrastructure, group and role membership, and access authorizations. -#### d + + ##### Drupal Drupal has a sophisticated permissions and role-based access control built-in. Each role within Drupal can only access the documents and controls for which their privilege allows. -#### d + + ##### Ilias Ilias' permissions and role-based access controls are built-in. Each role within Ilias can only access the pages and controls for which their privilege allows. -#### d + + ##### Project Project user privileges vary depending on the type of user role assigned. Only users with the role of Administrator have the ability to create and modify user roles for other users. + #### e ##### Contractor All accounts issued for the admin management of Application or SSH access must be approved by the System Owner or Project Manager who must create an account request. The CivicActions Operations staff applies appropriate account permissions and settings based on the job role and function documented within the request ticket using processes defined by the CivicActions' Security Office. -#### e + + ##### Project The System Owner approves, and CivicActions Operations set up the initial Administrator account for Project. Subsequent client access and related approvals are managed by CivicActions Operations in collaboration with the System Owner. + #### f ##### Contractor @@ -200,6 +218,7 @@ CivicActions Operations staff is responsible for the following account managemen - Removing accounts + #### g ##### AWS 
@@ -213,24 +232,28 @@ In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, w - changes to the CloudTrail log configuration are detected -#### g + + ##### Contractor All CivicActions systems log the usage of information accounts. -#### g + + ##### Drupal Drupal monitors the usage of information accounts in the Watchdog log. -#### g + + ##### Ilias Ilias monitors the usage of information accounts in a log on the server. + #### h ##### Contractor @@ -238,6 +261,7 @@ Ilias monitors the usage of information accounts in a log on the server. In accordance with the CivicActions Access Control (AC-01) Policy when an account is no longer required, the Project Manager notifies the Operations Team to immediately disable all access. Users upon reassignment, change in roles, termination, or leaving employment are initially removed from all roles and groups, effectively denying them all access to privileged accounts. + #### i ##### Contractor @@ -245,7 +269,8 @@ In accordance with the CivicActions Access Control (AC-01) Policy when an accoun System accounts require access authorizations prior to accounts being created. The Project Manager must initiate an access request for an account to be created. CivicActions Operations staff reviews the request to ensure accuracy, including intended system usage and other attributes of the user access being requested. -#### i + + ##### Project @@ -254,6 +279,7 @@ the Administrator roles are empowered to designate and approve Administrators. + #### j ##### Contractor @@ -261,13 +287,15 @@ Administrators. All privileged accounts are reviewed by CivicActions Operations staff every 180 days. -#### j + + ##### Project Administrators are empowered to and responsible for reviewing their own accounts and determining whether the accounts should still be authorized. + #### k ##### Contractor 
@@ -275,13 +303,14 @@ Administrators are empowered to and responsible for reviewing their own accounts In accordance with standard security best practices and CivicActions policy, shared and reissued accounts for internal accounts of any kind are not created nor used for any purpose in any system. + ### AC-3: Access Enforcement ```text Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. ``` -**Status:** partial +**Status:** complete ##### AWS @@ -291,6 +320,7 @@ In this architecture, AWS Identify and Access Management (IAM) and Amazon Amazon + ##### Drupal Access control in Drupal is enforced by authentication via a unique username/password for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege. @@ -299,6 +329,7 @@ The anonymous user role has the least access to the site of all roles. The websi + ##### Ilias Access control in Ilias is enforced by authentication via Shibboleth single sing on (SSO) for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege. 
@@ -307,41 +338,21 @@ The anonymous user role has the least access to the site of all roles. The websi + ##### Project The Project Full Name ensures that assigned authorizations for controlling access to the system is enforced in accordance with the user definitions noted in Section 1.1.1 of the Project SSP. The technical support staff ensures that access to security functions and protected information is restricted to authorized personnel. Access will be controlled with access control list used on each instance. Members of one group cannot access resources defined for other groups unless explicitly permitted. -### AC-3 (9): Controlled Release -```text -Release information outside of the system only if: - - (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and - - (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. - -``` -**Status:** complete - - -##### Project - -The Project information system does not release information outside of the established system boundary. - - -### AC-6: Least Privilege +### AC-3 (14): Individual Access ```text -Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. +Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. ``` **Status:** incomplete - - -##### SSH - -SSH access is provided on a least privilege basis and analyzed on an ongoing basis, at least quarterly. Findings related to these audits of accounts are reported and reviewed by the Security Office and evaluated to determine roles that need to be revoked. 
- -### AC-7: Unsuccessful Login Attempts +### AC-7: Unsuccessful Logon Attempts ```text - a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and @@ -356,18 +367,21 @@ SSH access is provided on a least privilege basis and analyzed on an ongoing bas The Project system locks out users after three unsuccessful login attempts. The information system automatically locks the account permanently, unless an administrator unlocks the account before then, when the maximum number of unsuccessful attempts (3) is exceeded. + #### a ##### Drupal Drupal can be configured to lock an account after a specified number of invalid login attempts within a specified time period. The default for Drupal is 5 failed login attempts within six hours. + #### b ##### Drupal Lockdown following unsuccessful attempts is configurable by Drupal administrators to conform to defined requirements. When a user exceeds the limit of invalid login attempts, their account is automatically locked for a specified time and requires administrator action to unlock the account before the lockout period expires. + ### AC-8: System Use Notification ```text @@ -383,7 +397,7 @@ Lockdown following unsuccessful attempts is configurable by Drupal administrator - 3. Include a description of the authorized uses of the system. ``` -**Status:** incomplete +**Status:** partial ##### Ilias 
@@ -392,6 +406,7 @@ System Use Notification is inherited from the Project. + ##### Project A warning banner ensures that all persons attempting to gain access to the system know that the system and its information are “Authorized User Only” and that attempts to illegally log on to the system could lead to criminal prosecution. The warning message displayed notifies unauthorized users that they have accessed a U.S. Government computer system and continued, unauthorized use can be punishable by fines or imprisonment. Each device logged into will display a system use notification message before the log in window is displayed. The system use notification banner will remain on the screen until the user takes an explicit action to log on to the device. The following is the notification banner displayed on all system instances: @@ -405,7 +420,8 @@ A warning banner ensures that all persons attempting to gain access to the syste - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." -### AC-14: Permitted Actions Without Identification Or Authentication + +### AC-14: Permitted Actions Without Identification or Authentication ```text - a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and 
@@ -421,11 +437,13 @@ The anonymous user role has the least access to the site of all roles. The websi + ##### Project The Project Full Name allows the general public user to read the web pages, do searches on the resource database and to review online forum information without identification and authentication for the public web site. Program and Privilege users cannot access the Project system without identification or authentication. + #### a ##### Drupal @@ -433,6 +451,7 @@ The Project Full Name allows the general public user to read the web pages, do s The anonymous user role has the least access to the site of all roles. Drupal sites can be configured to allow actions identified by Project Full Name + ### AC-17: Remote Access ```text @@ -450,11 +469,13 @@ The CivicActions Access Control (AC) policy defines policy for remote usage rest + ##### Project The Project Full Name permits remote access for privileged functions to support operational needs. The technical staff documents, monitors, and controls all methods of remote access to the information system including remote access for privileged functions. Privileged user access is only permitted through the use of Secure Shell (SSH) where the user will authenticate to the device through this secure channel. Virtual Private Networking (VPN) is not enabled in any form within the Project accreditation boundary. + ### AC-18: Wireless Access ```text @@ -470,7 +491,8 @@ The Project Full Name permits remote access for privileged functions to support This control is not applicable. The system does not provide wireless access points. -### AC-19: Access Control For Mobile Devices + +### AC-19: Access Control for Mobile Devices ```text - a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and 
@@ -485,7 +507,8 @@ This control is not applicable. The system does not provide wireless access poin This control is not applicable. The system does not maintain a facility in which mobile device access limitations are required. -### AC-20: Use Of External Information Systems + +### AC-20: Use of External Systems ```text - a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions], Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: @@ -502,6 +525,15 @@ This control is not applicable. The system does not maintain a facility in which This control is not applicable. The system does not connect with external information systems. + +### AC-21: Information Sharing + +```text + - a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and + - b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. + +``` +**Status:** incomplete ### AC-22: Publicly Accessible Content ```text 
@@ -519,6 +551,7 @@ This control is not applicable. The system does not connect with external inform The Client Full Name grants certain Project support staff members the authority to post publicly accessible content. These individuals must complete Project system security training before being granted access to the Project and before they can post publicly accessible content within the Project Full Name. Furthermore, each authorized individual must follow the procedures delineated within the “Using Drupal” Instruction to ensure they are following a verifiable procedure throughout the entire process. This covers the Project Discussion Lists administration areas, Project Quarterly Reporting and training tools, and Drupal Content Management systems. Public content is only edited via the Drupal Content Management System. All other content is only viewable by Project system users and protected by hardened access controls. + #### b ##### Project @@ -526,6 +559,7 @@ The Client Full Name grants certain Project support staff members the authority It is the Project responsibility to train authorized Project individuals ensuring publicly accessible information does not contain nonpublic information. + #### c ##### Project @@ -535,6 +569,7 @@ Authorized Project individuals review the proposed content of information prior Project Users have been authorized for creation of publicly accessible content with publishing authority from an Administrator role. The publishing authority ensures the information being published does not contain nonpublic information. + #### d ##### Project diff --git a/docs/controls/AT.md b/docs/controls/AT.md index 6635083..5ac8ef6 100644 --- a/docs/controls/AT.md +++ b/docs/controls/AT.md @@ -2,7 +2,7 @@ ## AT: Awareness and Training -### AT-1: Security Awareness And Training Policy And Procedures +### AT-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 
@@ -26,12 +26,14 @@ CivicActions has developed, documented and disseminated to personnel awareness a + ##### Project Security awareness and training policy and procedures are formally documented in None, which provides the roles and responsibilities as it pertains to security awareness and training. The Department will ensure all users, including managers and senior executives, are exposed to basic information system security awareness materials before authorizing access to the system and at least annually thereafter. Client documents and monitors all individual information system security training activities including basic security awareness training. OMB reviews and updates the policy as necessary. -### AT-2: Security Awareness Training + +### AT-2: Literacy Training and Awareness ```text - a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): @@ -58,6 +60,7 @@ Client personnel and contractor employees involved with the management, operatio workstations. + #### a ##### Contractor @@ -69,6 +72,7 @@ Annual Knowledge Survey (i.e., Security Awareness Training): All employees are r Ad Hoc Security Awareness: The CivicActions' Security Office oversees the approximately bi-monthly distribution of security awareness tips and articles to all CivicActions employees. This can include general tips as well as articles tailored to the specific requirements of CivicActions users. + #### b ##### Contractor @@ -76,6 +80,7 @@ Ad Hoc Security Awareness: The CivicActions' Security Office oversees the approx In the event of a major system change, the Project Manager is responsible for delivering additional training to impacted personnel. Specific training types, mediums, and delivery methods are dependent upon the nature of the system change. + #### c ##### Contractor 
@@ -83,7 +88,15 @@ In the event of a major system change, the Project Manager is responsible for de CivicActions provides annual security awareness training to its personnel. -### AT-3: Role-Based Security Training + +### AT-2 (2): Insider Threat + +```text +Provide literacy training on recognizing and reporting potential indicators of insider threat. + +``` +**Status:** incomplete +### AT-3: Role-based Training ```text - a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: @@ -101,6 +114,7 @@ CivicActions provides annual security awareness training to its personnel. Completion of role-based training is an annual requirement for personnel in roles with significant information security responsibilities that require specialized role-based training. Role-based cybersecurity training is developed and implemented to meet identified training needs and competencies associated with the various target audiences/functional roles (federal and contractor employees) that comprise the Client workforce, as is identified in and required by the FISMA and OMB A-130, Appendix III. The appropriate content of security training is determined based on the assigned roles and responsibilities of individuals and the specific security requirements of the Department, PO and the information systems to which personnel have authorized access. Annual training requirements may be met by completing one or more course(s) within the Department’s learning management systems, participating in instructor-led training provided by the OCIO, or completing an external role-based course or courses offered within their specific functional area of expertise. + #### a ##### Contractor 
@@ -108,6 +122,7 @@ Completion of role-based training is an annual requirement for personnel in role CivicActions personnel with security responsibilities are required to complete role-based security training before being provided with access to the information system. The CivicActions' Security Office is responsible for creating the content of the training. The role-based training is provided and tracked by the CivicActions Security Office. + #### b ##### Contractor @@ -115,6 +130,7 @@ CivicActions personnel with security responsibilities are required to complete r The Project Manager in collaboration with CivicActions Security Office determines whether a change to the information system requires any modifications and updates to the security awareness training program and if so, works with the CivicActions' Security Office to implement the change. + #### c ##### Contractor @@ -122,7 +138,15 @@ The Project Manager in collaboration with CivicActions Security Office determine CivicActions Security Office provides users with security responsibilities role-based security training on an annual basis. The training is provided and tracked by the CivicActions Security Office. -### AT-4: Security Training Records + +### AT-3 (5): Processing Personally Identifiable Information + +```text +Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. + +``` +**Status:** incomplete +### AT-4: Training Records ```text - a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and 
@@ -137,13 +161,15 @@ CivicActions Security Office provides users with security responsibilities role- The CivicActions' Security Office tracks all security awareness training within the organization and ensures that all employees have successfully completed training when required. The training records are stored and tracked in a spreadsheet maintained by the CivicActions Security Office. -#### a + + ##### Project Client documents and monitors all individual information system security training activities including basic security awareness training. New users are required to take security training within 30 days of hire. This information is kept in the appropriate personnel files to verify users have met the training requirements. Training requirement notifications are sent to individuals as deadline for re-training approaches. + #### b ##### Contractor @@ -151,7 +177,8 @@ Client documents and monitors all individual information system security trainin Training records are tracked and maintained by the CivicActions Security Office. Records are maintained permanently. -#### b + + ##### Project diff --git a/docs/controls/AU.md b/docs/controls/AU.md index 666e28a..8f0e55d 100644 --- a/docs/controls/AU.md +++ b/docs/controls/AU.md @@ -2,7 +2,7 @@ ## AU: Audit and Accountability -### AU-1: Audit And Accountability Policy And Procedures +### AU-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** incomplete +**Status:** complete ##### Contractor 
@@ -26,12 +26,14 @@ CivicActions has developed, documented and disseminated to personnel an audit an + ##### Project The Project maintains a record of system activity by application process and by user activity. Audit and accountability policy and procedures are documented within the Project SSP. Security software features are used to automatically generate and store security audit log records for use in monitoring security-related events on all multi-user systems. The Client reviews and updates this policy as necessary and it was last updated in April 2008. Additional information is contained within the None. -### AU-2: Auditable Events + +### AU-2: Event Logging ```text - a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; @@ -41,7 +43,7 @@ The Project maintains a record of system activity by application process and by - e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. ``` -**Status:** partial +**Status:** None #### a ##### AWS 
@@ -54,28 +56,40 @@ In this architecture, the following audit methods log all security-relevant user - Amazon RDS MySQL error logging -#### a + + ##### Contractor CivicActions' Security Policy provides information about auditing and logging of CivicActions internal users and end-user activity on the servers and within the system application. -#### a + + ##### Drupal Drupal's Watchdog log are configured to track all relevant auditable events as defined by Client -- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These requests include pages, theme files, and static media files. -- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by general server issues, including capacity problems, .htaccess problems, and missing files. +- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These + requests include pages, theme files, and static media files. + +- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by + general server issues, including capacity problems, .htaccess problems, and missing files. + - Drupal page request log: Records all Drupal page loads on your website. -- Drupal Watchdog log: Records Drupal-related actions on your website. The Watchdog log is recorded on your database if you have enabled the syslog module. -- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to complete. -- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues reported here are usually caused by a website’s code, configuration, or content. +- Drupal Watchdog log: Records Drupal-related actions on your website. The Watchdog log is recorded on + your database if you have enabled the syslog module. + +- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to + complete. 
+ +- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues + reported here are usually caused by a website’s code, configuration, or content. + + -#### a ##### Ilias @@ -88,6 +102,7 @@ Transaction logs are generated by the Apache web server, Ilias CMS, MySQL databa - PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues reported here are usually caused by a website’s code, configuration, or content. + #### b ##### Contractor @@ -95,12 +110,14 @@ Transaction logs are generated by the Apache web server, Ilias CMS, MySQL databa Auditable events may change due to changes in the threat environment. CivicActions teams collaborate internally and also communicate with customers and partner organizations to identify and select auditable events. The teams that participate in this process are described in control SA-3(b). -#### b + + ##### Ilias All security-related issues and events, including requests for server log analysis, are recorded in CivicActions' JIRA tracking system. + #### c ##### AWS @@ -113,13 +130,15 @@ In this architecture, the following audit methods provide data on activities occ - Amazon RDS MySQL error logging -#### c + + ##### Ilias CivicActions has extensive experience and specialization as a host of websites that are built using the Ilias web learning platform. Should the need for additional logging become evident, we have the ability to do so by modifying the website's source code to insert additional Ilias logging hooks. + #### d ##### AWS @@ -132,7 +151,8 @@ In this architecture, the following audit methods log all security-relevant even - Amazon RDS MySQL error logging -#### d + + ##### Drupal 
@@ -161,11 +181,13 @@ Information captured in the transaction logs includes, but is not limited to, th - PHP error logs: Captures any errors logged during execution of the PHP programming language. -#### d + + ##### Ilias -Information captured in the transaction logs includes, but is not limited to, the following auditable events: +Information captured in the transaction logs includes, but is not limited to, the following auditable +events: - Failed login attempts - Successful login attempts - New user account creation @@ -181,7 +203,8 @@ Information captured in the transaction logs includes, but is not limited to, th language. -### AU-3: Content Of Audit Records + +### AU-3: Content of Audit Records ```text Ensure that audit records contain information that establishes the following: @@ -193,7 +216,7 @@ Ensure that audit records contain information that establishes the following: - f. Identity of any individuals, subjects, or objects/entities associated with the event. ``` -**Status:** partial +**Status:** None ##### AWS @@ -228,6 +251,7 @@ AWS logging information: + ##### Drupal The logs collected for Drupal sites include the following types of information: 
@@ -238,12 +262,15 @@ The logs collected for Drupal sites include the following types of information: - HTTP status code returned - Username - Drupal Watchdog message (if applicable) -- Unique numerical ID of the content being modified (for content creation, modification and deletion events) +- Unique numerical ID of the content being modified (for content creation, modification and deletion + events) + When auditing a Drupal incident, the CivicActions developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events. + ##### Ilias The logs collected for Ilias sites include the following types of information: @@ -255,13 +282,14 @@ The logs collected for Ilias sites include the following types of information: When auditing an Ilias incident, CivicActions' developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events. -### AU-4: Audit Storage Capacity + +### AU-4: Audit Log Storage Capacity ```text Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. ``` -**Status:** partial +**Status:** complete ##### AWS 
@@ -276,19 +304,21 @@ In this architecture, logs track dynamic capacity growth to accommodate organiza + ##### Contractor CivicActions ensures adequate storage capability requirements listed in AU-11 for all events from the application, database, and hosting environment. -### AU-5: Response To Audit Processing Failures + +### AU-5: Response to Audit Logging Process Failures ```text - a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and - b. Take the following additional actions: [Assignment: organization-defined additional actions]. ``` -**Status:** partial +**Status:** complete ##### Contractor @@ -296,6 +326,7 @@ CivicActions ensures adequate storage capability requirements listed in AU-11 fo When notified (e.g., via CloudWatch) of an auditing failure, CivicActions Operations staff will review the causes and take corrective action. + #### a ##### AWS @@ -311,7 +342,8 @@ AWS built-in features include customer alerting of AWS CloudTrail and other serv - AWS internal Incident Response and corporate communications processes -### AU-6: Audit Review, Analysis, And Reporting + +### AU-6: Audit Record Review, Analysis, and Reporting ```text - a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; @@ -331,6 +363,7 @@ CivicActions security audit data is collected by the AWS CloudWatch monitoring a - Adherence to logging standards identified in this procedure + #### b ##### Contractor 
@@ -338,6 +371,7 @@ CivicActions security audit data is collected by the AWS CloudWatch monitoring a Any significant findings observed during the inspection are reported to CivicActions' Security Office. If these are considered to constitute a security incident, then the Incident Response process is invoked as described in the implementation of the Incident Response Plan (IR-8). + ### AU-8: Time Stamps ```text @@ -345,7 +379,7 @@ Any significant findings observed during the inspection are reported to CivicAct - b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. ``` -**Status:** partial +**Status:** complete ##### Project @@ -353,6 +387,7 @@ Any significant findings observed during the inspection are reported to CivicAct The Project system clocks are synchronized system-wide and provide time stamps with audit records. + #### a ##### AWS @@ -365,6 +400,7 @@ AWS includes the Amazon Time Sync Service. Running over Network Time Protocol (N - Amazon RDS MySQL error logging + #### b ##### AWS @@ -379,14 +415,15 @@ The Amazon Time Sync Service provides accurate time stamp data to the following Time stamps are recorded as specified in the ISO 8601 standard. ISO 8601 represents local time (with the location unspecified), as UTC, or as an offset from UTC. -### AU-9: Protection Of Audit Information + +### AU-9: Protection of Audit Information ```text - a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and - b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. ``` -**Status:** partial +**Status:** Planned ##### AWS 
@@ -396,18 +433,20 @@ Access to audit data and tools is determined by access control policies for IAM + ##### Contractor CivicActions ensures that audit logs are created, stored and maintained. Developers who have been assigned as members of the CivicActions Security Office are the only CivicActions personnel with logical permission to access and review audit logs. + ### AU-11: Audit Record Retention ```text Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. ``` -**Status:** partial +**Status:** complete ##### AWS @@ -417,12 +456,14 @@ AWS CloudTrail logs are stored in an Amazon S3 bucket, which dynamically allocat + ##### Contractor CivicActions audits events from the application, database, and hosting environment, and retains these records for at least 180 days. -### AU-12: Audit Generation + +### AU-12: Audit Record Generation ```text - a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; 
@@ -430,23 +471,25 @@ CivicActions audits events from the application, database, and hosting environme - c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. ``` -**Status:** partial +**Status:** complete #### a ##### AWS -In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled, but initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) do not have auditing enabled within the OS, as these are for example purposes only. +In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled, but initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) do not have auditing enabled within the OS, as these are for example purposes only. AWS built-in features of logging mechanisms provide the audit record generation capability for the auditable events defined in AU-2a. by logging all security-relevant IAM user and API activities which address AWS infrastructure components (AWS Products and services), ELB -#### a + + ##### Contractor CivicActions ensures audit records are generated for its web and event logs as required in AU-2 and AU-3 for servers, application, database, and network components. + #### b ##### AWS 
@@ -456,13 +499,15 @@ In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Bal AWS built-in features of Identity and Access Management (IAM) allows policy to be applied to privileged users for administrator/audit access, allowing them to modify Amazon CloudWatch alarms, AWS Config rules, and Amazon S3 bucket logging to select the CloudTrail and Amazon S3 events that are to cause notification, alerting and automated reaction. -#### b + + ##### Contractor The selected auditable events described in AU-2 are coordinated by CivicActions internal admins and client security/operations officers for each component of the production system. + #### c ##### AWS @@ -483,7 +528,8 @@ AWS logging information: - Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html -#### c + + ##### Contractor diff --git a/docs/controls/CA.md b/docs/controls/CA.md index d7ee9ed..6d9e9cb 100644 --- a/docs/controls/CA.md +++ b/docs/controls/CA.md @@ -2,7 +2,7 @@ ## CA: Assessment Authorization and Monitoring -### CA-1: Security Assessment And Authorization Policies And Procedures +### CA-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -26,6 +26,7 @@ CivicActions has developed, documented and disseminated to personnel a certifica + ##### Project Project follows the None. The Project System Security Policy (SSP) provides guidance on all aspects of security for the protection of Project information technology resources. @@ -33,7 +34,8 @@ Project follows the None. The Project System Security Policy (SSP) provides guid Project will periodically review and update the SSP when there is a significant change to the regulatory, operational, or technical environment. -### CA-2: Security Assessments + +### CA-2: Control Assessments ```text - a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; 
@@ -55,7 +57,8 @@ Project will periodically review and update the SSP when there is a significant CivicActions will develop a security assessment plan (SAP) that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment environment, the assessment team, and the assessment roles and responsibilities. -#### a + + ##### Project @@ -66,6 +69,7 @@ The Project Full Name follows the None. The Project Full Name will conduct annua 3. Assessment environment, assessment team, and assessment roles and responsibilities + #### b ##### Contractor @@ -75,6 +79,7 @@ CivicActions will assess the security controls in their system and its environme All controls assigned and documented in this System Security Plan (SSP) will be tested at least annually or when there is a major change to the system. + #### c ##### Contractor @@ -82,13 +87,15 @@ All controls assigned and documented in this System Security Plan (SSP) will be CivicActions will produce a security assessment report that documents the results of the assessment. The Security Assessment Report must contain the results of the assessment, and may also contain recommendations and suggestions for plans of actions and milestones (POA&Ms). -#### c + + ##### Project The Project Authorizing Official or Designated Representative will create a Security Assessment Report (SAR). A full assessment shall be conducted by an independent third party assessor at least every three years. + #### d ##### Contractor 
@@ -104,7 +111,8 @@ CivicActions will provide the results of the security control assessment to the - Incident Response Plan -### CA-3: System Interconnections + +### CA-3: Information Exchange ```text - a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, nondisclosure agreements, [Assignment: organization-defined type of agreement]]; @@ -120,7 +128,8 @@ CivicActions will provide the results of the security control assessment to the This control is not applicable. CivicActions systems do not have system interconnections. The only communication conducted to CivicActions' systems is through the Internet. -### CA-5: Plan Of Action And Milestones + +### CA-5: Plan of Action and Milestones ```text - a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and @@ -147,12 +156,14 @@ POA&Ms are tracked throughout the lifecycle of the system until its mitigation. + ##### Project The Project follows the None procedures in managing POA&Ms. -### CA-6: Security Authorization + +### CA-6: Authorization ```text - a. Assign a senior official as the authorizing official for the system; @@ -174,6 +185,7 @@ The Project follows the None. The Project system received its first three-year s ATO re-assessment will be performed every three years or when there is a major change to the application, in which a senior organizational official will sign and approve the security accreditation. + ### CA-7: Continuous Monitoring ```text 
@@ -188,7 +200,7 @@ Develop a system-level continuous monitoring strategy and implement continuous m [Assignment: organization-defined frequency]. ``` -**Status:** partial +**Status:** None #### a ##### Contractor @@ -200,19 +212,22 @@ CivicActions implements a continuous monitoring strategy that incorporates confi - Log analysis is managed by feeding logs to a Graylog dashboard for analysis. -#### a + + ##### Drupal CivicActions follows recommendations and best practices developed by the Drupal community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3. -#### a + + ##### Ilias CivicActions follows recommendations and best practices developed by the Ilias community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3. + #### b ##### Contractor @@ -222,6 +237,7 @@ Configuration management and log analysis is carried out in real time. OpenSCAP Quarterly review of the control assessments supporting the monitoring is conducted by CivicActions Operations in collaboration with the CivicActions Security Office. + #### c ##### Drupal @@ -229,12 +245,14 @@ Quarterly review of the control assessments supporting the monitoring is conduct CivicActions works closely with the Drupal security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed. -#### c + + ##### Ilias CivicActions works closely with the Ilias security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed. + #### d ##### Contractor @@ -242,6 +260,7 @@ CivicActions works closely with the Ilias security community and reviews securit CivicActions conducts or oversees continuous system security monitoring. + #### e ##### Contractor 
@@ -249,6 +268,7 @@ CivicActions conducts or oversees continuous system security monitoring. CivicActions Security reviews the results of the security scans and security assessments with associated JIRA and/or GitLab Issue tickets created to correlate and analyze security-related information generated from the monitoring tools becoming POA&M items for tracking. + #### f ##### Contractor @@ -256,6 +276,7 @@ CivicActions Security reviews the results of the security scans and security ass POA&M items are tracked by CivicActions Security through JIRA tickets with a security categorization assigned. The information included in the POA&M item include the severity, the due date, the weakness source identifier, and the plugin ID that identified the vulnerability. + #### g ##### Contractor @@ -263,6 +284,17 @@ POA&M items are tracked by CivicActions Security through JIRA tickets with a sec The security status of the system is reported up to the System Owner and Project Manager via the CivicActions Security Office to be reviewed alongside other security issues relating to the system. + +### CA-7 (4): Risk Monitoring + +```text +Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: + - (a) Effectiveness monitoring; + - (b) Compliance monitoring; and + - (c) Change monitoring. + +``` +**Status:** incomplete ### CA-9: Internal System Connections ```text diff --git a/docs/controls/CM.md b/docs/controls/CM.md index d3a5520..5061537 100644 --- a/docs/controls/CM.md +++ b/docs/controls/CM.md @@ -2,7 +2,7 @@ ## CM: Configuration Management -### CM-1: Configuration Management Policy And Procedures +### CM-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 
@@ -27,11 +27,13 @@ Configuration changes are overseen by the Change Control Board (CCB) consisting + ##### Project The configuration management policy and procedures are formally documented in the Project Configuration Management Plan (CMP), which provides the roles and responsibilities as it pertains to physical and environmental protection. It defines responsibilities for the implementation and oversight of the guidance contained herein. Client reviews and updates the policy as necessary. + ### CM-2: Baseline Configuration ```text @@ -42,7 +44,7 @@ The configuration management policy and procedures are formally documented in th - 3. When system components are installed or upgraded. ``` -**Status:** partial +**Status:** complete ##### AWS @@ -54,6 +56,7 @@ All hardware is maintained by the AWS cloud. The system inherits hardware config + ##### Contractor A current baseline configuration is always available - stored as a tag in the Git repository - such that the site can be regenerated or rolled back should unauthorized or failing changes be applied. @@ -61,6 +64,7 @@ A current baseline configuration is always available - stored as a tag in the Gi + ##### Ilias The baseline configuration is maintained in Git and described in the Configuration Management Plan, which describes the change workflow and software configuration. In the context of Security Configuration Management, the baseline configuration is a collection of formally approved configuration state(s) of one or more configuration items ("features") that compose the system. The baseline configuration is used to restore and serves as the basis against which the next change or set of changes to the system is made. 
@@ -69,12 +73,14 @@ The features for the system are maintained in the website's source code, which i + ##### Project A CM process has been established and documented in the Project CMP. All updates are made in accordance with the procedures outlined in the CMP. The CM process establishes a baseline of hardware, software, firmware and documentation, as well as changes thereto, throughout the development and life cycle of the information system. CM ensures the control of the information system through its life cycle. It assures that additions, deletions, or changes made to the Project system do not unintentionally or unknowingly diminish security. If the change is major, the security of the system must be re-analyzed. -### CM-4: Security Impact Analysis + +### CM-4: Impact Analyses ```text Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. @@ -90,11 +96,20 @@ Security impact analysis is conducted and documented within the Change Request ( + ##### Project An Information Security Program is in place to ensure all security-centric impacts to the Project are properly analyzed and conducted by personnel with information security responsibilities (i.e., Project SSO, IT Security Officer, etc.). These individuals have the appropriate skills and technical expertise to analyze the changes to the Project and their associated security ramifications. In support of continuous monitoring and to ensure the Project system lifecycle is fully sustained, a risk assessment process, be it formal or informal, is performed when changes are occur. This ensures that Client Full Name understands the security impacts and can determine if additional security controls are required. + +### CM-5: Access Restrictions for Change + +```text +Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + +``` +**Status:** incomplete ### CM-6: Configuration Settings ```text 
@@ -104,7 +119,7 @@ An Information Security Program is in place to ensure all security-centric impac - d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. ``` -**Status:** complete +**Status:** partial #### a ##### Project @@ -112,6 +127,7 @@ An Information Security Program is in place to ensure all security-centric impac The Project is configured in compliance with the applicable baseline security standards. The Department and its technical support staff configure the security settings of all IT products to the most restrictive mode consistent with information system operational requirements. Project utilizes the NIST Special Publication 800-70 for guidance on configuration settings (checklists) for information technology products. When security setting checklist are not available from NIST for a particular device, good security engineering practices along with manufacture guidelines is used to develop the security settings. The CM Manager conducts configuration audits to ensure baseline compliance and documentation of hardware/software configurations throughout the system lifecycle. + #### b ##### Contractor @@ -119,13 +135,15 @@ The Project is configured in compliance with the applicable baseline security st CivicActions developers follow security best practices according to the guidelines set by the CivicActions Security Office. -#### b + + ##### Project Configuration settings are implemented, monitored, and controlled in accordance with the organizational Configuration Management Plan for the security configuration management processes and tools. + #### c ##### Project 
@@ -134,6 +152,7 @@ Currently, deviations do not exist for established configuration settings. In th The CivicActions CCB, identifies, approves, and documents exceptions to mandatory configuration settings for individual components within its cloud offering only when operationally necessary. All variances identified during the monthly and annual system testing scans that must be accepted for operational purposes are tracked. + #### d ##### Contractor @@ -141,6 +160,7 @@ The CivicActions CCB, identifies, approves, and documents exceptions to mandator All changes to the configuration settings are logged in the Git source code version control system, which records the identity of the developer who committed each change. Version control is enforced, with previous tagged code releases kept for rollback purposes. + ### CM-7: Least Functionality ```text @@ -148,7 +168,7 @@ All changes to the configuration settings are logged in the Git source code vers - b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. ``` -**Status:** partial +**Status:** complete #### a ##### AWS @@ -156,13 +176,15 @@ All changes to the configuration settings are logged in the Git source code vers In this architecture, only essential capabilities for a multi-tiered web service are configured. AWS Identity and Access Management (IAM) baseline Groups and Roles are configured to support restricted access to AWS resources by privileged users and non-person entities (Amazon EC2 systems operating with a role) authorized and assigned by the organization. -#### a + + ##### Project Services are limited to provide only essential capabilities. + #### b ##### AWS 
@@ -170,14 +192,16 @@ Services are limited to provide only essential capabilities. In this architecture, ports, protocols, and services are restricted to those that are required for a multi-tiered web service, via AWS security group rules. -#### b + + ##### Project The Project maintains strict default deny policy with access controls at the firewall, and on individual systems. Inbound access across the system boundary is only allowed on ports 22 (ssh), 80 (http) and 443 (https), with an additional port, 25 (smtp) open on the mail server. -### CM-8: Information System Component Inventory + +### CM-8: System Component Inventory ```text - a. Develop and document an inventory of system components that: @@ -189,7 +213,7 @@ The Project maintains strict default deny policy with access controls at the fir - b. Review and update the system component inventory [Assignment: organization-defined frequency]. ``` -**Status:** partial +**Status:** None ##### Ilias @@ -202,6 +226,7 @@ The inventory is reviewed monthly by CivicActions Product Engineering teams in a Website content is backed up daily using CPM snapshots. This allows CivicActions to build an inventory of the system on demand. + #### a ##### AWS @@ -214,6 +239,7 @@ AWS built-in features dynamically build and maintain an inventory of system comp 4. AWS built-in features provide all available information about all infrastructure system and network components to achieve effective component accountability. + #### b ##### AWS @@ -221,6 +247,7 @@ AWS built-in features dynamically build and maintain an inventory of system comp AWS built-in features provides a dynamically updated inventory of all infrastructure system and network components within the customer account. The AWS management console and AWS API calls support the capability for the organization to review the inventory. + ### CM-10: Software Usage Restrictions ```text 
@@ -229,7 +256,7 @@ AWS built-in features provides a dynamically updated inventory of all infrastruc - c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. ``` -**Status:** none +**Status:** None ##### Contractor @@ -239,11 +266,13 @@ Drupal is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are a + ##### Ilias Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law. -### CM-11: User-Installed Software + +### CM-11: User-installed Software ```text - a. Establish [Assignment: organization-defined policies] governing the installation of software by users; @@ -259,6 +288,7 @@ Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are al All software installed in the system environment must be first approved via the CCB resulting in a Change Request (CR) being initiated and executed. Software installation on the computing nodes within the authorization boundary is restricted to administrators. All CivicActions internal administrators are informed of this during their initial training and as part of the rules of behavior document. + #### b ##### Contractor @@ -266,6 +296,7 @@ All software installed in the system environment must be first approved via the CivicActions enforces software installation policies through required acknowledgment and sign-off on acceptable use policy by CivicActions personnel. CivicActions Development is responsible for enforcing compliance with the acceptable use policy. + #### c ##### Contractor diff --git a/docs/controls/CP.md b/docs/controls/CP.md index 3b53edb..6904dce 100644 --- a/docs/controls/CP.md +++ b/docs/controls/CP.md 
@@ -2,7 +2,7 @@ ## CP: Contingency Planning -### CP-1: Contingency Planning Policy And Procedures +### CP-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -26,6 +26,7 @@ CivicActions has developed, documented and disseminated to personnel a contingen + ##### Project This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. @@ -33,6 +34,7 @@ This is Agency common control. More data about implementation can be obtained fr The Project and has developed a contingency planning policy consistent with NIST 800-34. Contingency planning procedures are formally documented within the Project Contingency Plan, which provides the roles and responsibilities as it pertains to contingency planning. The Project reviews and updates the policy as necessary and the policy was last updated in July 2012. + ### CP-2: Contingency Plan ```text @@ -67,6 +69,7 @@ CivicActions has developed a contingency plan for that addresses: 6. The ISCP is reviewed and approved by ISCP Director, Incident Commander (IC), CivicActions ISSO and the System Owner annually. + #### b ##### Contractor @@ -74,13 +77,15 @@ CivicActions has developed a contingency plan for that addresses: The CivicActions Information System Contingency Plan (ISCP) has been distributed to all CivicActions team members. The ISCP can be found in the CivicActions Handbook at . -#### b + + ##### Project The Project Information System Contingency Plan (ISCP) has been distributed to all members who have roles in Contingency Planning and Incident Response Team. Direction by the System Owner will update who is required to receive a copy of the contingency plan. The ISCP can be found in the Project GitHub wiki at . + #### c ##### Contractor 
@@ -88,6 +93,7 @@ The Project Information System Contingency Plan (ISCP) has been distributed to a The Information System Contingency Plan (ISCP) is closely integrated with the Incident Response Plan (IRP). Coordination is the responsibility of the ISCP Director and CivicActions Operations staff. + #### d ##### Contractor @@ -95,6 +101,7 @@ The Information System Contingency Plan (ISCP) is closely integrated with the In The ISCP Director and CivicActions' Security Office are responsible to review the ISCP annually and when a change to the system occurs. + #### e ##### Contractor @@ -102,6 +109,7 @@ The ISCP Director and CivicActions' Security Office are responsible to review th CivicActions Operations staff and ISCP Director are required to update the ISCP to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. + #### f ##### Contractor @@ -109,6 +117,7 @@ CivicActions Operations staff and ISCP Director are required to update the ISCP The ISCP requires that changes to the plan be communicated to those on the Incident Response/Contingency Plan Contact List. + #### g ##### Contractor @@ -116,6 +125,7 @@ The ISCP requires that changes to the plan be communicated to those on the Incid The ISCP is available on CivicActions GitHub repository. This repository provides the configuration management capabilities for the ISCP to be protected from unauthorized disclosure and modification. + ### CP-3: Contingency Training ```text 
@@ -134,6 +144,7 @@ The ISCP is available on CivicActions GitHub repository. This repository provide The ISCP stipulates that all CivicActions system assigned roles in the Contingency Plan Team are trained in their duties within three months of first being assigned a role in the CP, and then annually thereafter or when changes are required. CivicActions uses the Contingency Plan as described in controls CP-1 and CP-2 as a basis for personnel contingency training. + ### CP-4: Contingency Plan Testing ```text @@ -150,7 +161,8 @@ The ISCP stipulates that all CivicActions system assigned roles in the Contingen Real-world tests of the contingency plan will be held at least annually, with supplemental tests (checklist/table-top) as needed for specific scenarios. The ISCP Coordinator is responsible to facilitate annual testing exercises. The testing process for the ISCP includes a review of the ISCP, exercise, and identification of corrective actions and other improvements. -### CP-9: Information System Backup + +### CP-9: System Backup ```text - a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] @@ -160,7 +172,7 @@ Real-world tests of the contingency plan will be held at least annually, with su - d. Protect the confidentiality, integrity, and availability of backup information. ``` -**Status:** partial +**Status:** complete #### a ##### AWS 
@@ -168,13 +180,15 @@ Real-world tests of the contingency plan will be held at least annually, with su In this architecture, user data is limited to that which is stored in the Amazon RDS database. Amazon RDS is fully backed up by a daily snapshot as well as through transaction logging conducted by AWS as part of this managed service. Full database recovery from snapshot or point-in-time can be initiated from the Amazon RDS console/API. -#### a + + ##### Contractor CivicActions conducts system user-level information backup in accordance with requirements (at a minimum, incremental backups must be conducted at least weekly and full backups must be conducted at least monthly). + #### b ##### AWS @@ -182,13 +196,15 @@ CivicActions conducts system user-level information backup in accordance with re AWS built-in features automatically backs up system-level information limited to infrastructure CONFIGURATION information within the AWS account. While individual running Amazon EC2 instances and attached EBS volumes are NOT backed up, they can be reconstituted from Amazon Machine Images (AMIs) provided by AWS (which are backed up by AWS) and user data scripts included in CloudFormation templates. Once deployed, the CloudFormation template contents are backed up by AWS R488within the CloudFormation service. These AWS backups of AWS services are transparent to the customer as part of AWS backend processes. -#### b + + ##### Contractor System-level information for the application is replicated and backed up in the same way as user-level information as defined in CP-9(a). + #### c ##### AWS 
@@ -196,13 +212,15 @@ System-level information for the application is replicated and backed up in the AWS built-in features back up online administrator and developer documentation, limited to that which is published at https://aws.amazon.com/documentation. -#### c + + ##### Contractor System documentation is backed up from the GitHub repository on a daily basis with a minimum two-week retention period and off-site storage. + #### d ##### AWS @@ -210,14 +228,16 @@ System documentation is backed up from the GitHub repository on a daily basis wi AWS built-in features protect the confidentiality, integrity, and availability of information that AWS services back up. This information includes the service configuration information within an account, AWS online administrator and developer documentation, and AWS CloudFormation stacks for templates once deployed into an account. R612 -#### d + + ##### Contractor CivicActions employees must authenticate prior to being granted access to the GitHub repository. Roles and responsibilities within GitHub determine the proper level of access for the documentation being accessed. The folder structure of GitHub protects though permissions and ownership prohibiting users from accessing unauthorized documentation. -### CP-10: Information System Recovery And Reconstitution + +### CP-10: System Recovery and Reconstitution ```text Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. diff --git a/docs/controls/IA.md b/docs/controls/IA.md index a94e6b6..a1c4b7c 100644 --- a/docs/controls/IA.md +++ b/docs/controls/IA.md 
@@ -2,7 +2,7 @@ ## IA: Identification and Authentication -### IA-1: Identification And Authentication Policy And Procedures +### IA-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -26,12 +26,14 @@ CivicActions has developed, documented and disseminated to personnel an identifi + ##### Project The Project system owners/managers manage user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate official; (iv) ensuring that the user identifier is issued to the intended party; (v) disabling user identifier after a reasonable period of inactivity as documented in its security procedures; and (vi) archiving user identifiers. Project reviews and updates this policy as necessary. -### IA-2: Identification And Authentication (Organizational Users) + +### IA-2: Identification and Authentication (organizational Users) ```text Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. 
@@ -45,7 +47,8 @@ Uniquely identify and authenticate organizational users and associate that uniqu AWS built-in features of Identity and Access Management (IAM) provides the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users operating within the AWS account and infrastructure, providing privileges based on the credentials, group memberships, and access policies assigned to them. The customer organization, at its discretion, provides individual user accounts and privileges to both organizational non-organizational users in addition to organizational users. -### IA-2 (1): Network Access To Privileged Accounts + +### IA-2 (1): Multi-factor Authentication to Privileged Accounts ```text Implement multi-factor authentication for access to privileged accounts. @@ -63,6 +66,7 @@ To access root (sudo) privileges an additional password is required. The passwor + ##### Drupal Drupal administrators and other roles with unrestricted access to live content and/or user accounts are required to use two-factor authentication. See artifact None @@ -70,12 +74,28 @@ Drupal administrators and other roles with unrestricted access to live content a + ##### Project The Project employs multi-factor authentication for privileged users. -### IA-2 (12): Acceptance Of Piv Credentials + +### IA-2 (2): Multi-factor Authentication to Non-privileged Accounts + +```text +Implement multi-factor authentication for access to non-privileged accounts. + +``` +**Status:** incomplete +### IA-2 (8): Access to Accounts — Replay Resistant + +```text +Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts, non-privileged accounts]. + +``` +**Status:** incomplete +### IA-2 (12): Acceptance of PIV Credentials ```text Accept and electronically verify Personal Identity Verification-compliant credentials. 
@@ -89,6 +109,7 @@ Accept and electronically verify Personal Identity Verification-compliant creden The Project system allows users to access the system using Common Access Cards (CAC). + ### IA-4: Identifier Management ```text @@ -99,7 +120,7 @@ Manage system identifiers by: - d. Preventing reuse of identifiers for [Assignment: organization-defined time period]. ``` -**Status:** partial +**Status:** None #### a ##### Contractor @@ -107,19 +128,22 @@ Manage system identifiers by: Access to the system is authorized by the System Owner or Project Manager for each role as described in AC-2. -#### a + + ##### Drupal Upon account creation, the Drupal software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted. -#### a + + ##### Ilias Upon account creation, the Ilias software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted. + #### b ##### Contractor 
@@ -129,19 +153,22 @@ User accounts are assigned a unique identifier in the form of a unique username, In accordance with CivicActions Identification and Authentication (IA) Policy outlined at , CivicActions internal users are uniquely identified by the creation of an organizational account with a username based on each user's first and last names. -#### b + + ##### Drupal When Drupal user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements. -#### b + + ##### Ilias When Ilias user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements. + #### c ##### Contractor 
@@ -149,37 +176,43 @@ When Ilias user accounts are created, users' email addresses are verified by sen User accounts are assigned a unique identifier in the form of a unique username, password and email address based on the system for allocating user accounts described in AC-2. -#### c + + ##### Drupal Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account. -#### c + + ##### Ilias Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account. + #### d ##### Contractor Account usernames may not be re-used for at least two years. -#### d + + ##### Drupal Drupal user's unique identifier (the numeric user ID, or UID) is never reused. -#### d + + ##### Ilias Ilias user's unique identifier (the numeric user ID, or UID) is never reused. + #### e ##### Contractor @@ -187,6 +220,7 @@ Ilias user's unique identifier (the numeric user ID, or UID) is never reused. All user accounts are required to change their passwords every 90 days. The website will automatically block the accounts of users who fail to change their password within that time period, after which the account may only be unblocked by a website Administrator or CivicActions Operations staff. + ### IA-5: Authenticator Management ```text @@ -202,7 +236,7 @@ Manage system authenticators by: - i. Changing authenticators for group or role accounts when membership to those accounts changes. ``` -**Status:** complete +**Status:** partial #### a ##### Drupal 
@@ -211,7 +245,8 @@ Refer to control AC-2 in this SSP for further details on account provisioning. CivicActions will create and maintain an initial Drupal Administrator (highest level of Drupal Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create. -#### a + + ##### Ilias @@ -219,13 +254,15 @@ Refer to control AC-2 in this SSP for further details on account provisioning. CivicActions will create and maintain an initial Ilias Administrator (highest level of Ilias Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create. -#### a + + ##### Project Authentication for Project internal personnel are created during the personnel assignment process where requests are made to the Project admin group for proper access levels. The Project admin group verifies the identity of the user. The website performs further verification by sending an email to the user's mailbox containing a single-use activation link which must be used to log in to the account for the first time and to create a password. + #### b ##### Drupal 
@@ -233,32 +270,37 @@ Authentication for Project internal personnel are created during the personnel a Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy. -#### b + + ##### Ilias Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy. -#### b + + ##### Project Project admins in collaboration with CivicActions Operations are responsible for provisioning and de-provisioning end user accounts in compliance with the authentication requirements described herein. + #### c ##### Drupal The system partially inherits this control from Drupal standard password strength mechanisms. -#### c + + ##### Ilias The system partially inherits this control from Ilias standard password strength mechanisms. -#### c + + ##### Project @@ -271,6 +313,7 @@ When entering a user account password upon initial login, all users must comply - Password must contain at least one lowercase character. + #### d ##### Drupal @@ -278,7 +321,8 @@ When entering a user account password upon initial login, all users must comply The system partially inherits this control from Drupal standard password management. All password creation/change/reset operations are recorded in the website's "Drupal Watchdog" logs. -#### d + + ##### Ilias @@ -286,7 +330,8 @@ The system partially inherits this control from Ilias standard password manageme All password creation/change/reset operations are recorded in the website's Ilias logs. -#### d + + ##### Project 
@@ -310,6 +355,7 @@ In accordance with Project site configuration, the following administrative proc any user account if they believe there is a reason to do so. + #### e ##### Drupal @@ -317,12 +363,14 @@ In accordance with Project site configuration, the following administrative proc Drupal requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. -#### e + + ##### Ilias Ilias requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. + #### f ##### Project @@ -334,6 +382,7 @@ Project authenticators follow these password lifetime restrictions: - Password reuse restriction = 10 + #### g ##### Project @@ -344,6 +393,7 @@ Project enforces password lifetime restrictions. The password lifetime settings - Maximum restriction of ninety (90) days before a password change is required. + #### h ##### Drupal 
@@ -351,12 +401,14 @@ Project enforces password lifetime restrictions. The password lifetime settings For all Drupal users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. -#### h + + ##### Ilias For all Ilias users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. + #### i ##### Contractor @@ -366,10 +418,12 @@ CivicActions users are required to take appropriate measures in the handling of - Not transmitting user names and passwords together in an unencrypted format - Not permitting the sending of passwords in an unencrypted format via email - Not listing passwords in tickets -- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. +- Not writing down or storing passwords in a readable form in any physical or logical + location where they may be discoverable by unauthorized persons. + + -#### i ##### Drupal @@ -381,7 +435,8 @@ Drupal users are required to take appropriate measures in the handling of passwo - Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. -#### i + + ##### Ilias 
@@ -392,19 +447,22 @@ Ilias users are required to take appropriate measures in the handling of passwor - Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. + #### j ##### Drupal This control is not applicable due to the fact that group accounts are not created within the Drupal application per IA Policy. -#### j + + ##### Ilias This control is not applicable due to the fact that group accounts are not created within the Ilias application per IA Policy. -### IA-5 (1): Password-Based Authentication + +### IA-5 (1): Password-based Authentication ```text For password-based authentication: @@ -426,14 +484,16 @@ For password-based authentication: Project is responsible for provisioning and de-provisioning end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5. + #### a ##### AWS -AWS built-in features of Identity and Access Management (IAM) provides minimum password complexity enforcement, but the characteristics to enforce must be manually configured by the customer. Refer to http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html +AWS built-in features of Identity and Access Management (IAM) provides minimum password complexity enforcement, but the characteristics to enforce must be manually configured by the customer. Refer to + + -#### a ##### Drupal @@ -441,7 +501,8 @@ Drupal supports the requirement for password-based authentication complexity. Ne Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by CivicActions Change Control Board before being implemented. -#### a + + ##### Ilias 
@@ -449,6 +510,7 @@ Ilias supports the requirement for password-based authentication complexity. New Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by {'name': 'CivicActions, Inc', 'name_short': 'CivicActions', 'address': {'street': '3527 Mt Diablo Blvd, Unit 269', 'city': 'Lafayette', 'state': 'CA', 'zip': 94549, 'country': None}, 'phone': '510-408-7510', 'website': 'www.civicactions.com', 'compliance_docs_url': 'https://github.com/CivicActions/compliance-docs', 'email_support': 'support@civicactions.com', 'security_policy_url': 'https://github.com/CivicActions/security-policy'}' Change Control Board before being implemented. + #### b ##### Drupal @@ -456,12 +518,14 @@ Changing password lifetime, length, reuse or strength requirements requires a co When required to change passwords, Drupal users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. -#### b + + ##### Ilias When required to change passwords, Ilias users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. + #### c ##### AWS 
@@ -469,43 +533,50 @@ When required to change passwords, Ilias users are required to change their auth AWS built-in features of AWS Identity and Access Management (IAM) and the AWS Console store passwords on AWS systems in a cryptographically-protected format and only support TLS connectivity to the console web site to protect passwords in transit via encryption. -#### c + + ##### Drupal All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. -#### c + + ##### Ilias All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + #### d ##### Drupal The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). -#### d + + ##### Ilias The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). + #### e ##### Drupal Password reuse is limited through software configuration. -#### e + + ##### Ilias Password reuse is limited through software configuration. + #### f ##### AWS 
@@ -513,48 +584,29 @@ Password reuse is limited through software configuration. AWS built-in features of AWS Identity and Access Management (IAM) provides the capability to require new password to be entered upon login. The customer organization, at its discretion, configures IAM to enforce that requirement. -#### f -##### Drupal -When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. - - -#### f -##### Ilias +##### Drupal When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. -### IA-5 (11): Hardware Token-Based Authentication -```text -``` -**Status:** partial -##### AWS - -AWS built-in features of AWS Identity and Access Management (IAM) provides the capability for Hardware MFA using Gemalto SafeNet IDProve 100 and 700 OTP Tokens which are compliant to OATH open standard (time based - 6 digits) Expected battery life is 3-5 years or approximately 15,000 - 20,000 clicks. These products are handheld devices that provide strong authentication by generating a unique password that is valid for only one attempt and for 30 seconds. - -It is the customer organization's responsibility to implement Hardware MFA. Refer to http://aws.amazon.com/iam/details/mfa/ and http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html - - - - -##### Project +##### Ilias -Project does not support physical hardware token-based authentication. Therefore this control is Not Applicable. +When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. 
After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. -### IA-6: Authenticator Feedback +### IA-6: Authentication Feedback ```text Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. ``` -**Status:** partial +**Status:** None ##### AWS @@ -566,6 +618,7 @@ AWS built-in features obscure keystroke feedback for password input during AWS c + ##### Drupal Feedback of authentication information is obscured during the authentication process into the Drupal application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. @@ -573,17 +626,19 @@ Feedback of authentication information is obscured during the authentication pro + ##### Ilias Feedback of authentication information is obscured during the authentication process into the Ilias application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. + ### IA-7: Cryptographic Module Authentication ```text Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. ``` -**Status:** partial +**Status:** None ##### AWS @@ -593,6 +648,7 @@ AWS built-in features of AWS Identity and Access Management (IAM) authentication + ##### Drupal All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. 
@@ -600,10 +656,12 @@ All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorit + ##### Ilias All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + #### j ##### Contractor @@ -611,7 +669,8 @@ All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorith CivicActions systems employ authentication methods consistent with NIST FIPS 140-2 requirements. General public access to system web pages does not require cryptographic authentication. Privileged users accessing systems use the public-key cryptographic functionality of Secure Shell (SSH) to encrypt the exchange of information (including the password) between the remote user and the server. Where Transport Layer Security (TLS, aka SSL) is used, cryptographic modules will be configured in accordance with FIPS 140-2. -### IA-8: Identification And Authentication (Non-Organizational Users) + +### IA-8: Identification and Authentication (non-organizational Users) ```text Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. @@ -627,7 +686,8 @@ AWS built-in features of AWS Identity and Access Management (IAM) provide the ca The customer organization at its discretion provides user accounts and privileges to both organizational non-organizational users in addition to organizational users. -### IA-8 (1): Acceptance Of Piv Credentials From Other Agencies + +### IA-8 (1): Acceptance of PIV Credentials from Other Agencies ```text Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. 
@@ -641,7 +701,8 @@ Accept and electronically verify Personal Identity Verification-compliant creden Project allows the use of customer agency supplied Common Access Cards (CAC). -### IA-8 (2): Acceptance Of Third-Party Credentials + +### IA-8 (2): Acceptance of External Authenticators ```text - (a) Accept only external authenticators that are NIST-compliant; and @@ -656,9 +717,11 @@ Project allows the use of customer agency supplied Common Access Cards (CAC). Project does not utilize FICAM approved credentials. -### IA-8 (3): Use Of Ficam-Approved Products + +### IA-8 (4): Use of Defined Profiles ```text +Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. ``` **Status:** none @@ -666,18 +729,14 @@ Project does not utilize FICAM approved credentials. ##### Project -Project does not utilize FICAM approved products. +CivicActions does not utilize FICAM approved products or profiles. + -### IA-8 (4): Use Of Ficam-Issued Profiles +### IA-11: Re-authentication ```text -Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. +Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. ``` -**Status:** none - - -##### Project - -CivicActions does not utilize FICAM approved products or profiles. +**Status:** incomplete diff --git a/docs/controls/IR.md b/docs/controls/IR.md index a3bf147..eeb6b0e 100644 --- a/docs/controls/IR.md +++ b/docs/controls/IR.md @@ -2,7 +2,7 @@ ## IR: Incident Response -### IR-1: Incident Response Policy And Procedures +### IR-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 
@@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -26,6 +26,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor CivicActions has developed, documented and disseminated to personnel an incident response planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in Incident Response (IR) Policy and Procedure that can be found in the CivicActions Compliance Docs GitHub repository at . @@ -33,6 +34,7 @@ CivicActions has developed, documented and disseminated to personnel an incident + ##### Project This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. @@ -44,6 +46,7 @@ Additionally, the IRP includes procedures to respond to waste, fraud, misuse, or The Project Incident Response Plan can be found in the CivicActions GitHub repository at + ### IR-2: Incident Response Training ```text @@ -54,7 +57,7 @@ The Project Incident Response Plan can be found in the CivicActions GitHub repos - b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** In Place +**Status:** complete ##### AWS 
@@ -64,6 +67,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor All CivicActions employees are required to participate in incident response training, as required by Incident Response Plan changes, and annually. The CivicActions Incident Response Plan () is the basis for the training and the incident response workflow created by the Security Office. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. @@ -71,11 +75,13 @@ All CivicActions employees are required to participate in incident response trai + ##### Project CivicActions Operations and users of the Project system with incident response responsibilities are required to participate in incident response training once the role is assumed within 10 days, as required by Project changes, and annually. The Incident Response Plan () is the basis for the training and the incident response workflow created by the Security team. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. + ### IR-4: Incident Handling ```text @@ -85,7 +91,7 @@ CivicActions Operations and users of the Project system with incident response r - d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -95,6 +101,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Project The Client Computer Security Officer (CSO) handles all incidents for the Project Full Name. 
@@ -104,6 +111,7 @@ The Client Full Name utilizes proven incident handling methodologies for securit Preparation activities includes all CivicActions and Project internal users are trained if their role includes incident response. Detection monitoring tools providing notification to incident response personnel for analysis and action. Containment, eradication and recovery activities include AWS and LAMP-stack inherited fixes and Project system administrators adjusting IP port blocking security groups and SELinux policies. + #### a ##### Contractor @@ -112,6 +120,7 @@ CivicActions has implemented an Incident Response Plan () require a team review session for approval. + ### IR-5: Incident Monitoring ```text Track and document incidents. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -142,6 +153,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor CivicActions utilizes the JIRA ticketing tool for tracking and reporting of incident events from reporting to resolution and post- incident analysis. Initial reporting can come from continuous monitoring tools as well as client and public submissions made to support@civicactions.com. Jira processes the tickets for the public submissions and the CivicActions Support Team creates associated GitHub Issues. Internal incidents reported are processed within the GitHub Issue queue. Details of the handling procedures are included in the CivicActions Incident Response Plan () Response Process. @@ -149,11 +161,13 @@ CivicActions utilizes the JIRA ticketing tool for tracking and reporting of inci + ##### Project The Project utilizes network and host-based intrusion detection systems, monitoring the system and application logs for anomalous events. Incidents are tracked using the same ticketing system that is used to track all system-related changes and events. + ### IR-6: Incident Reporting ```text 
@@ -161,7 +175,7 @@ The Project utilizes network and host-based intrusion detection systems, monitor - b. Report incident information to [Assignment: organization-defined authorities]. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -171,6 +185,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Project If an incident involves suspicious activity, CivicActions Operations will contact the Project System Owner who may then contact the Project CSO. @@ -178,6 +193,7 @@ If an incident involves suspicious activity, CivicActions Operations will contac The CivicActions Computer Security Officer (CSO) handles all incidents for the Project. The CSO is prepared to report all incidents to the Client Full Name. + #### a ##### Contractor @@ -185,11 +201,14 @@ The CivicActions Computer Security Officer (CSO) handles all incidents for the P CivicActions personnel, as soon as an incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. Methods of detection and/or communication may include one or more of: - Through continuous monitoring tools (StatusCake, OSSEC, others). -- As a result of application notifications where CivicActions Security receives notifications (AIDE, OpsGenie, others). +- As a result of application notifications where CivicActions Security + receives notifications (AIDE, OpsGenie, others). + - Event logging described in AC-2 - Host-based alerts from the cloud infrastructure or platform. + #### b ##### Contractor 
@@ -197,18 +216,20 @@ CivicActions personnel, as soon as an incident event is detected and/or communic CivicActions personnel, as soon as the incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. -### IR-7: Incident Resonse Assistance + +### IR-7: Incident Response Assistance ```text Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. ``` -**Status:** In Place +**Status:** complete ##### AWS -The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident resonse assistance. +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response assistance. + @@ -218,6 +239,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran CivicActions Help Desk team provides first response assistance to any users of the system. Response time for external reporting of incidents through e-mail is one business day. Internal users are able to request support thought the same process or initiate the incident response workflow. Tickets created in the Jira (customer ticketing system) and GitLab (internal ticketing system) documents all details related to the incident to assist the Incident Response Teams in handling the incident. + ### IR-8: Incident Response Plan ```text @@ -239,7 +261,7 @@ CivicActions Help Desk team provides first response assistance to any users of t - e. Protect the incident response plan from unauthorized disclosure and modification. ``` -**Status:** In Place +**Status:** complete ##### AWS 
@@ -249,11 +271,13 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Project The Project Incident Response Plan () includes a comprehensive incident response program, which details the implementation of procedures and tools required for incident handling. The incident response program details the roles and responsibilities of Project/ CivicActions IR Team. The IR Team includes members from CivicActions Security and Operations teams. Incident response plays a pivotal role in monitoring, detecting and handling security incidents of the entire information system. The IRP details categorization of incidents in accordance with NIST 800-61 and accordingly documents and reports incidents. The IRP is reviewed annually and updated as needed by ISSO, with the assistance of the Incident Response Team. + #### a ##### Contractor 
@@ -262,12 +286,18 @@ Incident response plays a pivotal role in monitoring, detecting and handling sec 1. Provides CivicActions with procedures and tools required for incident handling; 2. Describes the structure and organization of the incident response capability; -3. Provides a high-level approach for how the incident response capability fits into CivicActions and the systems it maintains; +3. Provides a high-level approach for how the incident response capability fits into + CivicActions and the systems it maintains; + 4. Meets the mission, size, structure, and functions of CivicActions; 5. Defines reportable incidents; -6. Provides metrics for measuring the incident response capability and details categorization of incidents in accordance with NIST 800-61; +6. Provides metrics for measuring the incident response capability and details categorization + of incidents in accordance with NIST 800-61; + 7. Defines the roles and responsibilities of CivicActions IR Team; -8. Is reviewed annually and updated as needed by the CivicActions Security Office, with the assistance of the Incident Response Team. +8. Is reviewed annually and updated as needed by the CivicActions Security Office, + with the assistance of the Incident Response Team. + #### b @@ -279,6 +309,7 @@ The CivicActions Incident Response Plan is distributed to all CivicActions team Operations staff, and Drupal Engineering teams. + #### c ##### Contractor @@ -286,6 +317,7 @@ The CivicActions Incident Response Plan is distributed to all CivicActions team The CivicActions Security Office and the Incident Response team is responsible for reviewing the Incident Response Plan annually. The entire Incident Response Team will review the plan and update it as necessary. Ultimately, the Security Office has the final say and will approve all updates to the plan. + #### d ##### Contractor 
@@ -293,6 +325,7 @@ The CivicActions Security Office and the Incident Response team is responsible f The CivicActions Security Office is responsible for managing the IR Plan, including annual reviews and updates. The IR Plan is updated to reflect any changes to processes, systems or applications. In addition, any concerns or difficulties encountered during IR Plan implementation, execution, or testing are addressed in an update to the IR Plan. + #### e ##### Contractor @@ -300,6 +333,7 @@ The CivicActions Security Office is responsible for managing the IR Plan, includ Modifications to the IR Plan are conducted by the IR team the (CivicActions Security Office, Operations staff and Engineering teams) and communicated to the CivicActions team. + #### f ##### Contractor diff --git a/docs/controls/MA.md b/docs/controls/MA.md index addee39..a23de43 100644 --- a/docs/controls/MA.md +++ b/docs/controls/MA.md @@ -2,7 +2,7 @@ ## MA: Maintenance -### MA-1: System Maintenance Policy And Procedures +### MA-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -25,7 +25,8 @@ This System Maintenance control associated with hardware components within AWS i For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + 
@@ -37,6 +38,7 @@ CivicActions has developed, documented and disseminated to personnel a system ma + ##### Project System maintenance policy and procedures are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to software and systems maintenance and updates. The Project Full Name ensures that maintenance controls are developed, disseminated, reviewed, and updated as necessary. @@ -46,6 +48,7 @@ Physical and environmental protection is fully inherited from the AWS FedRAMP ce This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + ### MA-2: Controlled Maintenance ```text @@ -66,7 +69,8 @@ This System Maintenance control associated with hardware components within AWS i For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + @@ -82,7 +86,8 @@ The Project schedules, performs, and documents regular maintenance on the softwa - Twice-monthly OS updates/patches -### MA-4: Non-Local Maintenance + +### MA-4: Nonlocal Maintenance ```text - a. Approve and monitor nonlocal maintenance and diagnostic activities; 
@@ -101,7 +106,8 @@ This System Maintenance control associated with hardware components within AWS i For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + #### a @@ -111,6 +117,7 @@ Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Sum System maintenance is done from remote sites as there is no direct access to the server instances in the AWS cloud; this is the government-approved method of doing business. Approval, QA, and monitoring are conducted by the team performing the specific maintenance. + #### b ##### Contractor @@ -118,6 +125,7 @@ System maintenance is done from remote sites as there is no direct access to the Remote diagnostics tools, such as OSSEC, AIDE, fail2ban, and OpenSCAP are used to verify the integrity of files, perform log analysis, monitor login attempts and check for rootkits and other vulnerabilities. + #### c ##### Contractor @@ -125,6 +133,7 @@ Remote diagnostics tools, such as OSSEC, AIDE, fail2ban, and OpenSCAP are used t All nonlocal maintenance requires the same authentication requirements to perform the maintenance activities to access the system as defined in controls AC-3 and IA-2. SSH is used to secure all communications between the remote user and the components located in the AWS cloud. + #### d ##### Contractor 
@@ -132,6 +141,7 @@ All nonlocal maintenance requires the same authentication requirements to perfor CivicActions records for nonlocal maintenance is managed through JIRA tickets and the Git issue queue as well as normal system logs. CivicActions administrator activity to the system is also logged through the implementation of the AU-2 (Audit Events) and AU-3 (Content of Audit Records). + #### e ##### Contractor @@ -139,6 +149,7 @@ CivicActions records for nonlocal maintenance is managed through JIRA tickets an Any session for internal maintenance activities is terminated when the user completes their session, disconnects from the system, or logs out. In addition, sessions are terminated after 15 minutes of inactivity. + ### MA-5: Maintenance Personnel ```text @@ -156,7 +167,8 @@ This System Maintenance control associated with hardware components within AWS i For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + @@ -168,6 +180,7 @@ Maintenance of the system and applications can only be performed by personnel de + ##### Project Client maintains a list of authorized contract (CivicActions) personnel who perform maintenance and repair activities on the Project Project system components, and only these authorized personnel may perform the maintenance. All maintenance personnel have the required personnel security elements in place. diff --git a/docs/controls/MP.md b/docs/controls/MP.md index aa98629..332b79b 100644 
--- a/docs/controls/MP.md +++ b/docs/controls/MP.md @@ -2,7 +2,7 @@ ## MP: Media Protection -### MP-1: Media Protection Policy And Procedures +### MP-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** complete +**Status:** None ##### AWS @@ -25,7 +25,8 @@ This Media Protection control associated with hardware components within AWS is For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + @@ -37,11 +38,13 @@ CivicActions has developed, documented and disseminated to personnel a media pro + ##### Project This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. Media protection policy and procedures are fully inherited from AWS Cloud. + ### MP-2: Media Access ```text 
@@ -57,7 +60,8 @@ This Media Protection control associated with hardware components within AWS is For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### MP-6: Media Sanitization @@ -76,7 +80,8 @@ This Media Protection control associated with hardware components within AWS is For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### MP-7: Media Use 
@@ -95,4 +100,4 @@ This Media Protection control associated with hardware components within AWS is For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. diff --git a/docs/controls/PE.md b/docs/controls/PE.md index 8ac0bcc..51d1637 100644 --- a/docs/controls/PE.md +++ b/docs/controls/PE.md @@ -2,7 +2,7 @@ ## PE: Physical and Environmental Protection -### PE-1: Physical And Environmental Protection Policy And Procedures +### PE-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -25,7 +25,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-2: Physical Access Authorizations 
@@ -46,7 +47,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-3: Physical Access Control @@ -72,7 +74,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-6: Monitoring Physical Access 
@@ -92,7 +95,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-8: Visitor Access Records @@ -112,7 +116,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-12: Emergency Lighting 
@@ -130,7 +135,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-13: Fire Protection @@ -148,10 +154,11 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + -### PE-14: Temperature And Humidity Controls +### PE-14: Environmental Controls ```text - a. Maintain [Selection (one or more): temperature, humidity, pressure, radiation, [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and 
@@ -167,7 +174,8 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + ### PE-15: Water Damage Protection @@ -185,10 +193,11 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + -### PE-16: Delivery And Removal +### PE-16: Delivery and Removal ```text - a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and 
@@ -204,4 +213,4 @@ This Physical Environment control associated with hardware components within AWS For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). -Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/" +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. diff --git a/docs/controls/PL.md b/docs/controls/PL.md index e656849..a481a10 100644 --- a/docs/controls/PL.md +++ b/docs/controls/PL.md @@ -2,7 +2,7 @@ ## PL: Planning -### PL-1: Security Planning Policy And Procedures +### PL-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -26,6 +26,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor CivicActions has developed, documented and disseminated to personnel a system planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Planning (PL) Policy and Procedure document that can be found in the CivicActions GitHub repository at . 
@@ -33,6 +34,7 @@ CivicActions has developed, documented and disseminated to personnel a system pl + ##### Project This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. @@ -40,7 +42,8 @@ This is Agency common control. More data about implementation can be obtained fr The Project developed its security policy planning and procedures based on None, guidance from NIST, the Office of Management and Budget and industry best practices. Security policies and procedures are formally documented within the Project SSP, which provides the roles and responsibilities as it pertains to security planning. It provides guidance on all aspects of security for the protection of Project information technology resources. It defines responsibilities for the implementation and oversight of the guidance contained herein. The plan was last updated in December, 2015. -### PL-2: System Security Plan + +### PL-2: System Security and Privacy Plans ```text - a. Develop security and privacy plans for the system that: @@ -65,7 +68,7 @@ The Project developed its security policy planning and procedures based on None, - e. Protect the plans from unauthorized disclosure and modification. ``` -**Status:** In Place +**Status:** complete ##### AWS 
@@ -75,11 +78,13 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Project The System Security Plan (SSP) was developed and implemented for Project system in accordance with None, NIST SP 800-18 and NIST SP 800-37. The SSP includes a description of the management, operational, and technical controls in place or planned for the application. The SSP is included as a key document in an application’s C&A package and is reviewed and approved by designated officials. The SSP identifies the system owner and responsible parties for managing system access and the overall security of the system. The Chief Information Security Officer reviews and approves the SSP. The SSP will be reviewed at least annually and updated to account for any changes to the Project system and to address any changes in security controls. + #### a ##### Contractor 
@@ -88,13 +93,21 @@ CivicActions has developed this system security plan (SSP) for the information s 1. Is consistent with the organization’s enterprise architecture 2. Explicitly defines the authorization boundary for the system -3. Describes the operational context of the information system in terms of missions and business processes +3. Describes the operational context of the information system in terms of missions and business + processes + 4. Provides the security categorization of the information system including supporting rationale -5. Describes the operational environment for the information system and relationships with or connections to other information systems +5. Describes the operational environment for the information system and relationships with or + connections to other information systems + 6. Provides an overview of the security requirements for the system 7. Identifies any relevant overlays, if applicable -8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions -9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation +8. Describes the security controls in place or planned for meeting those requirements including a + rationale for the tailoring decisions + +9. Is reviewed and approved by the authorizing official or designated representative prior to plan + implementation + #### b @@ -104,6 +117,7 @@ CivicActions has developed this system security plan (SSP) for the information s The SSP is reviewed and approved by the authorizing official prior to plan implementation. A copy of the SSP is provided to authorized CivicActions and assessing personnel including the System Owner, Authorizing Official, Information System Security Officer, System/Network Administrator, and the CivicActions Operations staff. The SSP is maintained by the CivicActions Security Office. + #### c ##### Contractor 
@@ -111,6 +125,7 @@ The SSP is reviewed and approved by the authorizing official prior to plan imple The SSP is reviewed at least annually by the System Owner and the CivicActions Operations staff in collaboration with the CivicActions Security Office. + #### d ##### Contractor @@ -118,6 +133,7 @@ The SSP is reviewed at least annually by the System Owner and the CivicActions O The CivicActions Operations staff in collaboration with the CivicActions Security Office updates the system description and control descriptions within the SSP as needed to verify the SSP is an accurate description of the system. + #### e ##### Contractor @@ -125,7 +141,8 @@ The CivicActions Operations staff in collaboration with the CivicActions Securit The SSP is currently available to authorized users on GitLab. Per the Acceptable Use Policy, all entities granted access to CivicActions information assets are required to complete a non-disclosure agreement (NDA) to uphold information confidentiality. GitLab provides the configuration management capabilities for the SSP to be protected from unauthorized disclosure and modification. -### PL-4: Rules Of Behavior + +### PL-4: Rules of Behavior ```text - a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; 
@@ -142,7 +159,8 @@ The SSP is currently available to authorized users on GitLab. Per the Acceptable CivicActions has created and made readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage. These rules, defined as the Acceptable Use Policy, are included in the CivicActions Security Policy accessible here: which has also been uploaded to CSAM as ''Appendix J1 - System Rules of Behavior - Privileged User'' (CivicActions Security Policy 20190226.docx).' -#### a + + ##### Project @@ -151,6 +169,7 @@ Project has created and made readily available to individuals requiring access t Project has reviewed and accepted as a superset alternative the CivicActions Acceptable Use Policy. + #### b ##### Contractor @@ -158,13 +177,15 @@ Project has reviewed and accepted as a superset alternative the CivicActions Acc CivicActions HR receives a signed acknowledgment from all employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. The text of the electronically signed (via DocuSign) acknowledgment document has been uploaded to CSAM as artifact: ''CivicActions Security Policy Acknowledgement.docx'' -#### b + + ##### Project The Project System Owner receives a signed acknowledgment from such individuals that are not CivicActions employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. + #### c ##### Contractor 
@@ -172,13 +193,15 @@ The Project System Owner receives a signed acknowledgment from such individuals CivicActions reviews the CivicActions Security Policy at least annually and updates as required. -#### c + + ##### Project Project reviews the Rules of Behavior at least annually and updates it as required. + #### d ##### Contractor @@ -186,8 +209,36 @@ Project reviews the Rules of Behavior at least annually and updates it as requir CivicActions requires individuals who have signed a previous version of the CivicActions Security Policy to read and re-sign when any part of it, including the Acceptable Use Policy/Rules of Behavior, is revised/updated. -#### d + + ##### Project Project requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the Rules of Behavior are revised/updated. + + + +### PL-4 (1): Social Media and External Site/application Usage Restrictions + +```text +Include in the rules of behavior, restrictions on: + - (a) Use of social media, social networking sites, and external sites/applications; + - (b) Posting organizational information on public websites; and + - (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. + +``` +**Status:** incomplete +### PL-10: Baseline Selection + +```text +Select a control baseline for the system. + +``` +**Status:** incomplete +### PL-11: Baseline Tailoring + +```text +Tailor the selected control baseline by applying specified tailoring actions. + +``` +**Status:** incomplete diff --git a/docs/controls/PS.md b/docs/controls/PS.md index 69f1fc4..753d192 100644 --- a/docs/controls/PS.md +++ b/docs/controls/PS.md @@ -2,7 +2,7 @@ ## PS: Personnel Security -### PS-1: Personnel Security Policy And Procedures +### PS-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 
@@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -26,6 +26,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor CivicActions has developed, documented and disseminated to personnel a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in CivicActions Personnel Security (PS) Policy document that can be found in the CivicActions GitHub repository at . @@ -33,6 +34,7 @@ CivicActions has developed, documented and disseminated to personnel a personnel + ##### Project The Project documents the security policy and procedures in addressing position categorization, personnel screening, personnel termination, personnel transfer, and access agreements within the Project SSP. Project adopts the Client personnel security standards and determines position risks levels based on public trust responsibilities. @@ -40,6 +42,7 @@ The Project documents the security policy and procedures in addressing position This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + ### PS-2: Position Risk Designation ```text 
@@ -55,14 +58,19 @@ This is Agency common control. More data about implementation can be obtained fr Project position sensitivity levels are assigned by the Client Full Name. Each position designation is documented on the Standard Position Description (SPD) and assigned a risk level (or sensitivity level) commensurate with the sensitivity of the information, the risk to that information and the system maintaining that information. The levels of risk still need to be designated by Client for employee and contractor positions but since Project system does not have any sensitive data, a low risk scenario can be assumed. -- Employee risk levels and background investigations are: Low Risk= NACI, Moderate Risk= LBI, High Risk= BI. -- Contractor risk levels and background investigations are: Low Risk= NACI, Moderate Risk= NACC, High Risk= BI. +- Employee risk levels and background investigations are: Low Risk= NACI, Moderate Risk= LBI, + High Risk= BI. + +- Contractor risk levels and background investigations are: Low Risk= NACI, Moderate Risk= NACC, + High Risk= BI. + In order to ensure every employee is assigned to a position, which has been reviewed for sensitivity by the NCC, the SPD is a required data attribute of an employee’s HR record. Position risks designations are reviewed and revised when NCC or OPM publish changes to sensitivity levels. This is Agency common control. More data about implementation can be obtained from the Agency common control catalog + #### a ##### Contractor @@ -70,6 +78,7 @@ This is Agency common control. More data about implementation can be obtained fr Risk designations are assigned to all CivicActions positions. The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to assign risk designations. + #### b ##### Contractor 
@@ -77,6 +86,7 @@ Risk designations are assigned to all CivicActions positions. The CivicActions O The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to establish screening criteria for all CivicActions positions. + #### c ##### Contractor @@ -84,6 +94,7 @@ The CivicActions Office of Human Resources works in coordination with the CivicA At least every three (3) years, the CivicActions Office of Human Resources reviews and revises position risk designations. If the Office of Human Resources determines that significant changes must be made to the position risk descriptions the Office of Human Resources works in coordination with the CivicActions Security Office to implement changes as required. + ### PS-3: Personnel Screening ```text @@ -101,6 +112,7 @@ Minimum background investigations are conducted, since all data is non-sensitive This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + #### a ##### Contractor 
@@ -108,11 +120,13 @@ This is Agency common control. More data about implementation can be obtained fr Prospective CivicActions employees undergo background checks commensurate with the individual’s job duties, the classification of the information they will access, and the risks associated with the role. At the discretion of the CivicActions Security Office, these checks may also be conducted on contractors and/or third party users in cases where they will have access to application data that is not meant to be consumed by the public. In these instances, the Security Office will instruct the Office of Human Resources to conduct a background check before granting access to the information system. + #### b ##### Contractor -Rescreening is conducted as required by the individual’s job duties, the classification of the information they will access, and the risks associated with the role. A basic background check is performed for all CivicActions employees. +Re screening is conducted as required by the individual’s job duties, the classification of the information they will access, and the risks associated with the role. A basic background check is performed for all CivicActions employees. + ### PS-4: Personnel Termination 
@@ -136,12 +150,14 @@ Client Full Name HR policy states that managers or designated officials are resp This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + #### a ##### Contractor Information system access is terminated immediately upon the voluntary or involuntary departure of an employee. In the case of involuntary departure, in addition to immediate termination of system access, at no point is a departing employee allowed access to any part of the CivicActions infrastructure. -In the case of voluntary departure, employees are permitted access to the information system for the duration of their offboarding period. The departing employee’s manager is responsible for informing the Information Technology department when the employee offboarding period concludes. At this time system and facility, access is terminated. +In the case of voluntary departure, employees are permitted access to the information system for the duration of their off-boarding period. The departing employee’s manager is responsible for informing the Information Technology department when the employee off-boarding period concludes. At this time system and facility, access is terminated. + #### b @@ -151,6 +167,7 @@ In the case of voluntary departure, employees are permitted access to the inform The terminated user’s accounts are disabled and all access associated with the individual is revoked. + #### c ##### Contractor @@ -158,6 +175,7 @@ The terminated user’s accounts are disabled and all access associated with the The employee's manager or the Office of Human Resources conducts exit interviews with all employees who leave CivicActions voluntarily. There is a general discussion about the process of turning in any/all company-issued devices, laptops, etc. + #### d ##### Contractor 
@@ -166,6 +184,7 @@ CivicActions employees provide their own equipment that must be hardened to secu Some employees may receive company-issued hardware for working on particular projects. These items are collected before the employee exits CivicActions. In the case of an involuntary termination, the Office of Human Resources works to collect company-issued devices and provides paperwork highlighting confidential protections for customers. + #### e ##### Contractor @@ -173,6 +192,7 @@ Some employees may receive company-issued hardware for working on particular pro Access to CivicActions information and information systems is always shared so that the termination of an individual will not prevent CivicActions from having access to needed resources. + #### f ##### Contractor @@ -180,6 +200,7 @@ Access to CivicActions information and information systems is always shared so t When a person is terminated, a standard off-boarding process is used to notify management and CivicActions' Operations staff, and to track the process of disabling access to the information system/information system components. The CivicActions Operations staff and Security Office are given at least four hours notice to schedule the deactivation of access upon termination. Deactivation is a manual process that is tracked via a Trello card in order to meet the four hour turnaround time before termination. + ### PS-5: Personnel Transfer ```text @@ -201,6 +222,7 @@ In accordance with the Client Full Name HR policy, the employee’s manager or d This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + #### a ##### Contractor 
@@ -208,6 +230,7 @@ This is Agency common control. More data about implementation can be obtained fr When an employee, third party personnel and/or contractor is transferred to a new project or position within CivicActions, they may maintain access to the previous system they were working on in order to facilitate the process of maintenance and knowledge transfer. However, as part of the practices of account management (AC-2) and least privilege (AC-6), regular audits of privileged users are conducted and access privileges may be removed when no longer needed. Additionally, adherence to specific client SLAs may enhance the frequency of such audits or the timeliness of privilege removal during personnel transfer. + #### b ##### Contractor @@ -215,6 +238,7 @@ When an employee, third party personnel and/or contractor is transferred to a ne When an employee, third party personnel and/or contractor is transferred to a new position within CivicActions and there is a requirement for access change, such access changes are normally completed within five business days. + #### c ##### Contractor @@ -222,6 +246,7 @@ When an employee, third party personnel and/or contractor is transferred to a ne Access authorizations are modified as needed to coincide with changes in duties or operational needs upon personnel transfer or reassignment. + #### d ##### Contractor @@ -229,6 +254,7 @@ Access authorizations are modified as needed to coincide with changes in duties CivicActions Operations staff is informed of transfers that require access authorization modifications within five business days by the Project Manager, System Owner or Office of Human Resources. + ### PS-6: Access Agreements ```text @@ -247,6 +273,7 @@ CivicActions Operations staff is informed of transfers that require access autho All users of the Project system must read and accept access agreements upon every login. + #### b ##### Project 
@@ -254,6 +281,7 @@ All users of the Project system must read and accept access agreements upon ever The Access Agreements are reviewed at least annually or when a significant change occurs. + #### c ##### Project @@ -261,7 +289,8 @@ The Access Agreements are reviewed at least annually or when a significant chang All individuals requiring access to the Project system are required to sign the Access Agreements before login is granted. When the Access Agreements are updated, the individual will be required to sign the new copy before regaining access. -### PS-7: Third-Party Personnel Security + +### PS-7: External Personnel Security ```text - a. Establish personnel security requirements, including security roles and responsibilities for external providers; @@ -279,6 +308,7 @@ All individuals requiring access to the Project system are required to sign the Personnel security requirements including security roles and responsibilities that apply to primary contracting organizations flow down to their subcontractors. + #### b ##### Project @@ -286,6 +316,7 @@ Personnel security requirements including security roles and responsibilities th Personnel security policies and procedures that apply to primary contracting organizations flow down to their subcontractors. + #### c ##### Project @@ -293,6 +324,7 @@ Personnel security policies and procedures that apply to primary contracting org All personnel security requirements are documented in PS-1 and other related Personnel Security controls. + #### d ##### Project @@ -300,6 +332,7 @@ All personnel security requirements are documented in PS-1 and other related Per For personnel transfers and terminations of third-party personnel, the procedures defined in employee termination (PS-4) and employee transfer (PS-5) flow down to subcontractors. + #### e ##### Project 
@@ -307,6 +340,7 @@ For personnel transfers and terminations of third-party personnel, the procedure Compliance measures for assessing third-party personnel and/or contractors are determined on a case-by-case basis. Third-party personnel are monitored to ensure compliance with personnel security requirements. + ### PS-8: Personnel Sanctions ```text @@ -322,6 +356,7 @@ Compliance measures for assessing third-party personnel and/or contractors are d The disciplinary sanctions for personnel failing to comply with establish IT security policies and procedures are included in Client Full Name HR policy. If an employee violates the Client information security policies and procedures, the employee may be subject to disciplinary action at the discretion of management. Actions may range from verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation. Disciplinary sanctions are reported to the OCIO. + #### a ##### Contractor @@ -329,8 +364,19 @@ The disciplinary sanctions for personnel failing to comply with establish IT sec The CivicActions Security Office and/or the Office of Human Resources is responsible for determining and enforcing sanctions for failing to comply with established information security policies and procedures. Coaching may be considered prior to sanctions. Sanctions may include but are not limited to written warnings, reduction in system access, demotion, or termination. + #### b ##### Contractor When employee sanctions processes are initiated, the Office of Human Resources notifies the respective Project Manager(s) and CivicActions' Security Office within five business days. + + + +### PS-9: Position Descriptions + +```text +Incorporate security and privacy roles and responsibilities into organizational position descriptions. + +``` +**Status:** incomplete diff --git a/docs/controls/RA.md b/docs/controls/RA.md index 563c385..f0d8e3d 100644 
--- a/docs/controls/RA.md +++ b/docs/controls/RA.md @@ -2,7 +2,7 @@ ## RA: Risk Assessment -### RA-1: Risk Assessment Policy And Procedures +### RA-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -16,7 +16,7 @@ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. ``` -**Status:** In Place +**Status:** complete ##### AWS @@ -26,6 +26,7 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Contractor CivicActions has developed, documented and disseminated to personnel a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Risk Assessment (RA) Policy and Procedure that can be found in the CivicActions GitHub repository at . @@ -33,6 +34,7 @@ CivicActions has developed, documented and disseminated to personnel a risk asse + ##### Project The Client follows the risk assessment policy and procedures formally documented within None. Furthermore, a Risk Assessment Plan was originally initiated to determine the extent of the potential threat and the risk associated with Project throughout its System Development Life Cycle (SDLC). The Project Risk Assessment defines the methodology approach to determine the likelihood risks, and identify potential mitigation options to reduce risks to the Project system. @@ -42,6 +44,7 @@ The Project Risk Assessment will be conducted in accordance with the Department This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + ### RA-2: Security Categorization ```text 
@@ -58,6 +61,7 @@ This is Agency common control. More data about implementation can be obtained fr In accordance with FIPS 199 requirement and guidelines provided in NIST SP800-60 Rev.1, the organization categorized the system as a Low system: Confidentiality (Low), Integrity (Low), Availability (Low). + #### b ##### Project @@ -65,6 +69,7 @@ In accordance with FIPS 199 requirement and guidelines provided in NIST SP800-60 The security categorization was determined by evaluating the type of information that is stored, processed, and/or transmitted by the application and the potential impact levels associated with the confidentiality, integrity, and availability of that information. The application’s security categorization has been documented in this SSP. + #### c ##### Project @@ -72,6 +77,7 @@ The security categorization was determined by evaluating the type of information The security categorizations have been reviewed by the designated application POCs, were approved during the C&A effort. The formal security categorization document is available upon request. The system inventory for the Project Project is revalidated semiannually. + ### RA-3: Risk Assessment ```text @@ -94,6 +100,7 @@ The security categorizations have been reviewed by the designated application PO CivicActions/Project will perform risk assessments for the Project system based on SP 800-30 Rev. 1 Guide for Conducting Risk Assessments at least annually and as part of the change management activities for the Project system that warrant a new or updated risk assessment. + #### b ##### Project @@ -101,6 +108,7 @@ CivicActions/Project will perform risk assessments for the Project system based The results of risk assessments will be compiled into a risk assessment report to be reviewed by CivicActions Security and relevant personnel, and also added to the GitLab system for the Project system. + #### c ##### Project 
@@ -109,6 +117,7 @@ CivicActions/Project reviews risk assessment results at least annually. + #### d ##### Project @@ -118,6 +127,7 @@ personnel through the Project Manager and CivicActions Security. + #### e ##### Project @@ -132,7 +142,16 @@ A significant change includes: - Adding new interconnections to an outside service provide. -### RA-5: Vulnerability Scanning + +### RA-3 (1): Supply Chain Risk Assessment + +```text + - (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and + - (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. + +``` +**Status:** incomplete +### RA-5: Vulnerability Monitoring and Scanning ```text - a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; @@ -146,7 +165,7 @@ A significant change includes: - f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. ``` -**Status:** In Place +**Status:** partial ##### AWS @@ -156,11 +175,13 @@ The system partially inherits this control from the FedRAMP Provisional ATO gran + ##### Project The Project uses vulnerability scanning software to document and determine risks to the system. These scans are run monthly and the results of these scans are being used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. + #### a ##### Contractor 
@@ -173,6 +194,7 @@ CivicActions Operations uses vulnerability scanning software to document and det CivicActions Operations has automated the process to perform the scans on a monthly basis. The resulting reports list vulnerabilities and rank them by severity. These reports are stored in Amazon S3 buckets and are used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. + #### b ##### Contractor @@ -180,6 +202,7 @@ CivicActions Operations has automated the process to perform the scans on a mont CivicActions employs the automated vulnerability scanning tools OpenSCAP and OWASP ZAP which are interoperable with standard web browsers, the Open Source Ansible infrastructure provisioning system and other Open Source tools. + #### c ##### Contractor @@ -187,6 +210,7 @@ CivicActions employs the automated vulnerability scanning tools OpenSCAP and OWA The CivicActions Security Office reviews all vulnerabilities identified from automated scans and security assessments. "False positive" findings are documented and may be tailored out. Vulnerabilities found and deemed legitimate are assigned an impact rating and response time thought creation of an issue or ticket. The CivicActions Operations staff reviews current scans and compare with older scans to identify trends and to verify previous vulnerabilities have been mitigated. + #### d ##### Contractor 
@@ -199,8 +223,33 @@ Identified and reported vulnerabilities are assigned an impact rating and respon - Low - Within 180 days of discovery + #### e ##### Contractor Results of the vulnerability scans and security assessments are shared with all appropriate CivicActions personnel supporting continuous monitoring requirements. CivicActions Security assigns each vulnerability an impact rating and response time through JIRA or the Git issue tool for tracking to the established remediation deadlines listed in RA-5(d). + + + +### RA-5 (2): Update Vulnerabilities to Be Scanned + +```text +Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency], prior to a new scan, when new vulnerabilities are identified and reported]. + +``` +**Status:** incomplete +### RA-5 (11): Public Disclosure Program + +```text +Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. + +``` +**Status:** incomplete +### RA-7: Risk Response + +```text +Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. + +``` +**Status:** incomplete diff --git a/docs/controls/SA.md b/docs/controls/SA.md index 87699d4..7414be0 100644 --- a/docs/controls/SA.md +++ b/docs/controls/SA.md @@ -2,7 +2,7 @@ ## SA: System and Services Acquisition -### SA-1: System And Services Acquisition Policy And Procedures +### SA-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -26,6 +26,7 @@ CivicActions has developed, documented and disseminated to personnel a system an + ##### Project The Project complies with the None. The Project will identify new threats/vulnerabilities and technologies that may require updating of solicitation documents. 
@@ -33,7 +34,8 @@ The Project complies with the None. The Project will identify new threats/vulner This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. -### SA-2: Allocation Of Resources + +### SA-2: Allocation of Resources ```text - a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; @@ -53,6 +55,7 @@ Security costs are included in Exhibit 53 in the Department's on-line electronic Costs for providing security at the infrastructure level are contained in the business cases for infrastructure supporting computing platforms, desktop processing, the network environment, and web capability. Since the Exhibit 53 includes projections for multiple fiscal years, its intention is to identify and anticipate security resources required. + #### a ##### Contractor @@ -60,6 +63,7 @@ Costs for providing security at the infrastructure level are contained in the bu CivicActions' Security Office, in collaboration with the System Owner, act and/or meet on a pre-determined basis to determine information system security requirements and to develop implementation budgets and plans. + #### b ##### Contractor @@ -67,6 +71,7 @@ CivicActions' Security Office, in collaboration with the System Owner, act and/o The CivicActions Security Office, in collaboration with the System Owner, determines, designates, documents, and allocates the resources required to protect the system as part of its capital planning and investment control processes. + #### c ##### Contractor 
@@ -74,6 +79,7 @@ The CivicActions Security Office, in collaboration with the System Owner, determ The annual budget developed by the System Owner includes explicit budgetary line items for FISMA security requirements. Additional security-related expenditures that fall outside of explicit compliance requirements are addressed in sub-lines under the CivicActions Information Technology budget. + ### SA-3: System Development Life Cycle ```text 
@@ -91,32 +97,75 @@ The annual budget developed by the System Owner includes explicit budgetary line The Project draws from the None, NIST SP 800-64, and Agile software development methodology to ensure security requirements are incorporated during each phase of the life cycle. This helps to ensure the development of secure systems and effective risk management. + #### a ##### Contractor The system and application(s) are managed by CivicActions using the Agile software development methodology, which provides a continuous System Development Life Cycle (SDLC) methodology. CivicActions Agile management continues to improve the software through ongoing planned code releases. The process is overseen by the Change Control Board (CCB) as described in CM-1. Each point release introduces code and configuration changes to the website through the following SDLC methodology: -- Code release planning: A code release ticket is created in the Change Request project of the CivicActions ticketing system which describes the overall goals of the code release. The code release ticket is linked to other tickets in the ticketing system which describe issues to be addressed by the planned code release. Those issues may include bug fixes and feature enhancements as well as upgrades to newer versions of the software packages that have been used to build the website. -- Sprints: The tickets covered by the planned code release are then implemented through a series of planned sprints, each of which typically lasts two weeks. Each sprint begins with a sprint planning session at which the CCB selects a list of tickets to be implemented. CivicActions Development holds daily coordination meetings throughout the sprint to share information and resolve any problems that may be blocking progress toward completion. At the end of the sprint, a retrospective is performed in which progress is reviewed to determine which issues have been resolved and which need further work. 
-- Development/unit testing: Work on each ticket is performed within a separate code branch within the CivicActions Git repository, and tested using the GitLab Runner continuous integration platform. Developers also write unit tests to prove their code behaves as expected and address security considerations such as information leakage, bounds checking, and input validation. Once work on a ticket is completed, the developer creates a merge request, and the changes are submitted to at least one other developer for review to ensure they meet functional requirements and address security considerations before the pull request is merged into the Git repository's development branch for the planned code release. -- Integration testing: Once all work tickets have been completed, the code and configuration necessary to implement the changes are merged into the website's staging server, where it undergoes additional testing to ensure there are no conflicts between the work that has been done on individual tickets. -- User acceptance testing (UAT): The code release undergoes manual testing against a checklist of expected site behaviors and options each of the website's defined user roles to further verify that the functional changes work as expected and to identify any changes in user experience that need to be documented in release notes to be shared with the customer. -- Approval for deployment: After all the planned code release has passed all of the above tests, the code release is scheduled for deployment to production and presented to CivicActions' Change Control Board (CCB) for review and approval. -- Deployment to production: A full backup of the website is performed immediately prior to the deployment. -- Security scan: After the deployment to production, the website undergoes a security scan using a web vulnerability scanner. 
+- Code release planning: A code release ticket is created in the Change Request project of the + CivicActions ticketing system which describes the overall goals of the code release. + The code release ticket is linked to other tickets in the ticketing system which describe issues to + be addressed by the planned code release. Those issues may include bug fixes and feature enhancements + as well as upgrades to newer versions of the software packages that have been used to build the + website. + +- Sprints: The tickets covered by the planned code release are then implemented through a series of + planned sprints, each of which typically lasts two weeks. Each sprint begins with a sprint planning + session at which the CCB selects a list of tickets to be implemented. CivicActions + Development holds daily coordination meetings throughout the sprint to share information and resolve + any problems that may be blocking progress toward completion. At the end of the sprint, a + retrospective is performed in which progress is reviewed to determine which issues have been + resolved and which need further work. + +- Development/unit testing: Work on each ticket is performed within a separate code branch within the + CivicActions Git repository, and tested using the GitLab Runner continuous integration + platform. Developers also write unit tests to prove their code behaves as expected and address security + considerations such as information leakage, bounds checking, and input validation. Once work on a + ticket is completed, the developer creates a merge request, and the changes are submitted to at least + one other developer for review to ensure they meet functional requirements and address security + considerations before the pull request is merged into the Git repository's development branch for the + planned code release. 
+ +- Integration testing: Once all work tickets have been completed, the code and configuration necessary + to implement the changes are merged into the website's staging server, where it undergoes additional + testing to ensure there are no conflicts between the work that has been done on individual tickets. + +- User acceptance testing (UAT): The code release undergoes manual testing against a checklist of + expected site behaviors and options each of the website's defined user roles to further verify that + the functional changes work as expected and to identify any changes in user experience that need to + be documented in release notes to be shared with the customer. + +- Approval for deployment: After all the planned code release has passed all of the above tests, the + code release is scheduled for deployment to production and presented to CivicActions' + Change + Control Board (CCB) for review and approval. + +- Deployment to production: A full backup of the website is performed immediately prior to the + deployment. + +- Security scan: After the deployment to production, the website undergoes a security scan using a web + vulnerability scanner. 
Security issues to be addressed in the planned code release may come from a variety of sources: - Customer support requests received by the CivicActions Help Desk - Security concerns, incidents, and site performance issues reported by users -- Security incident reports, including server log analysis and root cause analysis of those incidents performed by the CivicActions Security Office and Operations staff -- Security notifications received by the CivicActions Security Office from external security teams and other software vendors -- Vulnerabilities detected during security scans of the website performed by the CivicActions Security Office +- Security incident reports, including server log analysis and root cause analysis of those incidents + performed by the CivicActions Security Office and Operations staff + +- Security notifications received by the CivicActions Security Office from external + security teams and other software vendors + +- Vulnerabilities detected during security scans of the website performed by the + CivicActions Security Office + - Issues reported by the CivicActions Security Office, Operations staff and Development - Security issues reported through continuous monitoring + #### b ##### Contractor 
@@ -124,21 +173,39 @@ The system and application(s) are managed by CivicActions using the Agile softwa The CivicActions organization defines and documents information security roles and responsibilities throughout the SDLC. The following teams participate in this process: - Customer Support: Files tickets when incidents are reported and shares incident reports with customers -- The CivicActions Security Office: Receives security notifications from the Drupal security team and other software vendors; performs security scans; uses CivicActions JIRA ticketing system to request mitigation of all reported vulnerabilities -- CivicActions Development: Performs server log analysis when security incidents are reported; assists in root cause analysis -- Change Control Board: Meets weekly to review and approve upcoming planned code changes to the website, include security-related code releases. -- AWS Cloud: Monitors server and application events; proactively respond to security incidents, and reports incidents to CivicActions -- Users: Communicates customer security requirements and expectations, and alerts the CivicActions customer support team whenever it detects a security or site performance issue +- The CivicActions Security Office: Receives security notifications from the Drupal security + team and other software vendors; performs security scans; uses CivicActions JIRA ticketing + system to request mitigation of all reported vulnerabilities + +- CivicActions Development: Performs server log analysis when security incidents are + reported; assists in root cause analysis + +- Change Control Board: Meets weekly to review and approve upcoming planned code changes to the website, + include security-related code releases. 
+ +- AWS Cloud: Monitors server and application events; proactively respond to security incidents, and + reports incidents to CivicActions + +- Users: Communicates customer security requirements and expectations, and alerts the + CivicActions customer support team whenever it detects a security or site performance + issue + Security responsibilities performed by these teams include the following: -- Perform configuration management during information system design, development, implementation, and operation; +- Perform configuration management during information system design, development, implementation, and + operation; + - Implement only organization-approved changes; - Document approved changes; - Manage and control changes to the system; -- Fully test all changes, taking into account security considerations as well as other functional requirements; +- Fully test all changes, taking into account security considerations as well as other functional + requirements; + - Track security flaws and flaw resolution; and -- Employ code analysis tools to examine software for common flaws and document the results of the analysis. +- Employ code analysis tools to examine software for common flaws and document the results of the + analysis. + #### c @@ -148,6 +215,7 @@ Security responsibilities performed by these teams include the following: Each of the CivicActions teams described in SA-3(b) has a team leader who is responsible for defining the roles and responsibilities of individual personnel members within that team. CivicActions uses role-based management for access and authentication implementation and enforcement. + #### d ##### Contractor 
@@ -155,6 +223,7 @@ Each of the CivicActions teams described in SA-3(b) has a team leader who is res The CivicActions organization integrates the organizational information security risk management process into system development life cycle activities by requiring that the processes defined in SA-3(a) and (b) above are adhered to by all information system developers and associated security personnel. + ### SA-4: Acquisition Process ```text @@ -186,6 +255,7 @@ Configuration and design of the development and production environments are host + ##### Project The Project follows the guidelines and procedures within the overarching None. The requirements in the information system acquisition contract permit updating security controls as new threat/vulnerabilities are identified and new technologies are implemented. @@ -195,13 +265,14 @@ The Project System and Services Acquisition Policy contains the process for dete The Project organization reviews and approves all acquisition contracts in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. -### SA-4 (10): Use Of Approved Piv Products + +### SA-4 (10): Use of Approved PIV Products ```text Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. ``` -**Status:** incomplete +**Status:** None ##### Project @@ -211,7 +282,8 @@ CivicActions/Project and AWS describes this control as “not applicable”, as It is the responsibility of CivicActions for implementation of PIV capability for authentication as required. -### SA-5: Information System Documentation + +### SA-5: System Documentation ```text - a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 
@@ -226,7 +298,7 @@ It is the responsibility of CivicActions for implementation of PIV capability fo - d. Distribute documentation to [Assignment: organization-defined personnel or roles]. ``` -**Status:** partial +**Status:** complete ##### Project @@ -241,23 +313,26 @@ Client maintains adequate documentation for the Project system. The Project syst etc.) + #### a ##### AWS In this architecture, documentation of the infrastructure configuration in the form of AWS CloudFormation templates in JSON or YAML format, architecture diagrams, deployment user guide and security controls implementation details is included. -AWS built-in features include online documentation for management of the infrastructure at http://aws.amazon.com/documentation/ +AWS built-in features include online documentation for management of the infrastructure at + + -#### a ##### Contractor Some application features are built on a custom basis and are not part of standard FOSS packages. Administrator documentation for those custom features is maintained in the CivicActions Git repository documentation system. -#### a + + ##### Ilias 
@@ -267,28 +342,30 @@ Public documentation related to Ilias is maintained by the Ilias Association and - known vulnerabilities regarding configuration and use of administrative functions; + #### b ##### AWS -AWS built-in features include online documentation of AWS services at http://aws.amazon.com/documentation/ +AWS built-in features include online documentation of AWS services at 1. AWS built-in features include online documentation for AWS account users at - http://aws.amazon.com/documentation/ such as user Guides, API reference guides, CLI + such as user Guides, API reference guides, CLI reference guides and developer reference guides to provide information on how to effectively use security functions. 2. AWS built-in features include online documentation for AWS account users within the - infrastructure at http://aws.amazon.com/documentation/ such as user Guides, API + infrastructure at such as user Guides, API reference guides, CLI reference guides and developer reference guides to provide information on how to access AWS services and components in a more secure manner. 3. AWS built-in features include online documentation for AWS account users at - https://aws.amazon.com/security/security-resources/ that provides information + that provides information related to security responsibilities of customers using AWS services. -#### b + + ##### Contractor @@ -299,7 +376,8 @@ CivicActions follows the user documentation standard practice to provide context The CivicActions Customer Support team, described in control SA-3(b), handles questions about how to use the system. Questions are submitted by sending an email to support@civicactions.com, which triggers the creation of a ticket in the CivicActions customer support ticketing system. -#### b + + ##### Ilias 
@@ -311,6 +389,7 @@ The public documentation at Ilias.de contains user documentation for the informa - user responsibilities in maintaining the security of the system, component, or service; + #### c ##### Contractor @@ -318,12 +397,14 @@ The public documentation at Ilias.de contains user documentation for the informa If the information needed to answer a question is not already included in the website's public-facing documentation, a ticket is created to determine whether the question is sufficiently general in nature to warrant adding the answer to the website's documentation. -#### c + + ##### Ilias As a popular and well-used and maintained free and open source (FOSS) project, in the event that sought after documentation is not available on Ilias.de, it can usually be found in one of the many forums, mailing lists or Stack Exchange sites covering Ilias and its many contributed modules. + #### d ##### AWS 
@@ -331,40 +412,60 @@ As a popular and well-used and maintained free and open source (FOSS) project, i AWS built-in features include online documentation that is protected by AWS from unauthorized modification or deletion within AWS system. -#### d + + ##### Contractor All administrator documentation is housed in a protected Git repository. User documentation is publicly available. -#### d + + ##### Ilias The Ilias.de documentation is multi-sourced on GitHub and private repositories. + #### e ##### AWS -AWS built-in features include online documentation located at http://aws.amazon.com/documentation/ that is publicly available. +AWS built-in features include online documentation located at that is publicly available. + + -#### e ##### Contractor As needed and approved by the CivicActions Security Office, documentation is available to appropriate personnel by granting access to the private Git repository. -#### e + + ##### Ilias As the Ilias.de documentation is publicly available, there is no need to provide distribution mechanisms. -### SA-9: External Information System Services + +### SA-8: Security and Privacy Engineering Principles + +```text +Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles]. + +``` +**Status:** incomplete +### SA-8 (33): Minimization + +```text +Implement the privacy principle of minimization using [Assignment: organization-defined processes]. + +``` +**Status:** incomplete +### SA-9: External System Services ```text - a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; 
@@ -382,6 +483,7 @@ CivicActions does not have any dedicated interconnections between information sy + ##### Project Project does not have any dedicated interconnections between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing, or transmitting federal agency data. diff --git a/docs/controls/SC.md b/docs/controls/SC.md index e3c8475..4c42167 100644 --- a/docs/controls/SC.md +++ b/docs/controls/SC.md @@ -2,7 +2,7 @@ ## SC: System and Communications Protection -### SC-1: System And Communications Protection Policy And Procedures +### SC-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: @@ -26,13 +26,15 @@ CivicActions has developed, documented and disseminated to personnel a system an + ##### Project System and communications protection policy and procedures are formally documented in the None and the Project SSP. The Department reviews and updates the policy as necessary and has been continually updated since April 2008. This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. -### SC-5: Denial Of Service Protection + +### SC-5: Denial-of-service Protection ```text - a. [Selection: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and 
@@ -48,18 +50,21 @@ Drupal has a manual ability to block IP addresses in cases where attacks bypass + ##### Ilias Ilias has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations. + ##### Project The Project system is configured to reduce vulnerabilities in its operating system and applications to protect against Denial of Service (DoS) attacks. The Project support staff ensures the system is protected against or limits the effect of DoS attacks as specified in the None. + ### SC-7: Boundary Protection ```text @@ -68,7 +73,7 @@ The Project support staff ensures the system is protected against or limits the - c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. ``` -**Status:** partial +**Status:** complete ##### Drupal @@ -78,17 +83,20 @@ Drupal, when deployed on SELinux in full enforcing mode, minimizes the number of + ##### Ilias Ilias, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Ilias employs both the AWS platform safeguards and the Ilias logging in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. + ##### Project The Project system has monitored and controlled communications at the external boundary of the information system and at key internal boundaries within the system, where appropriate. The Project allocates publicly accessible information system components (e.g., public web servers) specific IP address and port combinations. Public access into the organization’s internal networks is prevented except as appropriately mediated. + #### a ##### AWS 
@@ -96,6 +104,7 @@ The Project system has monitored and controlled communications at the external b In this architecture, network communications to, from, and between VPCs, subnets and Amazon S3 buckets are controlled as follows: AWS Route Tables specify which subnets in each VPC are accessible through gateways and which are isolated/private. AWS Security Groups provide stateful inbound/outbound port/protocol restrictions, Amazon Simple Storage Service (Amazon S3) buckets support access control restrictions based on network source/destination. + #### b ##### AWS @@ -103,6 +112,7 @@ In this architecture, network communications to, from, and between VPCs, subnets In this architecture, subnetworks for publicly accessible system components are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs. + #### c ##### AWS @@ -110,13 +120,14 @@ In this architecture, subnetworks for publicly accessible system components are In this architecture, connection to external networks is possible only through Internet Gateways (IGWs) or NAT gateways (in regions where supported by AWS VPC) and are restricted based on ports/protocols via AWS Security groups, and default subnet rules provided by NACLs. -### SC-12: Cryptographic Key Establishment And Management + +### SC-12: Cryptographic Key Establishment and Management ```text Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. ``` -**Status:** partial +**Status:** none ##### AWS 
@@ -126,11 +137,13 @@ In this architecture, initial private/public SSH keys stored in Identity and Acc + ##### Project Use of cryptographic key management for the Project system is in use for at the time of implementation for authentication. CivicActions utilizes customer agency supplied PIV credentials for access to customer instances of the Project. Access enforcement and authentication requirements for Project are described in AC-2 & IA-2. AWS platform does not utilize or manage cryptographic keys within the ACE boundary. + ### SC-13: Cryptographic Protection ```text @@ -138,7 +151,7 @@ Use of cryptographic key management for the Project system is in use for at the - b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. ``` -**Status:** partial +**Status:** none ##### AWS @@ -150,17 +163,21 @@ AWS built-in features employ TLS for AWS Management Console sessions, AWS API ca + ##### Contractor The information system implements: -- Cryptographic modules through Secure Shell (SSH) to allow administrators to securely logon to the various system components +- Cryptographic modules through Secure Shell (SSH) to allow administrators to securely logon to the + various system components + - HTTPS/SSL (TLS) for connection to web-based services - TLS for connection to email services - AES-256 (FIPS 140-2 validated) for data at rest (with Elastic Block Store (EBS) volumes) -### SC-15: Collaborative Computing Devices + +### SC-15: Collaborative Computing Devices and Applications ```text - a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and 
@@ -176,14 +193,15 @@ This control is not applicable, as the Project system does employ any collaborative computing devices. -### SC-20: Secure Name / Address Resolution Service + +### SC-20: Secure Name/address Resolution Service (authoritative Source) ```text - a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and - b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. ``` -**Status:** incomplete +**Status:** None ##### Contractor @@ -191,13 +209,14 @@ employ any collaborative computing devices. The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (authoritative source) -### SC-21: Secure Name / Address Resolution Service + +### SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver) ```text Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. ``` -**Status:** incomplete +**Status:** None ##### Contractor 
@@ -205,7 +224,8 @@ Request and perform data origin authentication and data integrity verification o The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (recursive or caching resolver) -### SC-22: Architecture And Provisioning For Name / Address Resolution Service + +### SC-22: Architecture and Provisioning for Name/address Resolution Service ```text Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. @@ -218,13 +238,14 @@ Ensure the systems that collectively provide name/address resolution service for + ### SC-39: Process Isolation ```text Maintain a separate execution domain for each executing system process. ``` -**Status:** partial +**Status:** none ##### AWS @@ -236,6 +257,7 @@ AWS built-in features of the hypervisors that support the infrastructure maintai + ##### Contractor Process isolation is maintained on the Linux platform. Linux is the only operating system that is part of the boundary. diff --git a/docs/controls/SI.md b/docs/controls/SI.md index daf3794..e4c55ce 100644 --- a/docs/controls/SI.md +++ b/docs/controls/SI.md @@ -2,7 +2,7 @@ ## SI: System and Information Integrity -### SI-1: System And Information Integrity Policy And Procedures +### SI-1: Policy and Procedures ```text - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 
@@ -26,6 +26,7 @@ CivicActions has developed, documented and disseminated to personnel a system an + ##### Project System and information integrity policy and procedures for the Project system are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to physical and environmental protection systems. The Project system support staff monitors the network on a daily basis and employs up-to-date patches to protect the integrity of the system. @@ -35,6 +36,7 @@ Additional information is contained within the None. This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + ### SI-2: Flaw Remediation ```text @@ -44,13 +46,14 @@ This is Agency common control. More data about implementation can be obtained fr - d. Incorporate flaw remediation into the organizational configuration management process. ``` -**Status:** complete +**Status:** None ##### Ilias Ilias contains built-in security status monitoring of the core application and contributed modules. + #### a ##### Contractor @@ -66,6 +69,7 @@ Identification of information system security flaws are detected as early as pos Any security issues found are ticketed through JIRA and/or the Git issue queue. CivicActions Operations staff prioritizes high findings. Changes made to correct the information system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB as implemented in CM-3. + #### b ##### Contractor 
@@ -73,6 +77,7 @@ Any security issues found are ticketed through JIRA and/or the Git issue queue. CivicActions testing of the system as a result of security flaw remediation is done through a development environment through the use of internal software and automated testing that ensures the system is working as intended. When a change is made by a developer, testing though a peer review is conducted as part of the Change Request process to ensure the correct analysis is completed. Then the changed code is tested in an automatic test environment as described in the Configuration Management Plan (CMP). Tracking of the testing is documented in JIRA and/or the Git issue queue. + #### c ##### Contractor @@ -80,6 +85,7 @@ CivicActions testing of the system as a result of security flaw remediation is d CivicActions security-software updates are tested prior to implementation on production. The CivicActions Security framework for installation requires updates to be made within 30 days for high vulnerabilities, 90 days for moderate vulnerabilities, and 240 for low vulnerabilities. An issue ticket is created to track any updates made to the system. + #### d ##### Contractor @@ -87,6 +93,7 @@ CivicActions security-software updates are tested prior to implementation on pro Flaw remediation is part of the CivicActions configuration management process. Any security issues found are ticketed through JIRA or the Git issue queue. The CivicActions Security Office prioritizes the high findings within the application. Changes made to correct the system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB Chair as implemented in CM-3. + ### SI-3: Malicious Code Protection ```text 
@@ -106,6 +113,7 @@ Flaw remediation is part of the CivicActions configuration management process. A Virus scans are performed by ClamAV, a server-hosted tool protecting the application from Trojans, Viruses and other malicious cyber-threats. Real-time scans are conducted whenever files are uploaded from any external source and malicious code is blocked or quarantined when detected. All file-based traffic traversing the server is sanitized before being delivered. All input form text is validated and sanitized. + #### b ##### Contractor @@ -113,6 +121,7 @@ Virus scans are performed by ClamAV, a server-hosted tool protecting the applica Anti-virus definitions and malicious code protection mechanisms are configured and updated automatically on a nightly basis. + #### c ##### Contractor @@ -120,6 +129,7 @@ Anti-virus definitions and malicious code protection mechanisms are configured a CivicActions Operations staff receives information system security alerts, advisories, and notifications in response to malicious code detection. These messages are sent to group email distribution lists to ensure all members of the team receive the proper information in a timely manner. + #### d ##### Contractor @@ -127,7 +137,8 @@ CivicActions Operations staff receives information system security alerts, advis False positives during malicious code detection and eradication are dealt with on a case by case basis. Potential impacts on the availability of the information system are detailed in a false positive report depending on if the report is for the OS, database or web application. -### SI-4: Information System Monitoring + +### SI-4: System Monitoring ```text - a. Monitor the system to detect: @@ -162,6 +173,7 @@ CivicActions systems use a collection of monitoring systems, including: - OpsGenie - a slack/email/text/phone incident escalation tool + #### b ##### Contractor 
@@ -169,12 +181,14 @@ CivicActions systems use a collection of monitoring systems, including: Logs from the systems described in SI-4(a) are sent to the CivicActions SIEM tool for analysis. These logs can identify unauthorized use of the information system. + #### c ##### Contractor Monitoring and log collection occur throughout the system. + #### d ##### Contractor @@ -182,6 +196,7 @@ Monitoring and log collection occur throughout the system. The Configuration Management process, remote log gathering, and SELinux MAC protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. + #### e ##### Contractor @@ -189,6 +204,7 @@ The Configuration Management process, remote log gathering, and SELinux MAC prot In the event of a performance score lower than CivicActions standards, a notification is sent to the CivicActions Security Office. CivicActions subscribes to security mailing lists in the event the monitoring activity is required based on law enforcement information, intelligence information, or other credible sources of information. + #### f ##### Contractor @@ -196,6 +212,7 @@ In the event of a performance score lower than CivicActions standards, a notific Internal legal counsel is utilized as required when system notifications indicate such action based on user and/or malicious activity. Legal counsel is engaged for any actions that may necessitate increased user monitoring or evidence/forensic actions. + #### g ##### Contractor 
@@ -203,7 +220,8 @@ Internal legal counsel is utilized as required when system notifications indicat System alerts generated by CivicActions internal monitors (StatusCake, OSSEC, ClamAV, others) are sent to the Incident Response team via OpsGenie. -### SI-5: Security Alerts, Advisories, And Directives + +### SI-5: Security Alerts, Advisories, and Directives ```text - a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; @@ -221,11 +239,13 @@ CivicActions Security and Operations receive Ilias Security Advisories on a regu + ##### Project Project representatives and system administrators receive alerts from US-CERT on a regular basis. Support personnel take appropriate action in response to relevant areas of concern. + #### a ##### Contractor @@ -238,6 +258,7 @@ The CivicActions Security Office and Operations staff receive the following secu - Drupal Security Advisories + #### b ##### Contractor @@ -245,6 +266,7 @@ The CivicActions Security Office and Operations staff receive the following secu CivicActions utilizes StatusCake for front line monitoring for real time system status and events of the application. StatusCake can feed to the OpsGenie incident escalation system. + #### c ##### Contractor @@ -252,6 +274,7 @@ CivicActions utilizes StatusCake for front line monitoring for real time system The CivicActions Security Office disseminates security alerts, advisories, and directives to all CivicActions internal personnel and client personnel as directed. + #### d ##### Contractor 
@@ -259,7 +282,8 @@ The CivicActions Security Office disseminates security alerts, advisories, and d The CivicActions Security Office is responsible for ensuring the dissemination and implementation of relevant security alerts and advisories. -### SI-12: Information Output Handling And Retention + +### SI-12: Information Management and Retention ```text Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. 
@@ -275,6 +299,39 @@ The CivicActions organization retains all information, system-related informatio + ##### Project Project representatives and systems administrators receive annual training from Client regarding information assurance and information handling requirements. These personnel are required to operate the system and handle system data and output in accordance with legal requirements. Personnel training and system guidelines ensure that data and programs are handled appropriately. + + + +### SI-12 (1): Limit Personally Identifiable Information Elements + +```text +Limit personally identifiable information being processed in the information life cycle to the following elements of PII: [Assignment: organization-defined elements of personally identifiable information]. + +``` +**Status:** incomplete +### SI-12 (2): Minimize Personally Identifiable Information in Testing, Training, and Research + +```text +Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques]. + +``` +**Status:** incomplete +### SI-12 (3): Information Disposal + +```text +Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques]. + +``` +**Status:** incomplete +### SI-18: Personally Identifiable Information Quality Operations + +```text + - a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and + - b. Correct or delete inaccurate or outdated personally identifiable information. + +``` +**Status:** incomplete diff --git a/docs/responsibility_matrix.csv b/docs/responsibility_matrix.csv index 3165cf8..7d60186 100644 --- a/docs/responsibility_matrix.csv +++ b/docs/responsibility_matrix.csv 
@@ -2,6 +2,7 @@ Control,Status,AWS,Contractor,Drupal,Ilias,Project,SSH
 AC-1,complete,,Hybrid,,,Hybrid,
 AC-2,complete,Shared,Hybrid,Hybrid,Hybrid,Hybrid,Hybrid
 AC-3,complete,Shared,,Hybrid,Hybrid,Hybrid,
+AC-3 (14),,,,,,,
 AC-7,complete,,,Hybrid,,Hybrid,
 AC-8,partial,,,,Hybrid,Hybrid,
 AC-14,complete,,,System Specific Control,System Specific Control,System Specific Control,
@@ -9,11 +10,13 @@ AC-17,complete,,Hybrid,,,Inherited (Cloud Service Provider),
 AC-18,complete,,Inherited (Cloud Service Provider),,,,
 AC-19,complete,,Inherited (Cloud Service Provider),,,,
 AC-20,complete,,Inherited (Cloud Service Provider),,,,
+AC-21,,,,,,,
 AC-22,complete,,,,,System Specific Control,
 AT-1,complete,,Hybrid,,,Hybrid,
 AT-2,complete,,Hybrid,,,Hybrid,
 AT-2 (2),,,,,,,
 AT-3,complete,,Hybrid,,,Hybrid,
+AT-3 (5),,,,,,,
 AT-4,complete,,Hybrid,,,Hybrid,
 AU-1,complete,,Hybrid,,,Hybrid,
 AU-2,none,Shared,Hybrid,Hybrid,Hybrid,,
@@ -50,14 +53,16 @@ CP-9,partial,Shared,Hybrid,,,,
 CP-10,partial,,Hybrid,,,,
 IA-1,partial,,Hybrid,,,Hybrid,
 IA-2,partial,Shared,,,,,
-IA-2 (1),,,,,,,
-IA-2 (2),,,,,,,
-IA-2 (8),,,,,,,
-IA-2 (12),,,,,,,
+IA-2 (1),complete,,Hybrid,Hybrid,,Hybrid,
+IA-2 (2),,,,,,,
+IA-2 (8),,,,,,,
+IA-2 (12),none,,,,,Hybrid,
 IA-4,partial,,Hybrid,Hybrid,Hybrid,,
+IA-5,partial,,Hybrid,Hybrid,Hybrid,Hybrid,
 IA-5 (1),partial,Shared,,Hybrid,Hybrid,Hybrid,
 IA-6,complete,Shared,,System Specific Control,System Specific Control,,
 IA-7,complete,Shared,Hybrid,System Specific Control,System Specific Control,,
+IA-8,partial,Shared,,,,,
 IA-8 (1),none,,,,,Hybrid,
 IA-8 (2),none,,,,,Hybrid,
 IA-8 (4),none,,,,,Hybrid,
@@ -93,6 +98,31 @@ PL-4,complete,,Hybrid,,,Hybrid,
 PL-4 (1),,,,,,,
 PL-10,,,,,,,
 PL-11,,,,,,,
+PM-3,,,,,,,
+PM-4,,,,,,,
+PM-5,,,,,,,
+PM-5 (1),,,,,,,
+PM-6,,,,,,,
+PM-7,,,,,,,
+PM-8,,,,,,,
+PM-9,,,,,,,
+PM-10,,,,,,,
+PM-11,,,,,,,
+PM-13,,,,,,,
+PM-14,,,,,,,
+PM-17,,,,,,,
+PM-18,,,,,,,
+PM-19,,,,,,,
+PM-20,,,,,,,
+PM-20 (1),,,,,,,
+PM-21,,,,,,,
+PM-22,,,,,,,
+PM-24,,,,,,,
+PM-25,,,,,,,
+PM-26,,,,,,,
+PM-27,,,,,,,
+PM-28,,,,,,,
+PM-31,,,,,,,
 PS-1,complete,Hybrid,Hybrid,,,Hybrid,
 PS-2,complete,,Hybrid,,,Hybrid,
 PS-3,complete,,Hybrid,,,Hybrid,
@@ -102,6 +132,19 @@ PS-6,complete,,,,,Hybrid,
 PS-7,complete,,,,,Hybrid,
 PS-8,complete,,Hybrid,,,Hybrid,
 PS-9,,,,,,,
+PT-1,,,,,,,
+PT-2,,,,,,,
+PT-3,,,,,,,
+PT-4,,,,,,,
+PT-5,,,,,,,
+PT-5 (2),,,,,,,
+PT-6,,,,,,,
+PT-6 (1),,,,,,,
+PT-6 (2),,,,,,,
+PT-7,,,,,,,
+PT-7 (1),,,,,,,
+PT-7 (2),,,,,,,
+PT-8,,,,,,,
 RA-1,complete,Hybrid,Hybrid,,,Hybrid,
 RA-2,complete,,,,,Hybrid,
 RA-3,complete,,,,,Hybrid,
@@ -114,11 +157,11 @@ SA-1,complete,,Hybrid,,,Hybrid,
 SA-2,complete,,Hybrid,,,Hybrid,
 SA-3,complete,,Hybrid,,,Hybrid,
 SA-4,complete,,Hybrid,,,Hybrid,
-SA-4 (10),,,,,,,
+SA-4 (10),,,,,,Hybrid,
 SA-5,complete,Shared,Hybrid,,Hybrid,Hybrid,
 SA-8,,,,,,,
+SA-8 (33),,,,,,,
 SA-9,complete,,Hybrid,,,Hybrid,
-SA-22,,,,,,,
 SC-1,complete,,Hybrid,,,Hybrid,
 SC-5,complete,,,Hybrid,Hybrid,Hybrid,
 SC-7,complete,Shared,,Hybrid,Hybrid,Hybrid,
@@ -135,6 +178,10 @@ SI-3,complete,,Hybrid,,,,
 SI-4,complete,,Hybrid,,,,
 SI-5,complete,,Hybrid,,Hybrid,Hybrid,
 SI-12,complete,,Hybrid,,,Hybrid,
+SI-12 (1),,,,,,,
+SI-12 (2),,,,,,,
+SI-12 (3),,,,,,,
+SI-18,,,,,,,
 SR-1,,,,,,,
 SR-2,,,,,,,
 SR-2 (1),,,,,,,
diff --git a/keys/status.yaml b/keys/status.yaml
index 8b59800..36596e0 100644
--- a/keys/status.yaml
+++ b/keys/status.yaml
@@ -1,5 +1,5 @@ # This work is dual-licensed under Creative Commons Zero v1.0 Universal and GNU General Public License v3.0 or later. -# The file containts example code. Replace the values with information that is pertinent to your project. +# The file contains example code. Replace the values with information that is pertinent to your project. # Based off Table D-2: SECURITY CONTROL BASELINES # in NIST 800-53 # Current as of 2018-JUNE-2018 diff --git a/poetry.lock b/poetry.lock index 0a36377..04143dd 100644 --- a/poetry.lock +++ b/poetry.lock @@ -24,13 +24,13 @@ trio = ["trio (>=0.23)"] [[package]] name = "argcomplete" -version = "3.4.0" +version = "3.5.0" description = "Bash tab completion for argparse" optional = false python-versions = ">=3.8" files = [ - {file = "argcomplete-3.4.0-py3-none-any.whl", hash = "sha256:69a79e083a716173e5532e0fa3bef45f793f4e61096cf52b5a42c0211c8b8aa5"}, - {file = "argcomplete-3.4.0.tar.gz", hash = "sha256:c2abcdfe1be8ace47ba777d4fce319eb13bf8ad9dace8d085dcad6eded88057f"}, + {file = "argcomplete-3.5.0-py3-none-any.whl", hash = "sha256:d4bcf3ff544f51e16e54228a7ac7f486ed70ebf2ecfe49a63a91171c76bf029b"}, + {file = "argcomplete-3.5.0.tar.gz", hash = "sha256:4349400469dccfb7950bb60334a680c58d88699bff6159df61251878dc6bf74b"}, ] [package.extras] 
@@ -38,13 +38,13 @@ test = ["coverage", "mypy", "pexpect", "ruff", "wheel"] [[package]] name = "attrs" -version = "24.1.0" +version = "24.2.0" description = "Classes Without Boilerplate" optional = false python-versions = ">=3.7" files = [ - {file = "attrs-24.1.0-py3-none-any.whl", hash = "sha256:377b47448cb61fea38533f671fba0d0f8a96fd58facd4dc518e3dac9dbea0905"}, - {file = "attrs-24.1.0.tar.gz", hash = "sha256:adbdec84af72d38be7628e353a09b6a6790d15cd71819f6e9d7b0faa8a125745"}, + {file = "attrs-24.2.0-py3-none-any.whl", hash = "sha256:81921eb96de3191c8258c199618104dd27ac608d9366f5e35d011eae1867ede2"}, + {file = "attrs-24.2.0.tar.gz", hash = "sha256:5cfb1b9148b5b086569baec03f20d7b6bf3bcacc9a42bebf87ffaaca362f6346"}, ] [package.extras] 
@@ -165,63 +165,78 @@ files = [ [[package]] name = "cffi" -version = "1.16.0" +version = "1.17.0" description = "Foreign Function Interface for Python calling C code." optional = false python-versions = ">=3.8" files = [ - {file = "cffi-1.16.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088"}, - {file = "cffi-1.16.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9"}, - {file = "cffi-1.16.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673"}, - {file = "cffi-1.16.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896"}, - {file = "cffi-1.16.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684"}, - {file = "cffi-1.16.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7"}, - {file = "cffi-1.16.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614"}, - {file = "cffi-1.16.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743"}, - {file = "cffi-1.16.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d"}, - {file = "cffi-1.16.0-cp310-cp310-win32.whl", hash = "sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a"}, - {file = "cffi-1.16.0-cp310-cp310-win_amd64.whl", hash = "sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1"}, - {file = "cffi-1.16.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = 
"sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404"}, - {file = "cffi-1.16.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417"}, - {file = "cffi-1.16.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627"}, - {file = "cffi-1.16.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936"}, - {file = "cffi-1.16.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d"}, - {file = "cffi-1.16.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56"}, - {file = "cffi-1.16.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e"}, - {file = "cffi-1.16.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc"}, - {file = "cffi-1.16.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb"}, - {file = "cffi-1.16.0-cp311-cp311-win32.whl", hash = "sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab"}, - {file = "cffi-1.16.0-cp311-cp311-win_amd64.whl", hash = "sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba"}, - {file = "cffi-1.16.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956"}, - {file = "cffi-1.16.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e"}, - {file = 
"cffi-1.16.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e"}, - {file = "cffi-1.16.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2"}, - {file = "cffi-1.16.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357"}, - {file = "cffi-1.16.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6"}, - {file = "cffi-1.16.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969"}, - {file = "cffi-1.16.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520"}, - {file = "cffi-1.16.0-cp312-cp312-win32.whl", hash = "sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b"}, - {file = "cffi-1.16.0-cp312-cp312-win_amd64.whl", hash = "sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235"}, - {file = "cffi-1.16.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc"}, - {file = "cffi-1.16.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0"}, - {file = "cffi-1.16.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b"}, - {file = "cffi-1.16.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c"}, - {file = 
"cffi-1.16.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b"}, - {file = "cffi-1.16.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324"}, - {file = "cffi-1.16.0-cp38-cp38-win32.whl", hash = "sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a"}, - {file = "cffi-1.16.0-cp38-cp38-win_amd64.whl", hash = "sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36"}, - {file = "cffi-1.16.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed"}, - {file = "cffi-1.16.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2"}, - {file = "cffi-1.16.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872"}, - {file = "cffi-1.16.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8"}, - {file = "cffi-1.16.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f"}, - {file = "cffi-1.16.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4"}, - {file = "cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098"}, - {file = "cffi-1.16.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000"}, - {file = "cffi-1.16.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = 
"sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe"}, - {file = "cffi-1.16.0-cp39-cp39-win32.whl", hash = "sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4"}, - {file = "cffi-1.16.0-cp39-cp39-win_amd64.whl", hash = "sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8"}, - {file = "cffi-1.16.0.tar.gz", hash = "sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0"}, + {file = "cffi-1.17.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb"}, + {file = "cffi-1.17.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = 
"sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f"}, + {file = "cffi-1.17.0-cp310-cp310-win32.whl", hash = "sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc"}, + {file = "cffi-1.17.0-cp310-cp310-win_amd64.whl", hash = "sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2"}, + {file = "cffi-1.17.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720"}, + {file = "cffi-1.17.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb"}, + {file = "cffi-1.17.0-cp311-cp311-win32.whl", hash = 
"sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9"}, + {file = "cffi-1.17.0-cp311-cp311-win_amd64.whl", hash = "sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0"}, + {file = "cffi-1.17.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc"}, + {file = "cffi-1.17.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150"}, + {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a"}, + {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885"}, + {file = "cffi-1.17.0-cp312-cp312-win32.whl", hash = "sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492"}, + {file = "cffi-1.17.0-cp312-cp312-win_amd64.whl", hash = "sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2"}, + {file = "cffi-1.17.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = 
"sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118"}, + {file = "cffi-1.17.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f"}, + {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0"}, + {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4"}, + {file = "cffi-1.17.0-cp313-cp313-win32.whl", hash = "sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a"}, + {file = "cffi-1.17.0-cp313-cp313-win_amd64.whl", hash = "sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7"}, + {file = "cffi-1.17.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e"}, + {file = 
"cffi-1.17.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c"}, + {file = "cffi-1.17.0-cp38-cp38-win32.whl", hash = "sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499"}, + {file = "cffi-1.17.0-cp38-cp38-win_amd64.whl", hash = "sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c"}, + {file = "cffi-1.17.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2"}, + {file = "cffi-1.17.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4"}, + {file = "cffi-1.17.0-cp39-cp39-win32.whl", hash = "sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb"}, + {file = "cffi-1.17.0-cp39-cp39-win_amd64.whl", hash = "sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29"}, + {file = "cffi-1.17.0.tar.gz", hash = "sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76"}, ] [package.dependencies] @@ -424,13 +439,13 @@ test-randomorder = ["pytest-randomly"] [[package]] name = "datamodel-code-generator" -version = "0.25.8" +version = "0.25.9" description = "Datamodel Code Generator" optional = false python-versions = "<4.0,>=3.7" files = [ - {file = "datamodel_code_generator-0.25.8-py3-none-any.whl", hash = "sha256:f9b216efad84d8dcb517273d2728875b6052b7e8dc4e5c13a597441cef236f6e"}, - {file = "datamodel_code_generator-0.25.8.tar.gz", hash = "sha256:b7838122b8133dae6e46f36a1cf25c0ccc66745da057988f490d00ab71121de7"}, + {file = "datamodel_code_generator-0.25.9-py3-none-any.whl", hash = "sha256:9e0324233123d6e39a35bc0004771956935889a974aacfd7a0651de11d2219a9"}, + {file = "datamodel_code_generator-0.25.9.tar.gz", hash = "sha256:65ca9807d8edbd88a7f7931c10f4bc1c08bd9bbc5bb0508418a2b6a16590eb65"}, ] [package.dependencies] 
@@ -858,64 +873,68 @@ six = ">=1.8.0" [[package]] name = "orjson" -version = "3.10.6" +version = "3.10.7" description = "Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy" optional = false python-versions = ">=3.8" files = [ - {file = "orjson-3.10.6-cp310-cp310-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:fb0ee33124db6eaa517d00890fc1a55c3bfe1cf78ba4a8899d71a06f2d6ff5c7"}, - {file = "orjson-3.10.6-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9c1c4b53b24a4c06547ce43e5fee6ec4e0d8fe2d597f4647fc033fd205707365"}, - {file = "orjson-3.10.6-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:eadc8fd310edb4bdbd333374f2c8fec6794bbbae99b592f448d8214a5e4050c0"}, - {file = "orjson-3.10.6-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:61272a5aec2b2661f4fa2b37c907ce9701e821b2c1285d5c3ab0207ebd358d38"}, - {file = "orjson-3.10.6-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:57985ee7e91d6214c837936dc1608f40f330a6b88bb13f5a57ce5257807da143"}, - {file = "orjson-3.10.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:633a3b31d9d7c9f02d49c4ab4d0a86065c4a6f6adc297d63d272e043472acab5"}, - {file = "orjson-3.10.6-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:1c680b269d33ec444afe2bdc647c9eb73166fa47a16d9a75ee56a374f4a45f43"}, - {file = "orjson-3.10.6-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:f759503a97a6ace19e55461395ab0d618b5a117e8d0fbb20e70cfd68a47327f2"}, - {file = "orjson-3.10.6-cp310-none-win32.whl", hash = "sha256:95a0cce17f969fb5391762e5719575217bd10ac5a189d1979442ee54456393f3"}, - {file = "orjson-3.10.6-cp310-none-win_amd64.whl", hash = "sha256:df25d9271270ba2133cc88ee83c318372bdc0f2cd6f32e7a450809a111efc45c"}, - {file = "orjson-3.10.6-cp311-cp311-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = 
"sha256:b1ec490e10d2a77c345def52599311849fc063ae0e67cf4f84528073152bb2ba"}, - {file = "orjson-3.10.6-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:55d43d3feb8f19d07e9f01e5b9be4f28801cf7c60d0fa0d279951b18fae1932b"}, - {file = "orjson-3.10.6-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac3045267e98fe749408eee1593a142e02357c5c99be0802185ef2170086a863"}, - {file = "orjson-3.10.6-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c27bc6a28ae95923350ab382c57113abd38f3928af3c80be6f2ba7eb8d8db0b0"}, - {file = "orjson-3.10.6-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d27456491ca79532d11e507cadca37fb8c9324a3976294f68fb1eff2dc6ced5a"}, - {file = "orjson-3.10.6-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:05ac3d3916023745aa3b3b388e91b9166be1ca02b7c7e41045da6d12985685f0"}, - {file = "orjson-3.10.6-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1335d4ef59ab85cab66fe73fd7a4e881c298ee7f63ede918b7faa1b27cbe5212"}, - {file = "orjson-3.10.6-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:4bbc6d0af24c1575edc79994c20e1b29e6fb3c6a570371306db0993ecf144dc5"}, - {file = "orjson-3.10.6-cp311-none-win32.whl", hash = "sha256:450e39ab1f7694465060a0550b3f6d328d20297bf2e06aa947b97c21e5241fbd"}, - {file = "orjson-3.10.6-cp311-none-win_amd64.whl", hash = "sha256:227df19441372610b20e05bdb906e1742ec2ad7a66ac8350dcfd29a63014a83b"}, - {file = "orjson-3.10.6-cp312-cp312-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:ea2977b21f8d5d9b758bb3f344a75e55ca78e3ff85595d248eee813ae23ecdfb"}, - {file = "orjson-3.10.6-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b6f3d167d13a16ed263b52dbfedff52c962bfd3d270b46b7518365bcc2121eed"}, - {file = "orjson-3.10.6-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = 
"sha256:f710f346e4c44a4e8bdf23daa974faede58f83334289df80bc9cd12fe82573c7"}, - {file = "orjson-3.10.6-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7275664f84e027dcb1ad5200b8b18373e9c669b2a9ec33d410c40f5ccf4b257e"}, - {file = "orjson-3.10.6-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0943e4c701196b23c240b3d10ed8ecd674f03089198cf503105b474a4f77f21f"}, - {file = "orjson-3.10.6-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:446dee5a491b5bc7d8f825d80d9637e7af43f86a331207b9c9610e2f93fee22a"}, - {file = "orjson-3.10.6-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:64c81456d2a050d380786413786b057983892db105516639cb5d3ee3c7fd5148"}, - {file = "orjson-3.10.6-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:960db0e31c4e52fa0fc3ecbaea5b2d3b58f379e32a95ae6b0ebeaa25b93dfd34"}, - {file = "orjson-3.10.6-cp312-none-win32.whl", hash = "sha256:a6ea7afb5b30b2317e0bee03c8d34c8181bc5a36f2afd4d0952f378972c4efd5"}, - {file = "orjson-3.10.6-cp312-none-win_amd64.whl", hash = "sha256:874ce88264b7e655dde4aeaacdc8fd772a7962faadfb41abe63e2a4861abc3dc"}, - {file = "orjson-3.10.6-cp313-none-win32.whl", hash = "sha256:efdf2c5cde290ae6b83095f03119bdc00303d7a03b42b16c54517baa3c4ca3d0"}, - {file = "orjson-3.10.6-cp313-none-win_amd64.whl", hash = "sha256:8e190fe7888e2e4392f52cafb9626113ba135ef53aacc65cd13109eb9746c43e"}, - {file = "orjson-3.10.6-cp38-cp38-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:66680eae4c4e7fc193d91cfc1353ad6d01b4801ae9b5314f17e11ba55e934183"}, - {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:caff75b425db5ef8e8f23af93c80f072f97b4fb3afd4af44482905c9f588da28"}, - {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3722fddb821b6036fd2a3c814f6bd9b57a89dc6337b9924ecd614ebce3271394"}, - {file = 
"orjson-3.10.6-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c2c116072a8533f2fec435fde4d134610f806bdac20188c7bd2081f3e9e0133f"}, - {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6eeb13218c8cf34c61912e9df2de2853f1d009de0e46ea09ccdf3d757896af0a"}, - {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:965a916373382674e323c957d560b953d81d7a8603fbeee26f7b8248638bd48b"}, - {file = "orjson-3.10.6-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:03c95484d53ed8e479cade8628c9cea00fd9d67f5554764a1110e0d5aa2de96e"}, - {file = "orjson-3.10.6-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:e060748a04cccf1e0a6f2358dffea9c080b849a4a68c28b1b907f272b5127e9b"}, - {file = "orjson-3.10.6-cp38-none-win32.whl", hash = "sha256:738dbe3ef909c4b019d69afc19caf6b5ed0e2f1c786b5d6215fbb7539246e4c6"}, - {file = "orjson-3.10.6-cp38-none-win_amd64.whl", hash = "sha256:d40f839dddf6a7d77114fe6b8a70218556408c71d4d6e29413bb5f150a692ff7"}, - {file = "orjson-3.10.6-cp39-cp39-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:697a35a083c4f834807a6232b3e62c8b280f7a44ad0b759fd4dce748951e70db"}, - {file = "orjson-3.10.6-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fd502f96bf5ea9a61cbc0b2b5900d0dd68aa0da197179042bdd2be67e51a1e4b"}, - {file = "orjson-3.10.6-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:f215789fb1667cdc874c1b8af6a84dc939fd802bf293a8334fce185c79cd359b"}, - {file = "orjson-3.10.6-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a2debd8ddce948a8c0938c8c93ade191d2f4ba4649a54302a7da905a81f00b56"}, - {file = "orjson-3.10.6-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5410111d7b6681d4b0d65e0f58a13be588d01b473822483f77f513c7f93bd3b2"}, - {file = "orjson-3.10.6-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:bb1f28a137337fdc18384079fa5726810681055b32b92253fa15ae5656e1dddb"}, - {file = "orjson-3.10.6-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:bf2fbbce5fe7cd1aa177ea3eab2b8e6a6bc6e8592e4279ed3db2d62e57c0e1b2"}, - {file = "orjson-3.10.6-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:79b9b9e33bd4c517445a62b90ca0cc279b0f1f3970655c3df9e608bc3f91741a"}, - {file = "orjson-3.10.6-cp39-none-win32.whl", hash = "sha256:30b0a09a2014e621b1adf66a4f705f0809358350a757508ee80209b2d8dae219"}, - {file = "orjson-3.10.6-cp39-none-win_amd64.whl", hash = "sha256:49e3bc615652617d463069f91b867a4458114c5b104e13b7ae6872e5f79d0844"}, - {file = "orjson-3.10.6.tar.gz", hash = "sha256:e54b63d0a7c6c54a5f5f726bc93a2078111ef060fec4ecbf34c5db800ca3b3a7"}, + {file = "orjson-3.10.7-cp310-cp310-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:74f4544f5a6405b90da8ea724d15ac9c36da4d72a738c64685003337401f5c12"}, + {file = "orjson-3.10.7-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:34a566f22c28222b08875b18b0dfbf8a947e69df21a9ed5c51a6bf91cfb944ac"}, + {file = "orjson-3.10.7-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bf6ba8ebc8ef5792e2337fb0419f8009729335bb400ece005606336b7fd7bab7"}, + {file = "orjson-3.10.7-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ac7cf6222b29fbda9e3a472b41e6a5538b48f2c8f99261eecd60aafbdb60690c"}, + {file = "orjson-3.10.7-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:de817e2f5fc75a9e7dd350c4b0f54617b280e26d1631811a43e7e968fa71e3e9"}, + {file = "orjson-3.10.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:348bdd16b32556cf8d7257b17cf2bdb7ab7976af4af41ebe79f9796c218f7e91"}, + {file = "orjson-3.10.7-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:479fd0844ddc3ca77e0fd99644c7fe2de8e8be1efcd57705b5c92e5186e8a250"}, + {file = "orjson-3.10.7-cp310-cp310-musllinux_1_2_x86_64.whl", hash 
= "sha256:fdf5197a21dd660cf19dfd2a3ce79574588f8f5e2dbf21bda9ee2d2b46924d84"}, + {file = "orjson-3.10.7-cp310-none-win32.whl", hash = "sha256:d374d36726746c81a49f3ff8daa2898dccab6596864ebe43d50733275c629175"}, + {file = "orjson-3.10.7-cp310-none-win_amd64.whl", hash = "sha256:cb61938aec8b0ffb6eef484d480188a1777e67b05d58e41b435c74b9d84e0b9c"}, + {file = "orjson-3.10.7-cp311-cp311-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:7db8539039698ddfb9a524b4dd19508256107568cdad24f3682d5773e60504a2"}, + {file = "orjson-3.10.7-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:480f455222cb7a1dea35c57a67578848537d2602b46c464472c995297117fa09"}, + {file = "orjson-3.10.7-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8a9c9b168b3a19e37fe2778c0003359f07822c90fdff8f98d9d2a91b3144d8e0"}, + {file = "orjson-3.10.7-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8de062de550f63185e4c1c54151bdddfc5625e37daf0aa1e75d2a1293e3b7d9a"}, + {file = "orjson-3.10.7-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6b0dd04483499d1de9c8f6203f8975caf17a6000b9c0c54630cef02e44ee624e"}, + {file = "orjson-3.10.7-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b58d3795dafa334fc8fd46f7c5dc013e6ad06fd5b9a4cc98cb1456e7d3558bd6"}, + {file = "orjson-3.10.7-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:33cfb96c24034a878d83d1a9415799a73dc77480e6c40417e5dda0710d559ee6"}, + {file = "orjson-3.10.7-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:e724cebe1fadc2b23c6f7415bad5ee6239e00a69f30ee423f319c6af70e2a5c0"}, + {file = "orjson-3.10.7-cp311-none-win32.whl", hash = "sha256:82763b46053727a7168d29c772ed5c870fdae2f61aa8a25994c7984a19b1021f"}, + {file = "orjson-3.10.7-cp311-none-win_amd64.whl", hash = "sha256:eb8d384a24778abf29afb8e41d68fdd9a156cf6e5390c04cc07bbc24b89e98b5"}, + {file = 
"orjson-3.10.7-cp312-cp312-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:44a96f2d4c3af51bfac6bc4ef7b182aa33f2f054fd7f34cc0ee9a320d051d41f"}, + {file = "orjson-3.10.7-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:76ac14cd57df0572453543f8f2575e2d01ae9e790c21f57627803f5e79b0d3c3"}, + {file = "orjson-3.10.7-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bdbb61dcc365dd9be94e8f7df91975edc9364d6a78c8f7adb69c1cdff318ec93"}, + {file = "orjson-3.10.7-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b48b3db6bb6e0a08fa8c83b47bc169623f801e5cc4f24442ab2b6617da3b5313"}, + {file = "orjson-3.10.7-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:23820a1563a1d386414fef15c249040042b8e5d07b40ab3fe3efbfbbcbcb8864"}, + {file = "orjson-3.10.7-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a0c6a008e91d10a2564edbb6ee5069a9e66df3fbe11c9a005cb411f441fd2c09"}, + {file = "orjson-3.10.7-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:d352ee8ac1926d6193f602cbe36b1643bbd1bbcb25e3c1a657a4390f3000c9a5"}, + {file = "orjson-3.10.7-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:d2d9f990623f15c0ae7ac608103c33dfe1486d2ed974ac3f40b693bad1a22a7b"}, + {file = "orjson-3.10.7-cp312-none-win32.whl", hash = "sha256:7c4c17f8157bd520cdb7195f75ddbd31671997cbe10aee559c2d613592e7d7eb"}, + {file = "orjson-3.10.7-cp312-none-win_amd64.whl", hash = "sha256:1d9c0e733e02ada3ed6098a10a8ee0052dd55774de3d9110d29868d24b17faa1"}, + {file = "orjson-3.10.7-cp313-cp313-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:77d325ed866876c0fa6492598ec01fe30e803272a6e8b10e992288b009cbe149"}, + {file = "orjson-3.10.7-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9ea2c232deedcb605e853ae1db2cc94f7390ac776743b699b50b071b02bea6fe"}, + {file = 
"orjson-3.10.7-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:3dcfbede6737fdbef3ce9c37af3fb6142e8e1ebc10336daa05872bfb1d87839c"}, + {file = "orjson-3.10.7-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:11748c135f281203f4ee695b7f80bb1358a82a63905f9f0b794769483ea854ad"}, + {file = "orjson-3.10.7-cp313-none-win32.whl", hash = "sha256:a7e19150d215c7a13f39eb787d84db274298d3f83d85463e61d277bbd7f401d2"}, + {file = "orjson-3.10.7-cp313-none-win_amd64.whl", hash = "sha256:eef44224729e9525d5261cc8d28d6b11cafc90e6bd0be2157bde69a52ec83024"}, + {file = "orjson-3.10.7-cp38-cp38-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:6ea2b2258eff652c82652d5e0f02bd5e0463a6a52abb78e49ac288827aaa1469"}, + {file = "orjson-3.10.7-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:430ee4d85841e1483d487e7b81401785a5dfd69db5de01314538f31f8fbf7ee1"}, + {file = "orjson-3.10.7-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4b6146e439af4c2472c56f8540d799a67a81226e11992008cb47e1267a9b3225"}, + {file = "orjson-3.10.7-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:084e537806b458911137f76097e53ce7bf5806dda33ddf6aaa66a028f8d43a23"}, + {file = "orjson-3.10.7-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4829cf2195838e3f93b70fd3b4292156fc5e097aac3739859ac0dcc722b27ac0"}, + {file = "orjson-3.10.7-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1193b2416cbad1a769f868b1749535d5da47626ac29445803dae7cc64b3f5c98"}, + {file = "orjson-3.10.7-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:4e6c3da13e5a57e4b3dca2de059f243ebec705857522f188f0180ae88badd354"}, + {file = "orjson-3.10.7-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:c31008598424dfbe52ce8c5b47e0752dca918a4fdc4a2a32004efd9fab41d866"}, + {file = "orjson-3.10.7-cp38-none-win32.whl", hash = "sha256:7122a99831f9e7fe977dc45784d3b2edc821c172d545e6420c375e5a935f5a1c"}, + 
{file = "orjson-3.10.7-cp38-none-win_amd64.whl", hash = "sha256:a763bc0e58504cc803739e7df040685816145a6f3c8a589787084b54ebc9f16e"}, + {file = "orjson-3.10.7-cp39-cp39-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:e76be12658a6fa376fcd331b1ea4e58f5a06fd0220653450f0d415b8fd0fbe20"}, + {file = "orjson-3.10.7-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ed350d6978d28b92939bfeb1a0570c523f6170efc3f0a0ef1f1df287cd4f4960"}, + {file = "orjson-3.10.7-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:144888c76f8520e39bfa121b31fd637e18d4cc2f115727865fdf9fa325b10412"}, + {file = "orjson-3.10.7-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:09b2d92fd95ad2402188cf51573acde57eb269eddabaa60f69ea0d733e789fe9"}, + {file = "orjson-3.10.7-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5b24a579123fa884f3a3caadaed7b75eb5715ee2b17ab5c66ac97d29b18fe57f"}, + {file = "orjson-3.10.7-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e72591bcfe7512353bd609875ab38050efe3d55e18934e2f18950c108334b4ff"}, + {file = "orjson-3.10.7-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:f4db56635b58cd1a200b0a23744ff44206ee6aa428185e2b6c4a65b3197abdcd"}, + {file = "orjson-3.10.7-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:0fa5886854673222618638c6df7718ea7fe2f3f2384c452c9ccedc70b4a510a5"}, + {file = "orjson-3.10.7-cp39-none-win32.whl", hash = "sha256:8272527d08450ab16eb405f47e0f4ef0e5ff5981c3d82afe0efd25dcbef2bcd2"}, + {file = "orjson-3.10.7-cp39-none-win_amd64.whl", hash = "sha256:974683d4618c0c7dbf4f69c95a979734bf183d0658611760017f6e70a145af58"}, + {file = "orjson-3.10.7.tar.gz", hash = "sha256:75ef0640403f945f3a1f9f6400686560dbfb0fb5b16589ad62cd477043c4eee3"}, ] [[package]] 
@@ -1196,62 +1215,64 @@ files = [ [[package]] name = "pyyaml" -version = "6.0.1" +version = "6.0.2" description = "YAML parser and emitter for Python" optional = false -python-versions = ">=3.6" +python-versions = ">=3.8" files = [ - {file = "PyYAML-6.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a"}, - {file = "PyYAML-6.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"}, - {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"}, - {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"}, - {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"}, - {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"}, - {file = "PyYAML-6.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"}, - {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"}, - {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"}, - {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"}, - {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"}, - {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"}, - {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"}, - {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"}, - {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"}, - {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"}, - {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"}, - {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd"}, - {file = "PyYAML-6.0.1-cp36-cp36m-win32.whl", hash = "sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585"}, - {file = "PyYAML-6.0.1-cp36-cp36m-win_amd64.whl", hash = "sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa"}, - {file = "PyYAML-6.0.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c"}, - {file = "PyYAML-6.0.1-cp37-cp37m-win32.whl", hash = "sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba"}, - {file = "PyYAML-6.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867"}, - {file = "PyYAML-6.0.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"}, - {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"}, - {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"}, - {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"}, - {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"}, - {file = "PyYAML-6.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"}, - {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"}, - {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"}, - {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"}, - {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"}, + {file = 
"PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"}, + {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed"}, + {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180"}, + {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68"}, + {file = "PyYAML-6.0.2-cp310-cp310-win32.whl", hash = "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99"}, + {file = "PyYAML-6.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e"}, + {file = "PyYAML-6.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774"}, + {file = "PyYAML-6.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee"}, + {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c"}, + {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317"}, + {file = 
"PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85"}, + {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"}, + {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e"}, + {file = "PyYAML-6.0.2-cp311-cp311-win32.whl", hash = "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5"}, + {file = "PyYAML-6.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44"}, + {file = "PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab"}, + {file = "PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476"}, + {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48"}, + {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b"}, + {file = "PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4"}, + {file = "PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = 
"sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8"}, + {file = "PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba"}, + {file = "PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5"}, + {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc"}, + {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652"}, + {file = "PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183"}, + {file = "PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563"}, + {file = "PyYAML-6.0.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083"}, + {file = "PyYAML-6.0.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706"}, + {file = "PyYAML-6.0.2-cp38-cp38-win32.whl", hash = "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a"}, + {file = "PyYAML-6.0.2-cp38-cp38-win_amd64.whl", hash = "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff"}, + {file = "PyYAML-6.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d"}, + {file = "PyYAML-6.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19"}, + {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e"}, + {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725"}, + {file = "PyYAML-6.0.2-cp39-cp39-win32.whl", hash = "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631"}, + {file = "PyYAML-6.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8"}, + {file = "pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"}, ] [[package]] 
@@ -1452,4 +1473,4 @@ files = [ [metadata] lock-version = "2.0" python-versions = "^3.10" -content-hash = "5e023db282184c5d8d3138ac2a75f5d8e71ab69ef14e9201128df1188fab8750" +content-hash = "c7aae94528fddddaea2fcf85a9939b60e1830d63a00012865df235f1fe6c9e0d" diff --git a/pyproject.toml b/pyproject.toml index a4596e1..c090200 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,6 @@ packages = [ python = "^3.10" click = "^8.1.6" pyyaml = "^6.0.1" -pyyaml-include = "^1.3.1" jinja2 = "^3.1.2" md-toc = "^9.0.0" rtyaml = "^1.0.0" @@ -34,6 +33,7 @@ exportto = "tools.exportto.exportto:main" makefamilies = "tools.makefamilies.makefamilies:main" sop = "tools.sop.sop:main" makessp = "tools.makessp.makessp:main" +getconfig = "tools.helpers.config:check_config" [[tool.mypy.overrides]] module = "yaml" diff --git a/templates/components/Contractor/AC-ACCESS_CONTROL.yaml b/templates/components/Contractor/AC-ACCESS_CONTROL.yaml index 4389f3b..f39581d 100644 --- a/templates/components/Contractor/AC-ACCESS_CONTROL.yaml +++ b/templates/components/Contractor/AC-ACCESS_CONTROL.yaml @@ -15,7 +15,7 @@ satisfies: controls. This information is maintained in the {{contractor.name_short}} Access Control (AC) Policy. This document can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.AC_1.contractor}} + implementation_status: {{responsibility.AC_1.contractor}} - control_key: AC-2 control_name: ACCOUNT MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -75,7 +75,7 @@ satisfies: In accordance with standard security best practices and {{contractor.name_short}} policy, shared and reissued accounts for internal accounts of any kind are not created nor used for any purpose in any system. - implementation_status: {{status.AC_2.contractor}} + implementation_status: {{responsibility.AC_2.contractor}} - control_key: AC-17 control_name: REMOTE ACCESS standard_key: NIST SP 800-53 Revision 4 
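Review bot: The new `getconfig` script entry breaks the naming pattern of the `[tool.poetry.scripts]` block above it, where every other entry maps a script name to a tool module and function of the same name (`sop = "tools.sop.sop:main"`, `makessp = "tools.makessp.makessp:main"`), whereas `getconfig` points at `tools.helpers.config:check_config`. A reader looking for the `getconfig` command in the tree will not find a `getconfig` module, and the verb mismatch (get vs check) hides what the command does; consider `check_config = "tools.helpers.config:check_config"` or a one-line TOML comment above the entry, `# prints/validates the merged Config; lives in helpers, not its own tool dir`. The `pyyaml-include` removal in the first hunk is consistent with the lock-file `content-hash` change in this chunk; whether any remaining YAML still carries `!include` tags is not visible from this diff.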
@@ -86,7 +86,7 @@ satisfies: The {{contractor.name_short}} Access Control (AC) policy defines policy for remote usage restrictions. The Project Manager or System Owner may additionally provision users according to their Access Control policies. - implementation_status: {{status.AC_17.contractor}} + implementation_status: {{responsibility.AC_17.contractor}} - control_key: AC-18 control_name: WIRELESS ACCESS standard_key: NIST SP 800-53 Revision 4 @@ -96,7 +96,7 @@ satisfies: - text: > This control is not applicable. The system does not provide wireless access points. - implementation_status: {{status.AC_18.contractor}} + implementation_status: {{responsibility.AC_18.contractor}} - control_key: AC-19 control_name: ACCESS CONTROL FOR MOBILE DEVICES standard_key: NIST SP 800-53 Revision 4 @@ -106,7 +106,7 @@ satisfies: - text: > This control is not applicable. The system does not maintain a facility in which mobile device access limitations are required. - implementation_status: {{status.AC_19.contractor}} + implementation_status: {{responsibility.AC_19.contractor}} - control_key: AC-20 control_name: USE OF EXTERNAL INFORMATION SYSTEMS standard_key: NIST SP 800-53 Revision 4 @@ -116,4 +116,4 @@ satisfies: - text: > This control is not applicable. The system does not connect with external information systems. - implementation_status: {{status.AC_20.contractor}} + implementation_status: {{responsibility.AC_20.contractor}} diff --git a/templates/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml b/templates/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml index fe73b35..f8ab361 100644 --- a/templates/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml +++ b/templates/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml 
@@ -15,7 +15,7 @@ satisfies: controls. This information is maintained in the {{contractor.name_short}} Awareness and Training (AT) Policy. This document can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.AT_1.contractor}} + implementation_status: {{responsibility.AT_1.contractor}} summary: | {{contractor.name_short}} develops, documents, and disseminates Security Awareness Training policy and procedures. - control_key: AT-2 @@ -62,7 +62,7 @@ satisfies: - key: c text: | {{contractor.name_short}} provides annual security awareness training to its personnel. - implementation_status: {{status.AT_2.contractor}} + implementation_status: {{responsibility.AT_2.contractor}} summary: Initial security awareness training provided to all staff. - control_key: AT-3 control_name: ROLE-BASED SECURITY TRAINING @@ -91,7 +91,7 @@ satisfies: responsibilities role-based security training on an annual basis. The training is provided and tracked by the {{contractor.name_short}} Security Office. - implementation_status: {{status.AT_3.contractor}} + implementation_status: {{responsibility.AT_3.contractor}} summary: Role-based training provided prior to access to systems. - control_key: AT-4 control_name: SECURITY TRAINING RECORDS @@ -110,7 +110,7 @@ satisfies: text: > Training records are tracked and maintained by the {{contractor.name_short}} Security Office. Records are maintained permanently. - implementation_status: {{status.AT_4.contractor}} + implementation_status: {{responsibility.AT_4.contractor}} summary: > {{contractor.name_short}} Information Security Office tracks all security awareness training. diff --git a/templates/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/templates/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml index 3d8147e..e7125ff 100644 --- a/templates/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml 
+++ b/templates/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml @@ -16,7 +16,7 @@ satisfies: maintained in the {{contractor.name_short}} Audit and Accountability (AU) Policy. This document can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.AU_1.implentation_status}} + implementation_status: {{responsibility.AU_1.implentation_status}} - control_key: AU-2 control_name: AUDITABLE EVENTS standard_key: NIST SP 800-53 Revision 4 @@ -35,7 +35,7 @@ satisfies: with customers and partner organizations to identify and select auditable events. The teams that participate in this process are described in control SA-3(b). - implementation_status: {{status.AU_2.contractor}} + implementation_status: {{responsibility.AU_2.contractor}} summary: > {{contractor.name_short}}' Security Policy provides information about auditing and logging. @@ -48,7 +48,7 @@ satisfies: {{contractor.name_short}} ensures adequate storage capability requirements listed in AU-11 for all events from the application, database, and hosting environment. - implementation_status: {{status.AU_4.contractor}} + implementation_status: {{responsibility.AU_4.contractor}} summary: > {{contractor.name_short}} ensures adequate storage capability requirements for all events. @@ -62,7 +62,7 @@ satisfies: When notified (e.g., via CloudWatch) of an auditing failure, {{contractor.name_short}} Operations staff will review the causes and take corrective action. - implementation_status: {{status.AU_5.contractor}} + implementation_status: {{responsibility.AU_5.contractor}} summary: > {{contractor.name_short}} Operations reviews causes and takes corrective action when notified via CloudWatch of auditing failures. 
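Review bot: The AU-1 entry in the first hunk of this file is rewritten to `{{responsibility.AU_1.implentation_status}}`, which keeps a misspelled attribute name and differs from every other status line touched by this commit, all of which read `{{responsibility.<CTRL>.contractor}}` (AU-2, AU-4, AU-5 in this same file). Unless the responsibility data defines a key literally named `implentation_status` for AU_1, which seems unlikely, that expression will resolve to an undefined value and the rendered AU-1 status will be blank or raise, depending on how the Jinja environment treats undefined names. The line should be `implementation_status: {{responsibility.AU_1.contractor}}`. The mechanical status-to-responsibility rename in the other hunks of this file and of the sibling Contractor templates looks consistent.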
@@ -92,7 +92,7 @@ satisfies: constitute a security incident, then the Incident Response process is invoked as described in the implementation of the Incident Response Plan (IR-8). - implementation_status: {{status.AU_6.contractor}} + implementation_status: {{responsibility.AU_6.contractor}} summary: > {{contractor.name_short}} security audit data is collected by a Graylog Security and Event Management (SIEM) dashboard to support real time and @@ -109,7 +109,7 @@ satisfies: {{contractor.name_short}} Security Office are the only {{contractor.name_short}} personnel with logical permission to access and review audit logs. - implementation_status: {{status.AU_9.contractor}} + implementation_status: {{responsibility.AU_9.contractor}} summary: > {{contractor.name_short}} ensures that audit logs are created, stored and maintained. @@ -122,7 +122,7 @@ satisfies: - text: > {{contractor.name_short}} audits events from the application, database, and hosting environment, and retains these records for at least 180 days. - implementation_status: {{status.AU_11.contractor}} + implementation_status: {{responsibility.AU_11.contractor}} summary: > {{contractor.name_short}} retains audit records for at least 180 days. - control_key: AU-12 @@ -145,7 +145,7 @@ satisfies: text: > {{contractor.name_short}} maintained applications generate audit records for their web and event logs as described in AU-2 and AU-3. - implementation_status: {{status.AU_12.contractor}} + implementation_status: {{responsibility.AU_12.contractor}} summary: > {{contractor.name_short}} ensures audit records are generated for its web and event logs as required. 
diff --git a/templates/components/Contractor/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/templates/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 95% rename from templates/components/Contractor/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml rename to templates/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml index 4c6b124..5a4c8c5 100644 --- a/templates/components/Contractor/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +++ b/templates/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml @@ -17,7 +17,7 @@ satisfies: {{contractor.name_short}} Security Assessment and Authorization Policy. This document can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.CA_1.contractor}} + implementation_status: {{responsibility.CA_1.contractor}} - control_key: CA-2 control_name: SECURITY ASSESSMENTS standard_key: NIST SP 800-53 Revision 4 @@ -72,7 +72,7 @@ satisfies: - Incident Response Plan - implementation_status: {{status.CA_2.contractor}} + implementation_status: {{responsibility.CA_2.contractor}} - control_key: CA-3 control_name: SYSTEM INTERCONNECTIONS standard_key: NIST SP 800-53 Revision 4 @@ -83,7 +83,7 @@ satisfies: This control is not applicable. {{contractor.name_short}} systems do not have system interconnections. The only communication conducted to {{contractor.name_short}}' systems is through the Internet. - implementation_status: {{status.CA_3.contractor}} + implementation_status: {{responsibility.CA_3.contractor}} summary: | Control not applicable. {{contractor.name_short}} systems do not have system interconnections. - control_key: CA-5 
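Review bot: The file is renamed to `CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml`, which appears to be the NIST SP 800-53 Revision 5 family title, while every control in the hunks keeps `standard_key: NIST SP 800-53 Revision 4`, CA-2 keeps the Rev 4 `control_name: SECURITY ASSESSMENTS`, and the CA-1 narrative still names the "Security Assessment and Authorization Policy". A reader of the generated SSP will see a Rev 5 family heading over Rev 4 control text and may not be able to tell which baseline the component claims. If the rename is the first step of a Rev 5 migration, a YAML comment near the top of the file (outside this hunk), such as `# Family title follows SP 800-53 Rev 5; control keys/text below still track Rev 4 pending migration`, would record that; otherwise the old filename should be kept until `standard_key` is updated.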
@@ -119,7 +119,7 @@ satisfies: mitigation. All POA&Ms are reviewed on a monthly basis by {{contractor.name_short}} Information System Security Officer to ensure all mitigation strategies are continuing as documented. - implementation_status: {{status.CA_5.contractor}} + implementation_status: {{responsibility.CA_5.contractor}} - control_key: CA-7 control_name: CONTINUOUS MONITORING standard_key: NIST SP 800-53 Revision 4 @@ -171,7 +171,7 @@ satisfies: The security status of the system is reported up to the System Owner and Project Manager via the {{contractor.name_short}} Security Office to be reviewed alongside other security issues relating to the system. - implementation_status: {{status.CA_7.contractor}} + implementation_status: {{responsibility.CA_7.contractor}} - control_key: CA-9 control_name: INTERNAL SYSTEM CONNECTIONS standard_key: NIST SP 800-53 Revision 4 @@ -179,4 +179,4 @@ satisfies: security_control_type: Inherited narrative: - text: Not applicable. - implementation_status: {{status.CA_9.contractor}} + implementation_status: {{responsibility.CA_9.contractor}} diff --git a/templates/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml b/templates/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml index 9c15a8b..dbdab43 100644 --- a/templates/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml +++ b/templates/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml @@ -20,7 +20,7 @@ satisfies: Configuration changes are overseen by the Change Control Board (CCB) consisting of the System Owner, Project Manager, {{contractor.name_short}} Operations staff and the engineering team. - implementation_status: {{status.CM_1.contractor}} + implementation_status: {{responsibility.CM_1.contractor}} - control_key: CM-2 control_name: BASELINE CONFIGURATION standard_key: NIST SP 800-53 Revision 4 
@@ -31,7 +31,7 @@ satisfies: A current baseline configuration is always available - stored as a tag in the Git repository - such that the site can be regenerated or rolled back should unauthorized or failing changes be applied. - implementation_status: {{status.CM_2.contractor}} + implementation_status: {{responsibility.CM_2.contractor}} - control_key: CM-4 control_name: SECURITY IMPACT ANALYSIS standard_key: NIST SP 800-53 Revision 4 @@ -45,7 +45,7 @@ satisfies: development environment before being pushed to a staging environment to be tested by another developer and by the Engineering team prior to final approval from CCB to move changes to the production environment. - implementation_status: {{status.CM_4.contractor}} + implementation_status: {{responsibility.CM_4.contractor}} summary: > {{contractor.name_short}} tests and validates changes to the system before implementing the changes in production. @@ -66,7 +66,7 @@ satisfies: code version control system, which records the identity of the developer who committed each change. Version control is enforced, with previous tagged code releases kept for rollback purposes. - implementation_status: {{status.CM_6.contractor}} + implementation_status: {{responsibility.CM_6.contractor}} - control_key: CM-10 control_name: SOFTWARE USAGE RESTRICTIONS standard_key: NIST SP 800-53 Revision 4 @@ -77,7 +77,7 @@ satisfies: Drupal is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law. - implementation_status: {{status.CM_10.contractor}} + implementation_status: {{responsibility.CM_10.contractor}} - control_key: CM-11 control_name: USER-INSTALLED SOFTWARE standard_key: NIST SP 800-53 Revision 4 
@@ -105,7 +105,7 @@ satisfies: {{contractor.name_short}} monitors policy compliance continuously via the code release planning and quality control systems built into the System Development Life Cycle described in control SA-3. - implementation_status: {{status.CM_11.contractor}} + implementation_status: {{responsibility.CM_11.contractor}} summary: > All software installed in the system environment must be first approved via the CCB resulting in a Change Request. diff --git a/templates/components/Contractor/CP-CONTINGENCY_PLANNING.yaml b/templates/components/Contractor/CP-CONTINGENCY_PLANNING.yaml index e29b354..0d4fb71 100644 --- a/templates/components/Contractor/CP-CONTINGENCY_PLANNING.yaml +++ b/templates/components/Contractor/CP-CONTINGENCY_PLANNING.yaml @@ -16,7 +16,7 @@ satisfies: maintained in Contingency Planning (CP) Policy and Procedure that can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.CP_1.contractor}} + implementation_status: {{responsibility.CP_1.contractor}} - control_key: CP-2 control_name: CONTINGENCY PLAN standard_key: NIST SP 800-53 Revision 4 @@ -71,7 +71,7 @@ satisfies: The ISCP is available on {{contractor.name_short}} GitHub repository. This repository provides the configuration management capabilities for the ISCP to be protected from unauthorized disclosure and modification. - implementation_status: {{status.CP_2.contractor}} + implementation_status: {{responsibility.CP_2.contractor}} - control_key: CP-3 control_name: CONTINGENCY TRAINING standard_key: NIST SP 800-53 Revision 4 
@@ -85,7 +85,7 @@ satisfies: thereafter or when changes are required. {{contractor.name_short}} uses the Contingency Plan as described in controls CP-1 and CP-2 as a basis for personnel contingency training. - implementation_status: {{status.CP_3.contractor}} + implementation_status: {{responsibility.CP_3.contractor}} - control_key: CP-4 control_name: CONTINGENCY PLAN TESTING standard_key: NIST SP 800-53 Revision 4 @@ -99,7 +99,7 @@ satisfies: testing exercises. The testing process for the ISCP includes a review of the ISCP, exercise, and identification of corrective actions and other improvements. - implementation_status: {{status.CP_4.contractor}} + implementation_status: {{responsibility.CP_4.contractor}} - control_key: CP-9 control_name: INFORMATION SYSTEM BACKUP standard_key: NIST SP 800-53 Revision 4 @@ -128,7 +128,7 @@ satisfies: being accessed. The folder structure of GitHub protects though permissions and ownership prohibiting users from accessing unauthorized documentation. - implementation_status: {{status.CP_9.contractor}} + implementation_status: {{responsibility.CP_9.contractor}} - control_key: CP-10 control_name: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION standard_key: NIST SP 800-53 Revision 4 @@ -145,4 +145,4 @@ satisfies: operating procedures are available, application and system software is reinstalled, information from the most recent backups is available and the system is fully tested. - implementation_status: {{status.CP_10.contractor}} + implementation_status: {{responsibility.CP_10.contractor}} diff --git a/templates/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/templates/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml index 0834650..3ead207 100644 --- a/templates/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml +++ b/templates/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml 
@@ -17,7 +17,7 @@ satisfies: Identification and Authentication (IA) Policy. This document can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.IA_1.contractor}} + implementation_status: {{responsibility.IA_1.contractor}} summary: > {{contractor.name_short}} has developed, documented and disseminated to personnel an identification and authentication policy. @@ -39,7 +39,7 @@ satisfies: passwords are maintained in encrypted form in the Ansible inventory file. The mechanism to enable select users to use a password to obtain root access can be viewed in artifact: {{artifact.admin_sudo}} - implementation_status: {{status.IA_2_1.contractor}} + implementation_status: {{responsibility.IA_2_1.contractor}} - control_key: IA-4 control_name: IDENTIFIER MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -76,7 +76,7 @@ satisfies: change their password within that time period, after which the account may only be unblocked by a website Administrator or {{contractor.name_short}} Operations staff. - implementation_status: {{status.IA_4.contractor}} + implementation_status: {{responsibility.IA_4.contractor}} summary: > Access to the system is authorized by the System Owner or Project Manager for each role. @@ -100,7 +100,7 @@ satisfies: - Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. - implementation_status: {{status.IA_5.contractor}} + implementation_status: {{responsibility.IA_5.contractor}} summary: > {{contractor.name_short}} required to take appropriate password handling measures. 
@@ -120,7 +120,7 @@ satisfies: password) between the remote user and the server. Where Transport Layer Security (TLS, aka SSL) is used, cryptographic modules will be configured in accordance with FIPS 140-2. - implementation_status: {{status.IA_7.contractor}} + implementation_status: {{responsibility.IA_7.contractor}} summary: > {{contractor.name_short}} systems employ authentication methods consistent with NIST FIPS 140-2 requirements. diff --git a/templates/components/Contractor/IR-INCIDENT_RESPONSE.yaml b/templates/components/Contractor/IR-INCIDENT_RESPONSE.yaml index cb7bbd4..6741a26 100644 --- a/templates/components/Contractor/IR-INCIDENT_RESPONSE.yaml +++ b/templates/components/Contractor/IR-INCIDENT_RESPONSE.yaml @@ -16,7 +16,7 @@ satisfies: maintained in Incident Response (IR) Policy and Procedure that can be found in the {{contractor.name_short}} Compliance Docs GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.IR_1.contractor}} + implementation_status: {{responsibility.IR_1.contractor}} - control_key: IR-2 control_name: INCIDENT RESPONSE TRAINING standard_key: NIST SP 800-53 Revision 4 @@ -31,7 +31,7 @@ satisfies: and the incident response workflow created by the Security Office. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. - implementation_status: {{status.IR_2.contractor}} + implementation_status: {{responsibility.IR_2.contractor}} - control_key: IR-4 control_name: INCIDENT HANDLING standard_key: NIST SP 800-53 Revision 4 @@ -64,7 +64,7 @@ satisfies: the Operations staff and Security Office. Changes to the Incident Response Plan (<{{project.incident_response_plan_url}}>) require a team review session for approval. - implementation_status: {{status.IR_4.contractor}} + implementation_status: {{responsibility.IR_4.contractor}} - control_key: IR-5 control_name: INCIDENT MONITORING standard_key: NIST SP 800-53 Revision 4 
@@ -83,7 +83,7 @@ satisfies: included in the {{contractor.name_short}} Incident Response Plan (<{{project.incident_response_plan_url}}/#response-process>) Response Process. - implementation_status: {{status.IR_5.contractor}} + implementation_status: {{responsibility.IR_5.contractor}} - control_key: IR-6 control_name: INCIDENT REPORTING standard_key: NIST SP 800-53 Revision 4 @@ -111,7 +111,7 @@ satisfies: {{contractor.name_short}} personnel, as soon as the incident event is detected and/or communicated, are required to report the incident event to the {{contractor.name_short}} Security Office. - implementation_status: {{status.IR_6.contractor}} + implementation_status: {{responsibility.IR_6.contractor}} - control_key: IR-7 control_name: INCIDENT RESPONSE ASSISTANCE standard_key: NIST SP 800-53 Revision 4 @@ -126,7 +126,7 @@ satisfies: workflow. Tickets created in the Jira (customer ticketing system) and GitLab (internal ticketing system) documents all details related to the incident to assist the Incident Response Teams in handling the incident. - implementation_status: {{status.IR_7.contractor}} + implementation_status: {{responsibility.IR_7.contractor}} - control_key: IR-8 control_name: INCIDENT RESPONSE PLAN standard_key: NIST SP 800-53 Revision 4 @@ -191,4 +191,4 @@ satisfies: is maintained in the {{contractor.name_short}} GitHub repository. GitHub provides the configuration management capabilities for the IR Plan to be protected from unauthorized disclosure and modification. - implementation_status: {{status.IR_8.contractor}} + implementation_status: {{responsibility.IR_8.contractor}} diff --git a/templates/components/Contractor/MA-MAINTENANCE.yaml b/templates/components/Contractor/MA-MAINTENANCE.yaml index ccc5519..8ff92c1 100644 --- a/templates/components/Contractor/MA-MAINTENANCE.yaml +++ b/templates/components/Contractor/MA-MAINTENANCE.yaml 
@@ -16,7 +16,7 @@ satisfies: is maintained in the {{contractor.name_short}} Maintenance (MA) Policy and Procedure document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.MA_1.contractor}} + implementation_status: {{responsibility.MA_1.contractor}} - control_key: MA-4 control_name: NON-LOCAL MAINTENANCE standard_key: NIST SP 800-53 Revision 4 @@ -52,7 +52,7 @@ satisfies: Any session for internal maintenance activities is terminated when the user completes their session, disconnects from the system, or logs out. In addition, sessions are terminated after 15 minutes of inactivity. - implementation_status: {{status.MA_4.contractor}} + implementation_status: {{responsibility.MA_4.contractor}} - control_key: MA-5 control_name: MAINTENANCE PERSONNEL standard_key: NIST SP 800-53 Revision 4 @@ -65,4 +65,4 @@ satisfies: responsibilities. Access rights for the internal administrators are assigned and granted access to perform their specific job responsibilities. All physical maintenance requirements are inherited from AWS. - implementation_status: {{status.MA_5.contractor}} + implementation_status: {{responsibility.MA_5.contractor}} diff --git a/templates/components/Contractor/MP-MEDIA_PROTECTION.yaml b/templates/components/Contractor/MP-MEDIA_PROTECTION.yaml index 593211a..d0affda 100644 --- a/templates/components/Contractor/MP-MEDIA_PROTECTION.yaml +++ b/templates/components/Contractor/MP-MEDIA_PROTECTION.yaml @@ -16,4 +16,4 @@ satisfies: {{contractor.name_short}} Media Protection (MP) Policy and Procedure document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.MP_1.contractor}} + implementation_status: {{responsibility.MP_1.contractor}} diff --git a/templates/components/Contractor/PL-PLANNING.yaml b/templates/components/Contractor/PL-PLANNING.yaml index dcafeec..d0976a7 100644 
--- a/templates/components/Contractor/PL-PLANNING.yaml +++ b/templates/components/Contractor/PL-PLANNING.yaml @@ -16,7 +16,7 @@ satisfies: maintained in the {{contractor.name_short}} Planning (PL) Policy and Procedure document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}/>. - implementation_status: {{status.PL_1.contractor}} + implementation_status: {{responsibility.PL_1.contractor}} - control_key: PL-2 control_name: SYSTEM SECURITY PLAN standard_key: NIST SP 800-53 Revision 4 @@ -81,7 +81,7 @@ satisfies: non-disclosure agreement (NDA) to uphold information confidentiality. GitLab provides the configuration management capabilities for the SSP to be protected from unauthorized disclosure and modification. - implementation_status: {{status.PL_2.contractor}} + implementation_status: {{responsibility.PL_2.contractor}} - control_key: PL-4 control_name: RULES OF BEHAVIOR standard_key: NIST SP 800-53 Revision 4 @@ -117,4 +117,4 @@ satisfies: version of the {{contractor.name_short}} Security Policy to read and re-sign when any part of it, including the Acceptable Use Policy/Rules of Behavior, is revised/updated. - implementation_status: {{status.PL_4.contractor}} + implementation_status: {{responsibility.PL_4.contractor}} diff --git a/templates/components/Contractor/PS-PERSONNEL_SECURITY.yaml b/templates/components/Contractor/PS-PERSONNEL_SECURITY.yaml index edddef0..ee74f07 100644 --- a/templates/components/Contractor/PS-PERSONNEL_SECURITY.yaml +++ b/templates/components/Contractor/PS-PERSONNEL_SECURITY.yaml 
@@ -16,7 +16,7 @@ satisfies: maintained in {{contractor.name_short}} Personnel Security (PS) Policy document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}>. - implementation_status: {{status.PS_1.contractor}} + implementation_status: {{responsibility.PS_1.contractor}} - control_key: PS-2 control_name: POSITION RISK DESIGNATION standard_key: NIST SP 800-53 Revision 4 @@ -42,7 +42,7 @@ satisfies: made to the position risk descriptions the Office of Human Resources works in coordination with the {{contractor.name_short}} Security Office to implement changes as required. - implementation_status: {{status.PS_2.contractor}} + implementation_status: {{responsibility.PS_2.contractor}} - control_key: PS-3 control_name: PERSONNEL SCREENING standard_key: NIST SP 800-53 Revision 4 @@ -66,7 +66,7 @@ satisfies: classification of the information they will access, and the risks associated with the role. A basic background check is performed for all {{contractor.name_short}} employees. - implementation_status: {{status.PS_3.contractor}} + implementation_status: {{responsibility.PS_3.contractor}} - control_key: PS-4 control_name: PERSONNEL TERMINATION standard_key: NIST SP 800-53 Revision 4 @@ -123,7 +123,7 @@ satisfies: deactivation of access upon termination. Deactivation is a manual process that is tracked via a Trello card in order to meet the four hour turnaround time before termination. - implementation_status: {{status.PS_4.contractor}} + implementation_status: {{responsibility.PS_4.contractor}} - control_key: PS-5 control_name: PERSONNEL TRANSFER standard_key: NIST SP 800-53 Revision 4 
@@ -156,7 +156,7 @@ satisfies: {{contractor.name_short}} Operations staff is informed of transfers that require access authorization modifications within five business days by the Project Manager, System Owner or Office of Human Resources. - implementation_status: {{status.PS_5.contractor}} + implementation_status: {{responsibility.PS_5.contractor}} - control_key: PS-8 control_name: PERSONNEL SANCTIONS standard_key: NIST SP 800-53 Revision 4 @@ -176,4 +176,4 @@ satisfies: When employee sanctions processes are initiated, the Office of Human Resources notifies the respective Project Manager(s) and {{contractor.name_short}}' Security Office within five business days. - implementation_status: {{status.PS_8.contractor}} + implementation_status: {{responsibility.PS_8.contractor}} diff --git a/templates/components/Contractor/RA-RISK_ASSESSMENT.yaml b/templates/components/Contractor/RA-RISK_ASSESSMENT.yaml index b5e08e4..330348c 100644 --- a/templates/components/Contractor/RA-RISK_ASSESSMENT.yaml +++ b/templates/components/Contractor/RA-RISK_ASSESSMENT.yaml @@ -16,7 +16,7 @@ satisfies: the {{contractor.name_short}} Risk Assessment (RA) Policy and Procedure that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}/>. - implementation_status: {{status.RA_1.contractor}} + implementation_status: {{responsibility.RA_1.contractor}} - control_key: RA-5 control_name: VULNERABILITY SCANNING standard_key: NIST SP 800-53 Revision 4 @@ -81,4 +81,4 @@ satisfies: assigns each vulnerability an impact rating and response time through JIRA or the Git issue tool for tracking to the established remediation deadlines listed in RA-5(d). - implementation_status: {{status.RA_5.contractor}} + implementation_status: {{responsibility.RA_5.contractor}} diff --git a/templates/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/templates/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml index bfab4c7..3854180 100644 
--- a/templates/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml +++ b/templates/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml @@ -16,7 +16,7 @@ satisfies: maintained by the {{contractor.name_short}} System and Services Acquisition (SA) Policy document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}/>. - implementation_status: {{status.SA_1.contractor}} + implementation_status: {{responsibility.SA_1.contractor}} - control_key: SA-2 control_name: ALLOCATION OF RESOURCES standard_key: NIST SP 800-53 Revision 4 @@ -42,7 +42,7 @@ satisfies: security-related expenditures that fall outside of explicit compliance requirements are addressed in sub-lines under the {{contractor.name_short}} Information Technology budget. - implementation_status: {{status.SA_2.contractor}} + implementation_status: {{responsibility.SA_2.contractor}} - control_key: SA-3 control_name: SYSTEM DEVELOPMENT LIFE CYCLE standard_key: NIST SP 800-53 Revision 4 @@ -183,7 +183,7 @@ satisfies: cycle activities by requiring that the processes defined in SA-3(a) and (b) above are adhered to by all information system developers and associated security personnel. - implementation_status: {{status.SA_3.contractor}} + implementation_status: {{responsibility.SA_3.contractor}} - control_key: SA-4 control_name: ACQUISITION PROCESS standard_key: NIST SP 800-53 Revision 4 @@ -216,7 +216,7 @@ satisfies: in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. - implementation_status: {{status.SA_4.contractor}} + implementation_status: {{responsibility.SA_4.contractor}} - control_key: SA-5 control_name: INFORMATION SYSTEM DOCUMENTATION standard_key: NIST SP 800-53 Revision 4 
@@ -263,7 +263,7 @@ satisfies: As needed and approved by the {{contractor.name_short}} Security Office, documentation is available to appropriate personnel by granting access to the private Git repository. - implementation_status: {{status.SA_5.contractor}} + implementation_status: {{responsibility.SA_5.contractor}} - control_key: SA-9 control_name: EXTERNAL INFORMATION SYSTEM SERVICES standard_key: NIST SP 800-53 Revision 4 @@ -275,4 +275,4 @@ satisfies: between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing or transmitting federal agency data. - implementation_status: {{status.SA_9.contractor}} + implementation_status: {{responsibility.SA_9.contractor}} diff --git a/templates/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/templates/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml index c045dcd..4116f60 100644 --- a/templates/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml +++ b/templates/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml @@ -17,7 +17,7 @@ satisfies: Communications Protection (SC) Policy {{contractor.name_short}} document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}/>. - implementation_status: {{status.SC_1.contractor}} + implementation_status: {{responsibility.SC_1.contractor}} - control_key: SC-13 control_name: CRYPTOGRAPHIC PROTECTION standard_key: NIST SP 800-53 Revision 4 @@ -36,7 +36,7 @@ satisfies: - TLS for connection to email services - AES-256 (FIPS 140-2 validated) for data at rest (with Elastic Block Store (EBS) volumes) - implementation_status: {{status.SC_13.contractor}} + implementation_status: {{responsibility.SC_13.contractor}} - control_key: SC-20 control_name: SECURE NAME / ADDRESS RESOLUTION SERVICE standard_key: NIST SP 800-53 Revision 4 
@@ -47,7 +47,7 @@ satisfies: The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (authoritative source) - implementation_status: {{status.SC_20.contractor}} + implementation_status: {{responsibility.SC_20.contractor}} - control_key: SC-21 control_name: SECURE NAME / ADDRESS RESOLUTION SERVICE standard_key: NIST SP 800-53 Revision 4 @@ -58,7 +58,7 @@ satisfies: The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (recursive or caching resolver) - implementation_status: {{status.SC_21.contractor}} + implementation_status: {{responsibility.SC_21.contractor}} - control_key: SC-22 control_name: ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE standard_key: NIST SP 800-53 Revision 4 @@ -67,7 +67,7 @@ satisfies: narrative: - text: > - implementation_status: {{status.SC_22.contractor}} + implementation_status: {{responsibility.SC_22.contractor}} - control_key: SC-39 control_name: PROCESS ISOLATION standard_key: NIST SP 800-53 Revision 4 @@ -77,4 +77,4 @@ satisfies: - text: > Process isolation is maintained on the Linux platform. Linux is the only operating system that is part of the boundary. - implementation_status: {{status.SC_39.contractor}} + implementation_status: {{responsibility.SC_39.contractor}} diff --git a/templates/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/templates/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml index b54945e..2e53c4b 100644 --- a/templates/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml +++ b/templates/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml 
@@ -17,7 +17,7 @@ satisfies: and Information Integrity (SI) Policy document that can be found in the {{contractor.name_short}} GitHub repository at <{{contractor.compliance_docs_url}}/>. - implementation_status: {{status.SI_1.contractor}} + implementation_status: {{responsibility.SI_1.contractor}} - control_key: SI-2 control_name: FLAW REMEDIATION standard_key: NIST SP 800-53 Revision 4 @@ -72,7 +72,7 @@ satisfies: correct the system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB Chair as implemented in CM-3. - implementation_status: {{status.SI_2.contractor}} + implementation_status: {{responsibility.SI_2.contractor}} - control_key: SI-3 control_name: MALICIOUS CODE PROTECTION standard_key: NIST SP 800-53 Revision 4 @@ -104,7 +104,7 @@ satisfies: with on a case by case basis. Potential impacts on the availability of the information system are detailed in a false positive report depending on if the report is for the OS, database or web application. - implementation_status: {{status.SI_3.contractor}} + implementation_status: {{responsibility.SI_3.contractor}} - control_key: SI-4 control_name: INFORMATION SYSTEM MONITORING standard_key: NIST SP 800-53 Revision 4 @@ -165,7 +165,7 @@ satisfies: System alerts generated by {{contractor.name_short}} internal monitors (StatusCake, OSSEC, ClamAV, others) are sent to the Incident Response team via OpsGenie. - implementation_status: {{status.SI_4.contractor}} + implementation_status: {{responsibility.SI_4.contractor}} - control_key: SI-5 control_name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES standard_key: NIST SP 800-53 Revision 4 
@@ -201,7 +201,7 @@ satisfies: The {{contractor.name_short}} Security Office is responsible for ensuring the dissemination and implementation of relevant security alerts and advisories. - implementation_status: {{status.SI_5.contractor}} + implementation_status: {{responsibility.SI_5.contractor}} - control_key: SI-12 control_name: INFORMATION OUTPUT HANDLING AND RETENTION standard_key: NIST SP 800-53 Revision 4 @@ -214,4 +214,4 @@ satisfies: output in accordance with customers’ requirements retention periods and other NIST guidance and standards, Federal policies, procedures, federal laws, and executive orders. Audit records are retained for 365 days. - implementation_status: {{status.SI_12.contractor}} + implementation_status: {{responsibility.SI_12.contractor}} diff --git a/templates/components/Contractor/component.yaml b/templates/components/Contractor/component.yaml index b21d858..1f687b3 100644 --- a/templates/components/Contractor/component.yaml +++ b/templates/components/Contractor/component.yaml @@ -4,7 +4,7 @@ satisfies: - AC-ACCESS_CONTROL.yaml - AT-AWARENESS_AND_TRAINING.yaml - AU-AUDIT_AND_ACCOUNTABILITY.yaml -- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml - CM-CONFIGURATION_MANAGEMENT.yaml - CP-CONTINGENCY_PLANNING.yaml - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml diff --git a/templates/components/Drupal/AC-ACCESS_CONTROL.yaml b/templates/components/Drupal/AC-ACCESS_CONTROL.yaml index e84f48a..f5d98f2 100644 --- a/templates/components/Drupal/AC-ACCESS_CONTROL.yaml +++ b/templates/components/Drupal/AC-ACCESS_CONTROL.yaml @@ -31,7 +31,7 @@ satisfies: controls for which their privilege allows. - key: g text: Drupal monitors the usage of information accounts in the Watchdog log. - implementation_status: {{status.AC_2.drupal}} + implementation_status: {{responsibility.AC_2.drupal}} - control_key: AC-3 control_name: ACCESS ENFORCEMENT standard_key: NIST SP 800-53 Revision 4 
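Review bot: The new include `- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml` carries the SP 800-53 Rev 5 family title, while every control entry in the surrounding templates still declares `standard_key: NIST SP 800-53 Revision 4`, under which the family is "Security Assessment and Authorization" (the name the removed line used). An assessor mapping this component against the Rev 4 baseline will meet a family name that does not exist there; if the project is moving to Rev 5, `standard_key` and the `control_name` fields should move with it in the same change, otherwise the old filename was the consistent one. Either way, a one-line comment at the top of component.yaml stating which revision the file list follows, e.g. `# family file names follow NIST SP 800-53 Rev 4 titles`, would keep the two from drifting again.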
@@ -46,7 +46,7 @@ satisfies: The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Drupal Administrators are the only user roles that can create new user accounts. - implementation_status: {{status.AC_3.drupal}} + implementation_status: {{responsibility.AC_3.drupal}} - control_key: AC-7 control_name: UNSUCCESSFUL LOGIN ATTEMPTS standard_key: NIST SP 800-53 Revision 4 @@ -63,7 +63,7 @@ satisfies: login attempts, their account is automatically locked for a specified time and requires administrator action to unlock the account before the lockout period expires. - implementation_status: {{status.AC_7.drupal}} + implementation_status: {{responsibility.AC_7.drupal}} - control_key: AC-14 control_name: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 @@ -75,4 +75,4 @@ satisfies: The anonymous user role has the least access to the site of all roles. Drupal sites can be configured to allow actions identified by {{project.name}} - implementation_status: {{status.AC_14.drupal}} + implementation_status: {{responsibility.AC_14.drupal}} diff --git a/templates/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/templates/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml index d6b1829..7e84b93 100644 --- a/templates/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml +++ b/templates/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml @@ -78,7 +78,7 @@ satisfies: - PHP error logs: Captures any errors logged during execution of the PHP programming language. - implementation_status: {{status.AU_2.drupal}} + implementation_status: {{responsibility.AU_2.drupal}} - control_key: AU-3 control_name: CONTENT OF AUDIT RECORDS standard_key: NIST SP 800-53 Revision 4 
@@ -110,4 +110,4 @@ satisfies: Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events. - implementation_status: {{status.AU_3.drupal}} + implementation_status: {{responsibility.AU_3.drupal}} diff --git a/templates/components/Drupal/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/templates/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 92% rename from templates/components/Drupal/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml rename to templates/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml index b76a1de..9729051 100644 --- a/templates/components/Drupal/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +++ b/templates/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml @@ -17,4 +17,4 @@ satisfies: {{contractor.name_short}} works closely with the Drupal security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed. - implementation_status: {{status.CA_7.drupal}} + implementation_status: {{responsibility.CA_7.drupal}} diff --git a/templates/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/templates/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml index f0cd924..4b5f5fe 100644 --- a/templates/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml +++ b/templates/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml @@ -11,7 +11,7 @@ satisfies: Drupal administrators and other roles with unrestricted access to live content and/or user accounts are required to use two-factor authentication. See artifact {{artifact.two_factor_auth}} - implementation_status: {{status.IA_2_1.drupal}} + implementation_status: {{responsibility.IA_2_1.drupal}} - control_key: IA-4 control_name: IDENTIFIER MANAGEMENT standard_key: NIST SP 800-53 Revision 4 
@@ -37,7 +37,7 @@ satisfies: by the admin group when it approves the creation of the user account. - key: d text: Drupal user's unique identifier (the numeric user ID, or UID) is never reused. - implementation_status: {{status.IA_4.drupal}} + implementation_status: {{responsibility.IA_4.drupal}} - control_key: IA-5 control_name: AUTHENTICATOR MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -98,7 +98,7 @@ satisfies: - key: j text: This control is not applicable due to the fact that group accounts are not created within the Drupal application per IA Policy. - implementation_status: {{status.IA_5.drupal}} + implementation_status: {{responsibility.IA_5.drupal}} - control_key: IA-5 (1) control_name: PASSWORD-BASED AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 @@ -137,7 +137,7 @@ satisfies: login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. - implementation_status: {{status.IA_5_1.drupal}} + implementation_status: {{responsibility.IA_5_1.drupal}} - control_key: IA-6 control_name: AUTHENTICATOR FEEDBACK standard_key: NIST SP 800-53 Revision 4 @@ -149,7 +149,7 @@ satisfies: process into the Drupal application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. - implementation_status: {{status.IA_6.drupal}} + implementation_status: {{responsibility.IA_6.drupal}} - control_key: IA-7 control_name: CRYPTOGRAPHIC MODULE AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 
@@ -161,4 +161,4 @@ satisfies: algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. - implementation_status: {{status.IA_7.drupal}} + implementation_status: {{responsibility.IA_7.drupal}} diff --git a/templates/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/templates/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml index a7d48bc..ebb3098 100644 --- a/templates/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml +++ b/templates/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml @@ -9,7 +9,7 @@ satisfies: narrative: - text: Drupal has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by {{contractor.name_short}} Operations. - implementation_status: {{status.SC_5.drupal}} + implementation_status: {{responsibility.SC_5.drupal}} - control_key: SC-7 control_name: BOUNDARY PROTECTION standard_key: NIST SP 800-53 Revision 4 @@ -22,4 +22,4 @@ satisfies: both the AWS platform safeguards and the Drupal Watchdog module in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. - implementation_status: {{status.SC_7.drupal}} + implementation_status: {{responsibility.SC_7.drupal}} diff --git a/templates/components/Drupal/component.yaml b/templates/components/Drupal/component.yaml index cd64e94..e96c360 100644 --- a/templates/components/Drupal/component.yaml +++ b/templates/components/Drupal/component.yaml @@ -3,6 +3,6 @@ schema_version: 3.0.0 satisfies: - AC-ACCESS_CONTROL.yaml - AU-AUDIT_AND_ACCOUNTABILITY.yaml -- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml - SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml 
diff --git a/templates/components/Ilias/AC-ACCESS_CONTROL.yaml b/templates/components/Ilias/AC-ACCESS_CONTROL.yaml index 0b54e83..95acf38 100644 --- a/templates/components/Ilias/AC-ACCESS_CONTROL.yaml +++ b/templates/components/Ilias/AC-ACCESS_CONTROL.yaml @@ -27,7 +27,7 @@ satisfies: allows. - key: g text: Ilias monitors the usage of information accounts in a log on the server. - implementation_status: {{status.AC_2.ilias}} + implementation_status: {{responsibility.AC_2.ilias}} - control_key: AC-3 control_name: ACCESS ENFORCEMENT standard_key: NIST SP 800-53 Revision 4 @@ -50,7 +50,7 @@ satisfies: security_control_type: Hybrid narrative: - text: System Use Notification is inherited from the {{project.name_short}}. - implementation_status: {{status.AC_8.ilias}} + implementation_status: {{responsibility.AC_8.ilias}} - control_key: AC-14 control_name: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 diff --git a/templates/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/templates/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml index b281b2a..df6c91a 100644 --- a/templates/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml +++ b/templates/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml @@ -58,7 +58,7 @@ satisfies: - Slow query logs. - PHP error logs: Captures any errors logged during execution of the PHP programming language. - implementation_status: {{status.AU_2.ilias}} + implementation_status: {{responsibility.AU_2.ilias}} - control_key: AU-3 control_name: CONTENT OF AUDIT RECORDS standard_key: NIST SP 800-53 Revision 4 @@ -85,4 +85,4 @@ satisfies: Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events. - implementation_status: {{status.AU_3.ilias}} + implementation_status: {{responsibility.AU_3.ilias}} 
diff --git a/templates/components/Ilias/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/templates/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 92% rename from templates/components/Ilias/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml rename to templates/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml index c06448a..9f05dde 100644 --- a/templates/components/Ilias/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +++ b/templates/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml @@ -15,4 +15,4 @@ satisfies: text: '{{contractor.name_short}} works closely with the Ilias security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed.' - implementation_status: {{status.CA_7.ilias}} + implementation_status: {{responsibility.CA_7.ilias}} diff --git a/templates/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml b/templates/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml index cb0c885..1b4aaaa 100644 --- a/templates/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml +++ b/templates/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml @@ -22,7 +22,7 @@ satisfies: Git repository as the new baseline. All code prior to it being staged is documented, tested and approved by {{contractor.name_short}} Development, which is described in control SA-3. The production environment is configured to take database snapshots daily. - implementation_status: {{status.CM_2.ilias}} + implementation_status: {{responsibility.CM_2.ilias}} - control_key: CM-8 control_name: INFORMATION SYSTEM COMPONENT INVENTORY standard_key: NIST SP 800-53 Revision 4 
@@ -46,7 +46,7 @@ satisfies: Website content is backed up daily using CPM snapshots. This allows {{contractor.name_short}} to build an inventory of the system on demand. - implementation_status: {{status.CM_8.ilias}} + implementation_status: {{responsibility.CM_8.ilias}} - control_key: CM-10 control_name: SOFTWARE USAGE RESTRICTIONS standard_key: NIST SP 800-53 Revision 4 @@ -56,4 +56,4 @@ satisfies: - text: Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law. - implementation_status: {{status.CM_10.ilias}} + implementation_status: {{responsibility.CM_10.ilias}} diff --git a/templates/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/templates/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml index 0226328..a90acf3 100644 --- a/templates/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml +++ b/templates/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml @@ -23,7 +23,7 @@ satisfies: by the admin group when it approves the creation of the user account. - key: d text: Ilias user's unique identifier (the numeric user ID, or UID) is never reused. - implementation_status: {{status.IA_4.ilias}} + implementation_status: {{responsibility.IA_4.ilias}} - control_key: IA-5 control_name: AUTHENTICATOR MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -80,7 +80,7 @@ satisfies: - key: j text: This control is not applicable due to the fact that group accounts are not created within the Ilias application per IA Policy. - implementation_status: {{status.IA_5.ilias}} + implementation_status: {{responsibility.IA_5.ilias}} - control_key: IA-5 (1) control_name: PASSWORD-BASED AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 
@@ -116,7 +116,7 @@ satisfies: login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. - implementation_status: {{status.IA_5_1.ilias}} + implementation_status: {{responsibility.IA_5_1.ilias}} - control_key: IA-6 control_name: AUTHENTICATOR FEEDBACK standard_key: NIST SP 800-53 Revision 4 @@ -127,7 +127,7 @@ satisfies: process into the Ilias application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. - implementation_status: {{status.IA_6.ilias}} + implementation_status: {{responsibility.IA_6.ilias}} - control_key: IA-7 control_name: CRYPTOGRAPHIC MODULE AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 @@ -138,4 +138,4 @@ satisfies: algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. - implementation_status: {{status.IA_7.ilias}} + implementation_status: {{responsibility.IA_7.ilias}} diff --git a/templates/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/templates/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml index dc6b9e6..16828f6 100644 --- a/templates/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml +++ b/templates/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml @@ -37,4 +37,4 @@ satisfies: - key: e text: As the Ilias.de documentation is publicly available, there is no need to provide distribution mechanisms. - implementation_status: {{status.SA_5.ilias}} + implementation_status: {{responsibility.SA_5.ilias}} 
diff --git a/templates/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/templates/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml index 46f8e22..39fbf7b 100644 --- a/templates/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml +++ b/templates/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml @@ -9,7 +9,7 @@ satisfies: narrative: - text: Ilias has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by {{contractor.name_short}} Operations. - implementation_status: {{status.SC_5.ilias}} + implementation_status: {{responsibility.SC_5.ilias}} - control_key: SC-7 control_name: BOUNDARY PROTECTION standard_key: NIST SP 800-53 Revision 4 @@ -21,4 +21,4 @@ satisfies: both the AWS platform safeguards and the Ilias logging in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. - implementation_status: {{status.SC_7.ilias}} + implementation_status: {{responsibility.SC_7.ilias}} diff --git a/templates/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/templates/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml index 9fcd1f9..ae61d97 100644 --- a/templates/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml +++ b/templates/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml @@ -9,7 +9,7 @@ satisfies: narrative: - text: Ilias contains built-in security status monitoring of the core application and contributed modules. - implementation_status: {{status.SI_2.ilias}} + implementation_status: {{responsibility.SI_2.ilias}} - control_key: SI-5 control_name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES standard_key: NIST SP 800-53 Revision 4 @@ -18,4 +18,4 @@ satisfies: narrative: - text: '{{contractor.name_short}} Security and Operations receive Ilias Security Advisories on a regular basis.' - implementation_status: {{status.SI_5.ilias}} + implementation_status: {{responsibility.SI_5.ilias}} 
diff --git a/templates/components/Ilias/component.yaml b/templates/components/Ilias/component.yaml index b1d0ad8..536806f 100644 --- a/templates/components/Ilias/component.yaml +++ b/templates/components/Ilias/component.yaml @@ -3,7 +3,7 @@ schema_version: 3.0.0 satisfies: - AC-ACCESS_CONTROL.yaml - AU-AUDIT_AND_ACCOUNTABILITY.yaml -- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml - CM-CONFIGURATION_MANAGEMENT.yaml - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml - SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml diff --git a/templates/components/Project/AC-ACCESS_CONTROL.yaml b/templates/components/Project/AC-ACCESS_CONTROL.yaml index 4e5c2b9..be81e51 100644 --- a/templates/components/Project/AC-ACCESS_CONTROL.yaml +++ b/templates/components/Project/AC-ACCESS_CONTROL.yaml @@ -19,7 +19,7 @@ satisfies: to protect the integrity of the {{project.name}}. This Department reviews and updates this policy as necessary and it has been being updated, as necessary, since April 2008. - implementation_status: {{status.AC_1.project}} + implementation_status: {{responsibility.AC_1.project}} - control_key: AC-2 control_name: ACCOUNT MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -87,7 +87,7 @@ satisfies: text: > Administrators are empowered to and responsible for reviewing their own accounts and determining whether the accounts should still be authorized. - implementation_status: {{status.AC_2.project}} + implementation_status: {{responsibility.AC_2.project}} - control_key: AC-3 control_name: ACCESS ENFORCEMENT standard_key: NIST SP 800-53 Revision 4 
@@ -103,7 +103,7 @@ satisfies: controlled with access control list used on each instance. Members of one group cannot access resources defined for other groups unless explicitly permitted. - implementation_status: {{status.AC_3.project}} + implementation_status: {{responsibility.AC_3.project}} summary: > {{project.name_short}} ensures access authorizations enforced in accordance with user definitions. @@ -116,7 +116,7 @@ satisfies: - text: > The {{project.name_short}} information system does not release information outside of the established system boundary. - implementation_status: {{status.AC_3.project}} + implementation_status: {{responsibility.AC_3.project}} - control_key: AC-7 control_name: UNSUCCESSFUL LOGIN ATTEMPTS standard_key: NIST SP 800-53 Revision 4 @@ -129,7 +129,7 @@ satisfies: the account permanently, unless an administrator unlocks the account before then, when the maximum number of unsuccessful attempts (3) is exceeded. - implementation_status: {{status.AC_7.project}} + implementation_status: {{responsibility.AC_7.project}} summary: > The {{project.name_short}} system locks out users after three unsuccessful login attempts. @@ -167,7 +167,7 @@ satisfies: - This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - implementation_status: {{status.AC_8.project}} + implementation_status: {{responsibility.AC_8.project}} summary: > {{project.name_short}} shows all persons who log into system "Authorized User Only" warning banner. 
@@ -183,7 +183,7 @@ satisfies: information without identification and authentication for the public web site. Program and Privilege users cannot access the {{project.name_short}} system without identification or authentication. - implementation_status: {{status.AC_14.project}} + implementation_status: {{responsibility.AC_14.project}} summary: > General public can read web pages without authentication; privileged users require identification and authentication to log in. @@ -202,7 +202,7 @@ satisfies: authenticate to the device through this secure channel. Virtual Private Networking (VPN) is not enabled in any form within the {{project.name_short}} accreditation boundary. - implementation_status: {{status.AC_17.project}} + implementation_status: {{responsibility.AC_17.project}} summary: > {{project.name_short}} permits remote access for privileged functions to support operational needs. @@ -249,7 +249,7 @@ satisfies: Authorized {{project.name_short}} individuals review the content on the publicly accessible information system for nonpublic information at least every 365 days and removes such information. - implementation_status: {{status.AC_22.project}} + implementation_status: {{responsibility.AC_22.project}} summary: > {{project.client_name_short}} grants certain {{project.name_short}} support staff members the authority to post publicly accessible content. diff --git a/templates/components/Project/AT-AWARENESS_AND_TRAINING.yaml b/templates/components/Project/AT-AWARENESS_AND_TRAINING.yaml index 463be30..92e2860 100644 --- a/templates/components/Project/AT-AWARENESS_AND_TRAINING.yaml +++ b/templates/components/Project/AT-AWARENESS_AND_TRAINING.yaml 
@@ -17,7 +17,7 @@ satisfies: thereafter. {{project.client_name_short}} documents and monitors all individual information system security training activities including basic security awareness training. {{project.info_security_policy_agency}} reviews and updates the policy as necessary. - implementation_status: {{status.AT_1.project}} + implementation_status: {{responsibility.AT_1.project}} summary: > This is an Agency Common Control. Security awareness and training policy and procedures documented in Handbook OCIO-01. @@ -51,7 +51,7 @@ satisfies: - Proper procedures for software installation, uploading, and use on workstations. - implementation_status: {{status.AT_2.project}} + implementation_status: {{responsibility.AT_2.project}} summary: > This is an Agency Common Control. Department personnel and contractors receive security awareness training. @@ -78,7 +78,7 @@ satisfies: participating in instructor-led training provided by the OCIO, or completing an external role-based course or courses offered within their specific functional area of expertise. - implementation_status: {{status.AT_3.project}} + implementation_status: {{responsibility.AT_3.project}} summary: > Role-based training is a requirement for personnel with significant information security responsibilities. @@ -101,7 +101,7 @@ satisfies: text: > {{project.client_name_short}} maintains training certifications for the specified period. - implementation_status: {{status.AT_4.project}} + implementation_status: {{responsibility.AT_4.project}} summary: | {{project.client_name_short}} documents and monitors all individual information system security training activities diff --git a/templates/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/templates/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml index 08759c3..7ba6bf9 100644 --- a/templates/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml +++ b/templates/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml 
@@ -16,7 +16,7 @@ satisfies: on all multi-user systems. The {{project.client_name_short}} reviews and updates this policy as necessary and it was last updated in April 2008. Additional information is contained within the {{project.info_security_policy}}. - implementation_status: {{status.AU_1.project}} + implementation_status: {{responsibility.AU_1.project}} summary: > {{project.name_short}} maintains a record of system activity by application process and by user activity and follows {{project.info_security_policy}}. @@ -29,6 +29,6 @@ satisfies: - text: > The {{project.name_short}} system clocks are synchronized system-wide and provide time stamps with audit records. - implementation_status: {{status.AU_8.project}} + implementation_status: {{responsibility.AU_8.project}} summary: > {{project.name_short}} system clocks are synchronized system-wide. diff --git a/templates/components/Project/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml b/templates/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 93% rename from templates/components/Project/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml rename to templates/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml index 3b74807..1ba9735 100644 --- a/templates/components/Project/CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +++ b/templates/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml @@ -17,7 +17,7 @@ satisfies: {{project.name_short}} will periodically review and update the SSP when there is a significant change to the regulatory, operational, or technical environment. - implementation_status: {{status.CA_1.project}} + implementation_status: {{responsibility.CA_1.project}} summary: > {{project.name_short}} follows the {{project.info_security_policy}}. - control_key: CA-2 
@@ -47,7 +47,7 @@ satisfies: Representative will create a Security Assessment Report (SAR). A full assessment shall be conducted by an independent third party assessor at least every three years. - implementation_status: {{status.CA_2.project}} + implementation_status: {{responsibility.CA_2.project}} summary: > The {{project.name_short}} will conduct annual security assessments to comply with FISMA and NIST regulations. @@ -60,7 +60,7 @@ satisfies: - text: > The {{project.name_short}} follows the {{project.info_security_policy}} procedures in managing POA&Ms. - implementation_status: {{status.CA_5.project}} + implementation_status: {{responsibility.CA_5.project}} summary: > The {{project.name_short}} follows the {{project.info_security_policy}} procedures in managing POA&Ms. @@ -79,7 +79,7 @@ satisfies: ATO re-assessment will be performed every three years or when there is a major change to the application, in which a senior organizational official will sign and approve the security accreditation. - implementation_status: {{status.CA_6.project}} + implementation_status: {{responsibility.CA_6.project}} summary: > The {{project.name_short}} follows the {{project.info_security_policy}} procedures. diff --git a/templates/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml b/templates/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml index cc17e28..0273e21 100644 --- a/templates/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml +++ b/templates/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml @@ -14,7 +14,7 @@ satisfies: physical and environmental protection. It defines responsibilities for the implementation and oversight of the guidance contained herein. {{project.client_name_short}} reviews and updates the policy as necessary. - implementation_status: {{status.CM_1.project}} + implementation_status: {{responsibility.CM_1.project}} summary: > Configuration management policy and procedures documented in the {{project.name_short}} Configuration Management Plan 
@@ -35,7 +35,7 @@ satisfies: {{project.name_short}} system do not unintentionally or unknowingly diminish security. If the change is major, the security of the system must be re-analyzed. - implementation_status: {{status.CM_2.project}} + implementation_status: {{responsibility.CM_2.project}} summary: > A CM process has been established and documented in the {{project.name_short}} CMP. @@ -57,7 +57,7 @@ satisfies: formal or informal, is performed when changes are occur. This ensures that {{project.client_name}} understands the security impacts and can determine if additional security controls are required. - implementation_status: {{status.CM_4.project}} + implementation_status: {{responsibility.CM_4.project}} - control_key: CM-6 control_name: CONFIGURATION SETTINGS standard_key: NIST SP 800-53 Revision 4 @@ -93,7 +93,7 @@ satisfies: exceptions to mandatory configuration settings for individual components within its cloud offering only when operationally necessary. All variances identified during the monthly and annual system testing scans that must be accepted for operational purposes are tracked. - implementation_status: {{status.CM_6.project}} + implementation_status: {{responsibility.CM_6.project}} - control_key: CM-7 control_name: LEAST FUNCTIONALITY standard_key: NIST SP 800-53 Revision 4 @@ -110,4 +110,4 @@ satisfies: access across the system boundary is only allowed on ports 22 (ssh), 80 (http) and 443 (https), with an additional port, 25 (smtp) open on the mail server. - implementation_status: {{status.CM_7.project}} + implementation_status: {{responsibility.CM_7.project}} diff --git a/templates/components/Project/CP-CONTINGENCY_PLANNING.yaml b/templates/components/Project/CP-CONTINGENCY_PLANNING.yaml index 081ae82..62625e3 100644 --- a/templates/components/Project/CP-CONTINGENCY_PLANNING.yaml +++ b/templates/components/Project/CP-CONTINGENCY_PLANNING.yaml 
@@ -18,7 +18,7 @@ satisfies: Plan, which provides the roles and responsibilities as it pertains to contingency planning. The {{project.name_short}} reviews and updates the policy as necessary and the policy was last updated in July 2012. - implementation_status: {{status.CP_1.project}} + implementation_status: {{responsibility.CP_1.project}} - control_key: CP-2 control_name: CONTINGENCY PLAN standard_key: NIST SP 800-53 Revision 4 @@ -33,4 +33,4 @@ satisfies: required to receive a copy of the contingency plan. The ISCP can be found in the {{project.name_short}} GitHub wiki at <{{project.contingency_plan_url}}>. - implementation_status: {{status.CP_2.project}} + implementation_status: {{responsibility.CP_2.project}} diff --git a/templates/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/templates/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml index 0e7c57e..cea8c94 100644 --- a/templates/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml +++ b/templates/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml @@ -16,7 +16,7 @@ satisfies: period of inactivity as documented in its security procedures; and (vi) archiving user identifiers. {{project.name_short}} reviews and updates this policy as necessary. - implementation_status: {{status.IA_1.project}} + implementation_status: {{responsibility.IA_1.project}} - control_key: IA-2 (1) control_name: NETWORK ACCESS TO PRIVILEGED ACCOUNTS standard_key: NIST SP 800-53 Revision 4 @@ -26,7 +26,7 @@ satisfies: - text: > The {{project.name_short}} employs multi-factor authentication for privileged users. - implementation_status: {{status.IA_2_1.project}} + implementation_status: {{responsibility.IA_2_1.project}} - control_key: IA-2 (12) control_name: ACCEPTANCE OF PIV CREDENTIALS standard_key: NIST SP 800-53 Revision 4 
@@ -36,7 +36,7 @@ satisfies: - text: > The {{project.name_short}} system allows users to access the system using Common Access Cards (CAC). - implementation_status: {{status.IA_2_12.project}} + implementation_status: {{responsibility.IA_2_12.project}} - control_key: IA-5 control_name: AUTHENTICATOR MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -121,7 +121,7 @@ satisfies: - Minimum restriction of zero (1) days and - Maximum restriction of ninety (90) days before a password change is required. - implementation_status: {{status.IA_5.project}} + implementation_status: {{responsibility.IA_5.project}} - control_key: IA-5 (1) control_name: PASSWORD-BASED AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 @@ -133,7 +133,7 @@ satisfies: end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5. - implementation_status: {{status.IA_5_1.project}} + implementation_status: {{responsibility.IA_5_1.project}} - control_key: IA-5 (11) control_name: HARDWARE TOKEN-BASED AUTHENTICATION standard_key: NIST SP 800-53 Revision 4 @@ -143,7 +143,7 @@ satisfies: - text: > {{project.name_short}} does not support physical hardware token-based authentication. Therefore this control is Not Applicable. - implementation_status: {{status.IA_5_11.project}} + implementation_status: {{responsibility.IA_5_11.project}} - control_key: IA-8 (1) control_name: ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES standard_key: NIST SP 800-53 Revision 4 @@ -153,7 +153,7 @@ satisfies: - text: > {{project.name_short}} allows the use of customer agency supplied Common Access Cards (CAC). - implementation_status: {{status.IA_8_1.project}} + implementation_status: {{responsibility.IA_8_1.project}} - control_key: IA-8 (2) control_name: ACCEPTANCE OF THIRD-PARTY CREDENTIALS standard_key: NIST SP 800-53 Revision 4 
@@ -162,7 +162,7 @@ satisfies: narrative: - text: > {{project.name_short}} does not utilize FICAM approved credentials. - implementation_status: {{status.IA_8_2.project}} + implementation_status: {{responsibility.IA_8_2.project}} - control_key: IA-8 (3) control_name: USE OF FICAM-APPROVED PRODUCTS standard_key: NIST SP 800-53 Revision 4 @@ -171,7 +171,7 @@ satisfies: narrative: - text: > {{project.name_short}} does not utilize FICAM approved products. - implementation_status: {{status.IA_8_3.project}} + implementation_status: {{responsibility.IA_8_3.project}} - control_key: IA-8 (4) control_name: USE OF FICAM-ISSUED PROFILES standard_key: NIST SP 800-53 Revision 4 @@ -181,4 +181,4 @@ satisfies: - text: > {{contractor.name_short}} does not utilize FICAM approved products or profiles. - implementation_status: {{status.IA_8_4.project}} + implementation_status: {{responsibility.IA_8_4.project}} diff --git a/templates/components/Project/IR-INCIDENT_RESPONSE.yaml b/templates/components/Project/IR-INCIDENT_RESPONSE.yaml index 6e2d721..0dec85d 100644 --- a/templates/components/Project/IR-INCIDENT_RESPONSE.yaml +++ b/templates/components/Project/IR-INCIDENT_RESPONSE.yaml @@ -29,7 +29,7 @@ satisfies: The {{project.name_short}} Incident Response Plan can be found in the {{contractor.name_short}} GitHub repository at <{{project.incident_response_plan_url}}> - implementation_status: {{status.IR_1.project}} + implementation_status: {{responsibility.IR_1.project}} - control_key: IR-2 control_name: INCIDENT RESPONSE TRAINING standard_key: NIST SP 800-53 Revision 4 @@ -46,7 +46,7 @@ satisfies: and the incident response workflow created by the Security team. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. - implementation_status: {{status.IR_2.project}} + implementation_status: {{responsibility.IR_2.project}} - control_key: IR-4 control_name: INCIDENT HANDLING standard_key: NIST SP 800-53 Revision 4 
@@ -73,7 +73,7 @@ satisfies: eradication and recovery activities include AWS and LAMP-stack inherited fixes and {{project.name_short}} system administrators adjusting IP port blocking security groups and SELinux policies. - implementation_status: {{status.IR_4.project}} + implementation_status: {{responsibility.IR_4.project}} - control_key: IR-5 control_name: INCIDENT MONITORING standard_key: NIST SP 800-53 Revision 4 @@ -85,7 +85,7 @@ satisfies: detection systems, monitoring the system and application logs for anomalous events. Incidents are tracked using the same ticketing system that is used to track all system-related changes and events. - implementation_status: {{status.IR_5.project}} + implementation_status: {{responsibility.IR_5.project}} - control_key: IR-6 control_name: INCIDENT REPORTING standard_key: NIST SP 800-53 Revision 4 @@ -101,7 +101,7 @@ satisfies: The {{contractor.name_short}} Computer Security Officer (CSO) handles all incidents for the {{project.name_short}}. The CSO is prepared to report all incidents to the {{project.client_name}}. - implementation_status: {{status.IR_6.project}} + implementation_status: {{responsibility.IR_6.project}} - control_key: IR-8 control_name: INCIDENT RESPONSE PLAN standard_key: NIST SP 800-53 Revision 4 @@ -121,4 +121,4 @@ satisfies: categorization of incidents in accordance with NIST 800-61 and accordingly documents and reports incidents. The IRP is reviewed annually and updated as needed by ISSO, with the assistance of the Incident Response Team. - implementation_status: {{status.IR_8.project}} + implementation_status: {{responsibility.IR_8.project}} diff --git a/templates/components/Project/MA-MAINTENANCE.yaml b/templates/components/Project/MA-MAINTENANCE.yaml index 41decb0..f840961 100644 --- a/templates/components/Project/MA-MAINTENANCE.yaml +++ b/templates/components/Project/MA-MAINTENANCE.yaml 
@@ -21,7 +21,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.MA_1.project}} + implementation_status: {{responsibility.MA_1.project}} - control_key: MA-2 control_name: CONTROLLED MAINTENANCE standard_key: NIST SP 800-53 Revision 4 @@ -43,7 +43,7 @@ satisfies: - As needed help desk support - Twice-monthly OS updates/patches - implementation_status: {{status.MA_2.project}} + implementation_status: {{responsibility.MA_2.project}} - control_key: MA-5 control_name: MAINTENANCE PERSONNEL standard_key: NIST SP 800-53 Revision 4 @@ -57,4 +57,4 @@ satisfies: only these authorized personnel may perform the maintenance. All maintenance personnel have the required personnel security elements in place. - implementation_status: {{status.MA_5.project}} + implementation_status: {{responsibility.MA_5.project}} diff --git a/templates/components/Project/PL-PLANNING.yaml b/templates/components/Project/PL-PLANNING.yaml index fd4de0f..723b8e3 100644 --- a/templates/components/Project/PL-PLANNING.yaml +++ b/templates/components/Project/PL-PLANNING.yaml @@ -22,7 +22,7 @@ satisfies: technology resources. It defines responsibilities for the implementation and oversight of the guidance contained herein. The plan was last updated in December, 2015. - implementation_status: {{status.PL_1.project}} + implementation_status: {{responsibility.PL_1.project}} - control_key: PL-2 control_name: SYSTEM SECURITY PLAN standard_key: NIST SP 800-53 Revision 4 @@ -42,7 +42,7 @@ satisfies: the SSP. The SSP will be reviewed at least annually and updated to account for any changes to the {{project.name_short}} system and to address any changes in security controls. - implementation_status: {{status.PL_2.project}} + implementation_status: {{responsibility.PL_2.project}} - control_key: PL-4 control_name: RULES OF BEHAVIOR standard_key: NIST SP 800-53 Revision 4 
@@ -77,4 +77,4 @@ satisfies: {{project.name_short}} requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the Rules of Behavior are revised/updated. - implementation_status: {{status.PL_4.project}} + implementation_status: {{responsibility.PL_4.project}} diff --git a/templates/components/Project/PS-PERSONNEL_SECURITY.yaml b/templates/components/Project/PS-PERSONNEL_SECURITY.yaml index 1eba957..5a5c719 100644 --- a/templates/components/Project/PS-PERSONNEL_SECURITY.yaml +++ b/templates/components/Project/PS-PERSONNEL_SECURITY.yaml @@ -18,7 +18,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.PS_1.project}} + implementation_status: {{responsibility.PS_1.project}} - control_key: PS-2 control_name: POSITION RISK DESIGNATION standard_key: NIST SP 800-53 Revision 4 @@ -53,7 +53,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog - implementation_status: {{status.PS_2.project}} + implementation_status: {{responsibility.PS_2.project}} - control_key: PS-3 control_name: PERSONNEL SCREENING standard_key: NIST SP 800-53 Revision 4 @@ -72,7 +72,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.PS_3.project}} + implementation_status: {{responsibility.PS_3.project}} - control_key: PS-4 control_name: PERSONNEL TERMINATION standard_key: NIST SP 800-53 Revision 4 @@ -98,7 +98,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.PS_4.project}} + implementation_status: {{responsibility.PS_4.project}} - control_key: PS-5 control_name: PERSONNEL TRANSFER standard_key: NIST SP 800-53 Revision 4 
@@ -124,7 +124,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.PS_5.project}} + implementation_status: {{responsibility.PS_5.project}} - control_key: PS-6 control_name: ACCESS AGREEMENTS standard_key: NIST SP 800-53 Revision 4 @@ -145,7 +145,7 @@ satisfies: required to sign the Access Agreements before login is granted. When the Access Agreements are updated, the individual will be required to sign the new copy before regaining access. - implementation_status: {{status.PS_6.project}} + implementation_status: {{responsibility.PS_6.project}} - control_key: PS-7 control_name: THIRD-PARTY PERSONNEL SECURITY standard_key: NIST SP 800-53 Revision 4 @@ -175,7 +175,7 @@ satisfies: Compliance measures for assessing third-party personnel and/or contractors are determined on a case-by-case basis. Third-party personnel are monitored to ensure compliance with personnel security requirements. - implementation_status: {{status.PS_7.project}} + implementation_status: {{responsibility.PS_7.project}} - control_key: PS-8 control_name: PERSONNEL SANCTIONS standard_key: NIST SP 800-53 Revision 4 @@ -192,4 +192,4 @@ satisfies: system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation. Disciplinary sanctions are reported to the OCIO. - implementation_status: {{status.PS_8.project}} + implementation_status: {{responsibility.PS_8.project}} diff --git a/templates/components/Project/RA-RISK_ASSESSMENT.yaml b/templates/components/Project/RA-RISK_ASSESSMENT.yaml index 9f528df..9900289 100644 --- a/templates/components/Project/RA-RISK_ASSESSMENT.yaml +++ b/templates/components/Project/RA-RISK_ASSESSMENT.yaml 
@@ -27,7 +27,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.RA_1.project}} + implementation_status: {{responsibility.RA_1.project}} - control_key: RA-2 control_name: SECURITY CATEGORIZATION standard_key: NIST SP 800-53 Revision 4 @@ -52,7 +52,7 @@ satisfies: application POCs, were approved during the C&A effort. The formal security categorization document is available upon request. The system inventory for the {{project.name_short}} Project is revalidated semiannually. - implementation_status: {{status.RA_2.project}} + implementation_status: {{responsibility.RA_2.project}} - control_key: RA-3 control_name: RISK ASSESSMENT standard_key: NIST SP 800-53 Revision 4 @@ -103,7 +103,7 @@ satisfies: - Adding new interconnections to an outside service provide. - implementation_status: {{status.RA_3.project}} + implementation_status: {{responsibility.RA_3.project}} - control_key: RA-5 control_name: VULNERABILITY SCANNING standard_key: NIST SP 800-53 Revision 4 @@ -116,4 +116,4 @@ satisfies: these scans are being used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. - implementation_status: {{status.RA_5.project}} + implementation_status: {{responsibility.RA_5.project}} diff --git a/templates/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/templates/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml index 9250301..b6729c5 100644 --- a/templates/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml +++ b/templates/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 
@@ -16,7 +16,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.SA_1.project}} + implementation_status: {{responsibility.SA_1.project}} - control_key: SA-2 control_name: ALLOCATION OF RESOURCES standard_key: NIST SP 800-53 Revision 4 @@ -49,7 +49,7 @@ satisfies: desktop processing, the network environment, and web capability. Since the Exhibit 53 includes projections for multiple fiscal years, its intention is to identify and anticipate security resources required. - implementation_status: {{status.SA_2.project}} + implementation_status: {{responsibility.SA_2.project}} - control_key: SA-3 control_name: SYSTEM DEVELOPMENT LIFE CYCLE standard_key: NIST SP 800-53 Revision 4 @@ -62,7 +62,7 @@ satisfies: security requirements are incorporated during each phase of the life cycle. This helps to ensure the development of secure systems and effective risk management. - implementation_status: {{status.SA_3.project}} + implementation_status: {{responsibility.SA_3.project}} - control_key: SA-4 control_name: ACQUISITIONS standard_key: NIST SP 800-53 Revision 4 @@ -86,7 +86,7 @@ satisfies: acquisition contracts in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. - implementation_status: {{status.SA_4.project}} + implementation_status: {{responsibility.SA_4.project}} - control_key: SA-4 (10) control_name: USE OF APPROVED PIV PRODUCTS standard_key: NIST SP 800-53 Revision 4 @@ -105,7 +105,7 @@ satisfies: It is the responsibility of {{contractor.name_short}} for implementation of PIV capability for authentication as required. - implementation_status: {{status.SA_4_10.project}} + implementation_status: {{responsibility.SA_4_10.project}} - control_key: SA-5 control_name: INFORMATION SYSTEM DOCUMENTATION standard_key: NIST SP 800-53 Revision 4 
@@ -133,7 +133,7 @@ satisfies: - FOSS Reference Manuals (Drupal, GNU/Linux, Apache, MySQL, PHP, Postfix, etc.) - implementation_status: {{status.SA_5.project}} + implementation_status: {{responsibility.SA_5.project}} - control_key: SA-9 control_name: EXTERNAL INFORMATION SYSTEM SERVICES standard_key: NIST SP 800-53 Revision 4 @@ -150,4 +150,4 @@ satisfies: {{project.name_short}} is hosted on the AWS Cloud platform, which was approved under the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013. - implementation_status: {{status.SA_9.project}} + implementation_status: {{responsibility.SA_9.project}} diff --git a/templates/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/templates/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml index fdb29ba..bb49413 100644 --- a/templates/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml +++ b/templates/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml @@ -15,7 +15,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.SC_1.project}} + implementation_status: {{responsibility.SC_1.project}} - control_key: SC-5 control_name: DENIAL OF SERVICE PROTECTION standard_key: NIST SP 800-53 Revision 4 @@ -30,7 +30,7 @@ satisfies: The {{project.name_short}} support staff ensures the system is protected against or limits the effect of DoS attacks as specified in the {{project.info_security_policy}}. - implementation_status: {{status.SC_5.project}} + implementation_status: {{responsibility.SC_5.project}} - control_key: SC-7 control_name: BOUNDARY PROTECTION standard_key: NIST SP 800-53 Revision 4 
@@ -45,7 +45,7 @@ satisfies: components (e.g., public web servers) specific IP address and port combinations. Public access into the organization’s internal networks is prevented except as appropriately mediated. - implementation_status: {{status.SC_7.project}} + implementation_status: {{responsibility.SC_7.project}} - control_key: SC-12 control_name: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT standard_key: NIST SP 800-53 Revision 4 @@ -60,7 +60,7 @@ satisfies: Access enforcement and authentication requirements for {{project.name_short}} are described in AC-2 & IA-2. AWS platform does not utilize or manage cryptographic keys within the ACE boundary. - implementation_status: {{status.SC_12.project}} + implementation_status: {{responsibility.SC_12.project}} - control_key: SC-15 control_name: COLLABORATIVE COMPUTING DEVICES standard_key: NIST SP 800-53 Revision 4 @@ -70,4 +70,4 @@ satisfies: - text: | This control is not applicable, as the {{project.name_short}} system does employ any collaborative computing devices. - implementation_status: {{status.SC_15.project}} + implementation_status: {{responsibility.SC_15.project}} diff --git a/templates/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/templates/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml index a65b3f5..b4b81a5 100644 --- a/templates/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml +++ b/templates/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml @@ -23,7 +23,7 @@ satisfies: This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. - implementation_status: {{status.SI_1.project}} + implementation_status: {{responsibility.SI_1.project}} - control_key: SI-5 control_name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES standard_key: NIST SP 800-53 Revision 4 
@@ -34,7 +34,7 @@ satisfies: {{project.name_short}} representatives and system administrators receive alerts from US-CERT on a regular basis. Support personnel take appropriate action in response to relevant areas of concern. - implementation_status: {{status.SI_5.project}} + implementation_status: {{responsibility.SI_5.project}} - control_key: SI-12 control_name: INFORMATION HANDLING AND RETENTION standard_key: NIST SP 800-53 Revision 4 @@ -48,4 +48,4 @@ satisfies: required to operate the system and handle system data and output in accordance with legal requirements. Personnel training and system guidelines ensure that data and programs are handled appropriately. - implementation_status: {{status.SI_12.project}} + implementation_status: {{responsibility.SI_12.project}} diff --git a/templates/components/Project/component.yaml b/templates/components/Project/component.yaml index c7628f2..dcbc8ad 100644 --- a/templates/components/Project/component.yaml +++ b/templates/components/Project/component.yaml @@ -4,7 +4,7 @@ satisfies: - AC-ACCESS_CONTROL.yaml - AT-AWARENESS_AND_TRAINING.yaml - AU-AUDIT_AND_ACCOUNTABILITY.yaml -- CA-SECURITY_ASSESSMENT_AND_AUTHORIZATION.yaml +- CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml - CM-CONFIGURATION_MANAGEMENT.yaml - CP-CONTINGENCY_PLANNING.yaml - IA-IDENTIFICATION_AND_AUTHENTICATION.yaml diff --git a/tests/test_ssptoolkit.py b/tests/test_ssptoolkit.py index bfb355a..5250fb7 100644 --- a/tests/test_ssptoolkit.py +++ b/tests/test_ssptoolkit.py @@ -1,6 +1,7 @@ from complianceio.opencontrol import OpenControl from tools.helpers import ssptoolkit +from tools.helpers.config import Config def test_sortable_control_id(): @@ -31,7 +32,7 @@ def test_get_standards(): def test_get_certification_baseline(): baseline = ssptoolkit.get_certification_baseline() - assert len(baseline) == 147 + assert len(baseline) == 194 def test_get_standards_control_data(): 
@@ -60,4 +61,17 @@ def test_get_component_files(): def test_load_controls_by_id(): project = ssptoolkit.get_project() controls = ssptoolkit.load_controls_by_id(project.get_components()) - assert "AC-01" in controls + assert "AC-1" in controls + + +def test_config_keys(): + config = Config() + + assert len(config.config_files) == 15 + assert "sop" in config.config + + +def test_config_values(): + config = Config() + contractor = config.check_config_values(file="contractor", key="name_short") + assert contractor == "CivicActions" diff --git a/tools/creatematrix/creatematrix.py b/tools/creatematrix/creatematrix.py index 5848dd5..5052907 100644 --- a/tools/creatematrix/creatematrix.py +++ b/tools/creatematrix/creatematrix.py @@ -62,6 +62,10 @@ def create_rows(controls: dict, header: list) -> list: return rows +# def get_status(control_id: str) -> str: +# + + def get_component_data( control_id: str, control: dict, statuses: dict, header: list ) -> dict: diff --git a/tools/helpers/config.py b/tools/helpers/config.py new file mode 100644 index 0000000..53c45a5 --- /dev/null +++ b/tools/helpers/config.py 
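Review bot: `test_config_keys` pins `len(config.config_files) == 15`, but `config_files` is declared as a class attribute on `Config` and `load_keys` appends to it, so the value observed depends on how many `Config` instances have been created in the process; this test module imports `ssptoolkit`, which constructs one at import time, so the fresh `Config()` here would see every key file listed twice unless that class attribute is made per-instance. Assert against the source of truth instead, `assert len(config.config_files) == len(list(Path("keys").glob("*.yaml")))` (importing `Path` from pathlib), which also stops the test breaking whenever a key file is added. `test_config_values` hard-codes the repository-specific value `"CivicActions"` from keys/contractor.yaml, which ties the suite to this deployment's data; if the toolkit is meant to be reused, a small fixture `keys/` directory would make both tests portable.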
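Review bot: The new lines after `return rows` add only a commented-out stub, `# def get_status(control_id: str) -> str:` followed by a bare `#`, which is dead code that will drift from whatever status lookup is eventually implemented. Either implement it or replace it with a single marker stating the intent, e.g. `# TODO: add get_status(control_id) once the status/responsibility source in Config is settled`. `create_rows`, whose tail is the `return rows` context line, starts outside this hunk.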
@@ -0,0 +1,84 @@
+from pathlib import Path
+
+import click
+import yaml
+
+
+class Config:
+ config: dict
+ configuration: Path = Path("configuration.yaml")
+ keys: Path = Path("keys")
+ config_files: list[()] = []
+ default_keys: dict = {
+ "artifacts.yaml": "artifact",
+ "config-management.yaml": "cm",
+ "info_system.yaml": "information_system",
+ "justifications.yaml": "justify",
+ }
+
+ def __init__(self):
+ if self.configuration.exists():
+ try:
+ with open(self.configuration, "r") as fp:
+ self.config = yaml.load(fp, Loader=yaml.FullLoader)
+ except IOError:
+ print(f"Error loading {self.configuration.as_posix}.")
+ else:
+ raise FileNotFoundError("configuration.yaml not found in project root.")
+ self.load_keys()
+
+ def load_keys(self):
+ for filename in self.keys.glob("*.yaml"):
+ key = self.default_keys.get(filename.name, filename.stem)
+ self.config_files.append((filename.name, key))
+ with open(filename, "r") as fp:
+ self.config[key] = yaml.load(fp, Loader=yaml.FullLoader)
+
+ def check_config_values(self, file: str, key: str = "") -> str | dict:
+ if key:
+ values = self.config.get(file, {}).get(key, "")
+ else:
+ values = self.config.get(file, {})
+ return values
+
+
+@click.group()
+@click.pass_context
+def check_config(ctx):
+ ctx.obj = Config()
+
+
+@check_config.command()
+@click.option(
+ "--file",
+ "-f",
+ required=True,
+)
+@click.option(
+ "--key",
+ "-k",
+ required=False,
+ help="The name of the configuration key whose value should be shown.",
+)
+@click.pass_context
+def get_value(ctx, file: str, key: str = ""):
+ config = ctx.obj
+ if key:
+ click.echo(config.check_config_values(file, key))
+ else:
+ click.echo(yaml.dump(config.check_config_values(file), indent=4, width=80))
+
+
+@check_config.command()
+@click.pass_context
+def list_files(ctx):
+ """List all the files loaded from the keys directory"""
+ config = ctx.obj
+ click.echo("Key files and configuration keys:")
+ click.echo("---------------------------------")
+ for files in
config.config_files: + click.echo(f"{files[0]} using alias {files[1]}") + + +if __name__ == "__main__": + check_config() diff --git a/tools/helpers/secrender.py b/tools/helpers/secrender.py index 82508dd..83648a5 100644 --- a/tools/helpers/secrender.py +++ b/tools/helpers/secrender.py @@ -24,7 +24,6 @@ import click import jinja2 from yaml import FullLoader, load -from yamlinclude import YamlIncludeConstructor @click.command() @@ -81,7 +80,6 @@ def main( output_file: str, output_dir: str, ): - YamlIncludeConstructor.add_to_loader_class(loader_class=FullLoader) with open(in_, "r") as stream: yaml = load(stream, Loader=FullLoader) diff --git a/tools/helpers/ssptoolkit.py b/tools/helpers/ssptoolkit.py index 1a4d142..98b0079 100644 --- a/tools/helpers/ssptoolkit.py +++ b/tools/helpers/ssptoolkit.py @@ -10,9 +10,11 @@ import md_toc import yaml from complianceio.opencontrol import OpenControl -from yamlinclude import YamlIncludeConstructor from tools.helpers import secrender +from tools.helpers.config import Config + +config = Config() class ControlRegExps: @@ -136,18 +138,11 @@ def load_controls_by_id(component_list: list) -> dict: def load_template_args() -> dict: - YamlIncludeConstructor.add_to_loader_class(loader_class=yaml.FullLoader) - config = load_yaml_files("configuration.yaml") - return secrender.get_template_args(yaml=config, set_={}, root="") + return secrender.get_template_args(yaml=config.config, set_={}, root="") def get_control_statuses() -> dict: - p = Path("keys/status.yaml") - try: - with p.open("r") as fp: - statuses = yaml.load(fp, Loader=yaml.SafeLoader) - except FileNotFoundError as error: - raise error + statuses = config.config.get("status", {}) return statuses
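Review bot: `config_files: list[()] = []` in the `Config` class body is one list shared by every instance, and `load_keys` appends to it, so each `Config()` call (ssptoolkit now constructs one at import time) grows the same list and `len(config.config_files)` depends on how many instances exist in the process. Initialise it per instance in `__init__`, `self.config_files: list[tuple[str, str]] = []`, before `self.load_keys()`. Both `yaml.load(fp, Loader=yaml.FullLoader)` calls parse repository config, whereas the `keys/status.yaml` read that this class replaces used `yaml.SafeLoader`; unless configuration.yaml relies on Python-specific tags, `yaml.safe_load(fp)` is the conservative default for these files. In `__init__` a caught `IOError` only prints and then falls through to `self.load_keys()`, which dereferences the never-assigned `self.config`, so letting the error propagate is clearer, and `self.configuration.as_posix` is missing its call parentheses, so that message would print a bound method rather than the path. The resulting `__init__`/`load_keys` pair is sketched below.
```python
def __init__(self):
    if not self.configuration.exists():
        raise FileNotFoundError("configuration.yaml not found in project root.")
    with open(self.configuration, "r") as fp:
        # safe_load: repository config needs no Python-specific tags
        self.config = yaml.safe_load(fp) or {}
    self.config_files: list[tuple[str, str]] = []  # per instance, not class-shared
    self.load_keys()

def load_keys(self):
    for filename in self.keys.glob("*.yaml"):
        key = self.default_keys.get(filename.name, filename.stem)
        self.config_files.append((filename.name, key))
        with open(filename, "r") as fp:
            self.config[key] = yaml.safe_load(fp)
```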
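Review bot: `config = Config()` at module level of ssptoolkit.py makes importing the module depend on the current working directory, because `Config.__init__` raises `FileNotFoundError` when `configuration.yaml` is not found relative to the CWD, so any import of `tools.helpers.ssptoolkit` from outside the project root (test collection, or a caller that only wants `ControlRegExps`) now fails at import time instead of when configuration is actually needed. Build it lazily instead, e.g. `@functools.cache` over `def _get_config() -> Config: return Config()` (with `import functools`), and have `load_template_args` and `get_control_statuses` call `_get_config()`. That keeps the single-parse behaviour the module-level instance was presumably after while leaving the import side-effect free.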
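Review bot: The rewritten `get_control_statuses` silently degrades a missing status source into an empty result: the removed code raised `FileNotFoundError` if `keys/status.yaml` was absent and parsed it with `yaml.SafeLoader`, while `config.config.get("status", {})` returns `{}` when the file is missing or aliased under another key, so every control would render without a status instead of failing loudly, and the content now arrives through `Config`'s `FullLoader`. Distinguish absence from an empty file, e.g. `statuses = config.config.get("status")` followed by `if statuses is None: raise KeyError("keys/status.yaml was not loaded into the configuration")`. Separately, the templates in this commit switch `implementation_status` from `{{status.*.project}}` to `{{responsibility.*.project}}`, so if the `status` key has been superseded, this function and the `statuses` argument of creatematrix's `get_component_data` may now be reading stale data; worth confirming which key is authoritative before merging.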