@gregelin
Created March 11, 2021 14:41
{
"component-definition": {
"uuid": "7551cb7a-85d8-4f64-a8bc-056dc20bf16b",
"metadata": {
"title": "GovReady-Q Component-to-Control Narratives",
"published": "2021-03-11T14:40:52+00:00",
"last-modified": "2021-03-11T11:16:15+00:00",
"version": "string",
"oscal-version": "1.0.0-rc1"
},
"components": {
"e46dbb98-83c5-4c1f-b136-0a111f7fcae4": {
"title": "GovReady-Q",
"type": "software",
"description": "A modern, open source GRC software tool based around Compliance as Code",
"control-implementations": [
{
"uuid": "88f47147-c89f-4292-80ad-0638dbbc3f71",
"source": "NIST_SP-800-53_rev4",
"description": "Partial implementation of NIST_SP-800-53_rev4",
"implemented-requirements": [
{
"uuid": "9be37677-82e0-47c9-b5c8-63b54101be47",
"control-id": "ac-2",
"description": "",
"remarks": "",
"statements": {
"ac-2_smt.g": {
"uuid": "f56fa601-3116-482a-a4c9-416485e9f3e6",
"description": "GovReady-Q application System Administrator monitors system performance and troubleshoots issues to ensure security and efficiency of IT infrastructure.",
"remarks": ""
},
"ac-2_smt.k": {
"uuid": "0631b757-ad16-485e-bfc9-9495eabcfc91",
"description": "There are no shared/group accounts in the GovReady-Q application.",
"remarks": ""
}
}
},
{
"uuid": "8e527327-8b0a-4b81-a10c-986223852d03",
"control-id": "ac-2.1",
"description": "",
"remarks": "",
"statements": {
"ac-2.1_smt": {
"uuid": "0950767a-17ac-483b-b676-4f0ffd6de035",
"description": "There are no automated process mechanisms to support the management of information system accounts for GovReady-Q application.\r\n\r\n",
"remarks": ""
}
}
},
{
"uuid": "6d68b347-da6b-48ae-a14c-9c8aebe234ed",
"control-id": "ac-2.2",
"description": "",
"remarks": "",
"statements": {
"ac-2.2_smt": {
"uuid": "5726023c-48d1-4b6f-b28a-c6f6b7189884",
"description": "There are no automated removal processes for any account in GovReady-Q application.",
"remarks": ""
}
}
},
{
"uuid": "142ad160-23e1-4ad3-a96d-2622980f523c",
"control-id": "ac-3",
"description": "",
"remarks": "",
"statements": {
"ac-3_smt": {
"uuid": "a722d989-6bcb-4ff1-be53-b39949061ad7",
"description": "All users of the GovReady-Q application will be end users plus a small number of Application Super Admin users. These roles are managed by access control lists in the backend. Authorization of other logical access is not granted to these users. \r\n\r\nThe Application Super Admin user looks after all application management. The application super admin user has the ability to manage the access and level of responsibility of all application users.",
"remarks": ""
}
}
},
{
"uuid": "9c611fd7-dd26-41cb-a842-122e4885fd21",
"control-id": "ac-6",
"description": "",
"remarks": "",
"statements": {
"ac-6_smt": {
"uuid": "076cea89-a9a9-48a0-b42a-fd61e0f999b8",
"description": "All users of the GovReady application will be end users plus a small number of Application Super Admin users. These roles are managed by access control lists in the backend. \r\n\r\nThe Application Super Admin user looks after all application management. The application super admin user has the ability to manage the access and level of responsibility of all application users.",
"remarks": ""
}
}
},
{
"uuid": "47808f6a-1b70-4fb0-973c-7cbdd58288f2",
"control-id": "ac-6.1",
"description": "",
"remarks": "",
"statements": {
"ac-6.1_smt": {
"uuid": "9b91809c-d525-4a74-95e7-9de2e6c9fb00",
"description": "GovReady-Q Database Administrators (DBA) use specialized software to monitor and manage the application\u2019s data stored in a relational database. This work includes capacity planning, installation, configuration, migration, performance monitoring, security, troubleshooting, as well as backup and data recovery.\r\n\r\nGovReady-Q System Administrators install and configure software, hardware, networks, repositories, the CI/CD pipeline, and deployments. They also monitor system performance and troubleshoot issues to ensure security and efficiency of IT infrastructure.",
"remarks": ""
}
}
},
{
"uuid": "0df3aa01-ff74-4002-be35-5d7932735ee2",
"control-id": "ac-6.2",
"description": "",
"remarks": "",
"statements": {
"ac-6.2_smt": {
"uuid": "c7f38d2e-5532-405e-be51-bba94d34152b",
"description": "All users of the GovReady-Q application will be end users plus a small number of Application Super Admin users. These roles are managed by access control lists in the backend. Authorization of other logical access is not granted to these users. \r\n\r\nThe Application Super Admin user looks after all application management. The application super admin user has the ability to manage the access and level of responsibility of all application users.\r\n\r\nGovReady-Q Database Administrators (DBA) use specialized software to monitor and manage the application\u2019s data stored in a relational database. This work includes capacity planning, installation, configuration, migration, performance monitoring, security, troubleshooting, as well as backup and data recovery.\r\n\r\nGovReady-Q System Administrators install and configure software, hardware, networks, repositories, the CI/CD pipeline, and deployments. They also monitor system performance and troubleshoot issues to ensure security and efficiency of IT infrastructure.",
"remarks": ""
}
}
},
{
"uuid": "5b01af46-af32-4908-9604-06a1037141eb",
"control-id": "ac-6.5",
"description": "",
"remarks": "",
"statements": {
"ac-6.5_smt": {
"uuid": "57a6ebf8-7460-4264-9402-a483b6aea740",
"description": "All users of the GovReady-Q application will be end users plus a small number of Application Super Admin users. These roles are managed by access control lists in the backend. Authorization of other logical access is not granted to these users. \r\n\r\nThe privileged accounts (Application Super Admin) user looks after all application management. The application super admin user has the ability to manage the access and level of responsibility of all application users. ",
"remarks": ""
}
}
},
{
"uuid": "579d7871-4c74-4edd-82e3-f7bee52684c2",
"control-id": "ac-6.9",
"description": "",
"remarks": "",
"statements": {
"ac-6.9_smt": {
"uuid": "1af61b1a-8228-4d6f-a6a0-d20ec9287d94",
"description": "The GovReady-Q Django/site administration monitors execution of privileged functions within the GovReady application.\r\n\r\n",
"remarks": ""
}
}
},
{
"uuid": "5f992a2b-e0ec-4d33-9710-039f9d03ee6a",
"control-id": "au-2",
"description": "",
"remarks": "",
"statements": {
"au-2_smt": {
"uuid": "79c9e62f-6a1f-4d5b-9e2c-066d5c126923",
"description": "(a) The GovReady-Q System Administrator has access to the audit logs in the Organization's logging tool which monitors successful and unsuccessful account logon events, account management events, object access, policy change, privileged functions, process tracking, and system events. \r\n\r\n(b) The GovReady-Q System Owner in coordination with the GovReady-Q ISSO coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;\r\n\r\n(c) The GovReady-Q ISSO will work with the Organization's security organization to create a Standard Operating Procedure which provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;\r\n\r\n(d) The GovReady-Q System Administrator has access to the audit logs in Kibana which monitors successful and unsuccessful account logon events, account management events, object access, policy change, privileged functions, process tracking, and system events.",
"remarks": ""
}
}
},
{
"uuid": "8c318a98-dbdb-4520-a162-88a4bed9634d",
"control-id": "au-6",
"description": "",
"remarks": "",
"statements": {
"au-6_smt": {
"uuid": "6d181e29-1996-4f71-bd2a-2bb358f79a2f",
"description": "(a) The GovReady-Q ISSO will review the GovReady-Q application-related audit logs and report findings to the System Owner, Organization CISO and SOC. The GovReady-Q Application in Single Sign On mode transfers primary account auditing to the Organization Single Sign On service. The GovReady-Q application in Single Sign On mode provides secondary account auditing that supplements the Organization Single Sign On primary auditing.\r\n\r\n(b) Reports findings to the System Owner, Organization CISO and SOC.\r\n\r\nThe GovReady ISSO reviews this control at least annually or whenever there is a significant change. ",
"remarks": ""
}
}
},
{
"uuid": "5e1a42c1-6452-43ee-ad28-da6c4f5d8334",
"control-id": "ca-3",
"description": "",
"remarks": "",
"statements": {
"ca-3_smt": {
"uuid": "d374ffc5-35c0-4c2d-a24b-04ffefe3c13a",
"description": "GovReady-Q provides each user with API credentials that enable information exchanges with the same privileges as the user between GovReady-Q and other information systems with documented Interconnection Security Agreements. Users have API credentials that control information exchanges to read-only, write-only, or read/write.\r\n\r\nGovReady ISSO will review this control at least annually or whenever there is a change. ",
"remarks": "Interconnection Security Agreement policies vary among organizations."
}
}
},
{
"uuid": "20b8077d-bc1e-4fb3-b319-4582294ceccc",
"control-id": "cm-2",
"description": "",
"remarks": "",
"statements": {
"cm-2_smt": {
"uuid": "2fb35c58-27b7-486d-bb36-51f7d0d60902",
"description": "The GovReady System Admin in coordination with the release manager maintains configuration controls/baselines for the application. They ensure that changes are documented and formally reviewed before changes are deployed to each environment (dev, sat, edu and prod).\r\n\r\nGit is the source code version control software that is used to maintain configuration control of information systems.\r\n\r\nGovReady-Q application developers employ Git as an automated mechanism to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the GovReady-Q application source code. Git also provides version control for all changes made to baseline configurations. \r\n\r\nThe ISSO reviews this control at least annually or whenever there is a significant change.\r\n\r\nThe GovReady-Q System Administrator in coordination with the Organization Release Manager maintains configuration baselines for the GovReady-Q Application. They ensure that changes are documented and formally reviewed before changes are deployed to each environment.",
"remarks": ""
}
}
},
{
"uuid": "a1362e1f-692a-4496-bb8a-4b6396635a24",
"control-id": "cm-2.1",
"description": "",
"remarks": "",
"statements": {
"cm-2.1_smt": {
"uuid": "5f4c26c8-4e0b-4b87-995b-d9901ddb24c3",
"description": "The GovReady-Q System Administrator reviews and updates the configuration of the GovReady Application:\r\n\r\n(a) Upon changes in the information system or in the system's environment of operation such as new software or detected vulnerabilities;\r\n\r\n(b) When required in accordance with the GovReady Application Concept of Operations document;\r\n\r\n(c) As an integral part of information system component installations and upgrades.",
"remarks": ""
}
}
},
{
"uuid": "e1ff3388-49a5-47a8-b2e4-8394fa3eff4f",
"control-id": "cm-2.3",
"description": "",
"remarks": "",
"statements": {
"cm-2.3_smt": {
"uuid": "546483f1-3770-4f4e-b66b-579b92d23fc1",
"description": "The GovReady-Q System Admin in coordination with the release manager maintains configuration controls/baselines for the application. They ensure that changes are documented and formally reviewed before changes are deployed to each environment.\r\n\r\nThe GovReady-Q application uses the Django framework for maintaining the configuration of the database schema. The Django framework tracks all modifications to the database schema and supports the rollback of the database structure.",
"remarks": ""
}
}
},
{
"uuid": "955fe203-2d9c-4ae5-89b8-990f369693e8",
"control-id": "cm-6",
"description": "",
"remarks": "",
"statements": {
"cm-6_smt.No": {
"uuid": "e4aac0e0-752e-40db-b51f-4a8df30cdd8c",
"description": "The GovReady-Q System Admin in coordination with the Organization Release Manager maintains configuration controls/baselines for the application. They ensure that changes are documented and formally reviewed before changes are deployed to each environment.",
"remarks": ""
}
}
},
{
"uuid": "35404946-4868-4c35-a6c9-bec37d85c3c9",
"control-id": "cm-8",
"description": "",
"remarks": "",
"statements": {
"cm-8_smt": {
"uuid": "d598d9ed-8e54-4788-b6ff-ec25ea6ca9d2",
"description": "(a) The GovReady-Q ISSO develops and documents an inventory of information system components that:\r\n\r\n(1) Accurately reflects the current GovReady-Q System Components and information system;\r\n(2) Includes all components within the authorization boundary of the information system;\r\n(3) Is at the level of granularity deemed necessary for tracking and reporting; and\r\n(4) Includes information contained in the DHS Inventory methodology; and\r\n\r\n(b) The GovReady-Q ISSO reviews and updates the information system component inventory annually.\r\n\r\nThe GovReady-Q ISSO reviews this control at least annually or whenever there is a significant change.",
"remarks": "The GovReady-Q ISSO \r\n\r\n(a) Develops and documents an inventory of information system components that:\r\n\r\n(1) Accurately reflects the current GovReady System Components and information system;\r\n\r\n(2) Includes all components within the authorization boundary of the information system;\r\n\r\n(3) Is at the level of granularity deemed necessary for tracking and reporting; and\r\n\r\n(4) Includes information contained in the Organization Inventory methodology; and\r\n\r\n(b) The GovReady-Q ISSO reviews and updates the information system component inventory annually.\r\n\r\nThe GovReady-Q ISSO reviews this control at least annually or whenever there is a significant change."
}
}
},
{
"uuid": "a566f631-9bec-43fd-bc72-eef6ae0618e4",
"control-id": "cm-8.1",
"description": "",
"remarks": "",
"statements": {
"cm-8.1_smt": {
"uuid": "4b150df5-2584-4d77-87da-af5aae3658b0",
"description": "The GovReady-Q System Admin in coordination with the Organization Release Manager updates the inventory of information system components as an integral part of component installations, removals, and information system updates. The GovReady ISSO works with the GovReady Application Team to update the system inventory in the System Security Plan whenever a new version of software is installed or removed as part of the configuration management plan.",
"remarks": "\r\n\r\n"
}
}
},
{
"uuid": "b1d84c5c-1054-4879-bdbe-b9bbb177e22d",
"control-id": "cm-8.3",
"description": "",
"remarks": "",
"statements": {
"cm-8.3_smt.a": {
"uuid": "7838ae5e-aeb2-4f0a-b794-8922d4d811fb",
"description": "The GovReady-Q application has not employed any automated mechanism to detect the presence of unauthorized software and firmware components within the information system at the level of the Application Layer.\r\n",
"remarks": ""
}
}
},
{
"uuid": "8deb1336-431b-438a-a169-f4a1ae30aa06",
"control-id": "ia-2.8",
"description": "",
"remarks": "",
"statements": {
"ia-2.8_smt": {
"uuid": "6359c356-8cf1-4d47-b3b7-699e135723a7",
"description": "Authentication in the GovReady-Q application is managed by the built-in Django authentication library or is delegated to the organization's Single Sign On mechanism.\r\n\r\nAdditionally, the GovReady-Q application is configured with the replay-resistant Transport Layer Security (TLS) protocol.",
"remarks": ""
}
}
},
{
"uuid": "1e84a6b1-3a78-4848-80ab-c9a3430848d4",
"control-id": "ir-5",
"description": "",
"remarks": "",
"statements": {
"ir-5_smt": {
"uuid": "add5870e-a6a8-498c-a782-f5dba23f5da5",
"description": "The GovReady-Q Application Team tracks and documents source code and development security incidents at the application level inside GitHub issues and Google docs. GitHub issues is issue tracking software that supports documenting an issue such as a software bug or security issue, the status of the issue, notes about the issue, and attachments about the issue such as forensics.",
"remarks": ""
}
}
},
{
"uuid": "9d3741ef-9ac3-4165-8cda-9998cbd45ad6",
"control-id": "pl-2.3",
"description": "",
"remarks": "",
"statements": {
"pl-2.3_smt": {
"uuid": "cc0588b7-7d4f-4f00-9df8-a43decc5ed45",
"description": "Security-related activities affecting the information system are required to go through the change control process before conducting such activities in order to reduce the impact on other organizational entities. Security authorization documentation activities such as annual assessment and contingency plan updates are done by the GovReady-Q ISSO and reviewed by the Organization SCA.\r\n\r\nThe GovReady ISSO reviews this control at least annually or whenever there is a significant change.",
"remarks": ""
}
}
},
{
"uuid": "b8df07f7-a2a4-4c19-8c4e-d7779be3f4b2",
"control-id": "pl-8",
"description": "",
"remarks": "",
"statements": {
"pl-8_smt.None": {
"uuid": "6c7e36e8-9170-44fb-a97e-615e2938bc87",
"description": "The ISSO reviews this control at least annually or whenever there is a significant change.",
"remarks": ""
}
}
},
{
"uuid": "1e423d3a-1d46-4f28-8b1c-4e9e9991eda5",
"control-id": "ra-5",
"description": "",
"remarks": "",
"statements": {
"ra-5_smt": {
"uuid": "dcd77a65-7fbd-43d5-b015-63eaf0f31121",
"description": "a. TBD is deployed to scan for container image security vulnerabilities. GovReady performs Aquasec code scans with each new build of the application code. Scan results are sent to the GovReady ISSO on a weekly basis. \r\n\r\nb. The Organization SOC uses TBD to manage vulnerability scan results for various scanning tools. \r\n\r\nc. The GovReady-Q ISSO is responsible for reviewing and analyzing scan results for resources defined in their boundary. \r\n\r\nd. The GovReady-Q ISSO works with systems administrators or development teams to patch vulnerabilities and address configuration changes as necessary to address legitimate vulnerabilities discovered in scans.\r\n\r\ne. The GovReady-Q ISSO shares information between teams to address common vulnerabilities.\r\n\r\nThe GovReady-Q ISSO reviews this control at least annually or whenever there is a significant change.",
"remarks": ""
}
}
},
{
"uuid": "bc69e06d-bf6f-48fc-809d-2292b011d789",
"control-id": "sc-13",
"description": "",
"remarks": "",
"statements": {
"sc-13_smt": {
"uuid": "111a1214-1669-4dff-9fe6-3eaf672e9f39",
"description": "nan",
"remarks": "The GovReady Application contributes to this HYBRID control.\n\nThe information system implements Protection of For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive PII, Sensitive But Unclassified (SBU), Sensitive Security Information (SSI) and Controlled Unclassified Information (CUI) in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nThe GovReady Application employs cryptography as part of the Transport Layer Security (TLS) protocol to encrypt communication between the GovReady Application and the CBP ICAM Single Sign On Proxy and between the GovReady Application and the GovReady Database running in CACE RDS. \n\nThe CACE RDS contributes to this HYBRID control.\n\nThe CACE RDS (Relational Database Service) is configured to employ cryptography to encrypt data at rest.\n\nCBP ICAM Single Sign On contributes to this HYBRID control.\n\nCBP ICAM Single Sign On employs cryptography as part of the Transport Layer Security (TLS) protocol to encrypt communication between the user's web browser and the CBP ICAM Single Sign On Proxy and between the GovReady Application and the CBP ICAM Single Sign On Proxy. "
}
}
},
{
"uuid": "d6f17078-c8c8-4c04-b01a-08e58ea95fc4",
"control-id": "si-2",
"description": "",
"remarks": "",
"statements": {
"si-2_smt": {
"uuid": "b0a623df-747e-459f-9079-1d01d8ebbe3f",
"description": "The GovReady-Q Application Team:\r\n\r\n(a) Identifies, reports, and corrects information system flaws, including code vulnerabilities and code quality issues found by scans using tools such as Snyk, Bandit and Fortify, flaws discovered during automated and manual quality assurance testing by the GovReady Application Team, and vulnerabilities detected by Pyup.io's Python vulnerability database Safety DB;\r\n\r\n(b) Tests and remediates all code flaws as required by documenting the flaws in Jira and tracking the resolution;\r\n\r\n(c) Performs any update per request of the System Owner;\r\n\r\n(d) Documents and logs all remediation in Jira. The various source code scans are part of the CircleCI pipeline process. \r\n\r\nThe GovReady-Q ISSO reviews this control at least annually or whenever there is a significant change.",
"remarks": ""
}
}
},
{
"uuid": "6ffda12c-2c62-4f04-a8ce-0977c35a275b",
"control-id": "si-2.2",
"description": "",
"remarks": "",
"statements": {
"si-2.2_smt": {
"uuid": "7a1fe1df-983f-4b94-9c03-745a4b197344",
"description": "GovReady utilizes monthly scans from the SOC VAT team to identify flaws and ensure patches are applied in accordance with the monthly patch process and ISVM process for formal FISMA reporting. ",
"remarks": ""
}
}
}
]
}
]
}
}
}
}
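The component definition above is in the OSCAL 1.0.0-rc1 JSON shape, where "components" and "statements" are objects keyed by uuid and statement id rather than the arrays the final 1.0.0 schema uses, and it carries a few export defects an assessor would want flagged before loading it into a tool: the sc-13 statement's description is the literal string "nan", and the cm-6 and pl-8 statement keys carry stray ".No" and ".None" suffixes. The following script is an added example, not code from the gist or from GovReady-Q, that walks such a document, tallies which controls it claims, and reports those defects; it accepts both the rc1 map shape and the array shape. It assumes OSCAL uuids are RFC 4122 v4 or v5 and that statement ids have the form "<control-id>_smt" with an optional lowercase label (as in "ac-2_smt.g"); the embedded SAMPLE is a constructed miniature of the gist with three defects seeded on purpose.

```python
"""Walk an OSCAL component-definition (1.0.0-rc1 JSON shape, as in the gist)
and report control coverage plus data-quality findings.

Constructed example, not GovReady-Q code. Assumptions: OSCAL uuids are RFC 4122
v4/v5; statement ids look like '<control-id>_smt' or '<control-id>_smt.<label>'.
"""
import json
import re
import uuid

# Strings that are clearly export placeholders rather than a narrative.
PLACEHOLDERS = {"", "nan", "none", "null", "tbd"}

# '<control-id>_smt' with an optional lowercase statement label, e.g. ac-2_smt.g
STMT_RE = re.compile(r"^(?P<ctl>[a-z]{2}-\d+(?:\.\d+)?)_smt(?:\.[a-z0-9]+)?$")

# Constructed sample in the same rc1 shape as the gist. Three defects are seeded
# on purpose: a 'nan' description, a statement key with a stray '.None' suffix,
# and an all-zero (non-v4) implemented-requirement uuid.
SAMPLE = json.dumps({"component-definition": {
    "uuid": "7551cb7a-85d8-4f64-a8bc-056dc20bf16b",
    "metadata": {"title": "sample", "oscal-version": "1.0.0-rc1"},
    "components": {"e46dbb98-83c5-4c1f-b136-0a111f7fcae4": {
        "title": "GovReady-Q", "type": "software",
        "control-implementations": [{
            "uuid": "88f47147-c89f-4292-80ad-0638dbbc3f71",
            "source": "NIST_SP-800-53_rev4",
            "implemented-requirements": [
                {"uuid": "9be37677-82e0-47c9-b5c8-63b54101be47", "control-id": "ac-2",
                 "statements": {
                     "ac-2_smt.g": {"uuid": "f56fa601-3116-482a-a4c9-416485e9f3e6",
                                    "description": "Admin monitors account use."},
                     "ac-2_smt.k": {"uuid": "0631b757-ad16-485e-bfc9-9495eabcfc91",
                                    "description": "No shared or group accounts."}}},
                {"uuid": "111a1214-1669-4dff-9fe6-3eaf672e9f39", "control-id": "sc-13",
                 "statements": {
                     "sc-13_smt": {"uuid": "bc69e06d-bf6f-48fc-809d-2292b011d789",
                                   "description": "nan",
                                   "remarks": "TLS in transit; RDS encryption at rest."}}},
                {"uuid": "00000000-0000-0000-0000-000000000000", "control-id": "pl-8",
                 "statements": {
                     "pl-8_smt.None": {"uuid": "6c7e36e8-9170-44fb-a97e-615e2938bc87",
                                       "description": ""}}},
            ]}]}}}})


def as_list(node, id_key):
    """rc1 keys components/statements by id; the final 1.0.0 schema uses arrays
    carrying the id inside each object. Normalise both to a list of dicts."""
    if isinstance(node, dict):
        return [{**value, id_key: key} for key, value in node.items()]
    return list(node or [])


def is_oscal_uuid(value, versions=(4, 5)):
    """True if value parses as an RFC 4122 UUID of an accepted version."""
    try:
        return uuid.UUID(str(value)).version in versions
    except ValueError:
        return False


def analyze(doc_json):
    """Return ({control-id: statement count}, [(control-id, finding), ...])."""
    doc = json.loads(doc_json)["component-definition"]
    coverage, findings = {}, []
    if not is_oscal_uuid(doc.get("uuid")):
        findings.append(("component-definition", "uuid is not a v4/v5 UUID"))
    for comp in as_list(doc.get("components"), "uuid"):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                ctl = req.get("control-id", "")
                if not is_oscal_uuid(req.get("uuid")):
                    findings.append((ctl, "implemented-requirement uuid is not v4/v5"))
                stmts = as_list(req.get("statements"), "statement-id")
                coverage[ctl] = coverage.get(ctl, 0) + len(stmts)
                for st in stmts:
                    sid = st.get("statement-id", "")
                    m = STMT_RE.match(sid)
                    if m is None or m.group("ctl") != ctl:
                        findings.append((ctl, f"statement id {sid!r} does not match control"))
                    if (st.get("description") or "").strip().lower() in PLACEHOLDERS:
                        where = "remarks only" if (st.get("remarks") or "").strip() else "no narrative"
                        findings.append((ctl, f"placeholder description {st.get('description')!r} ({where})"))
    return coverage, findings


if __name__ == "__main__":
    cov, probs = analyze(SAMPLE)
    print("controls claimed:", ", ".join(f"{c} ({n})" for c, n in sorted(cov.items())))
    for ctl, msg in probs:
        print(f"FINDING {ctl}: {msg}")
```

Run against the gist itself (read the file and pass its text to analyze), the same checks surface the "nan" description on sc-13 and the malformed "cm-6_smt.No" and "pl-8_smt.None" statement keys; the placeholder check distinguishes statements whose narrative survives only in "remarks" from statements with no narrative at all, which is the difference between a mapping problem and a missing implementation statement.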