Resources

Code

• SSP Toolkit: Auto-generated System Security Plan
  • Originally based on OpenControl, this toolkit - created in 2018 - has been forked to create the SSP documentation achieving seven ATOs for three Federal Agencies, one of which took just two weeks.
• OSCAL Reusable Component Definitions Library
  • This is an early example of reusable OSCAL components. Work to do includes:
    • Update from NIST SP 800-53 rev4 to rev5
    • Present ODP defaults as a Profile
    • Include plain language assessments

Papers

• Policy recommendations for improving the ATO process through Compliance as Code
• ATO ASAP: Let’s finally fix the security compliance problem (FCW)
• Rethinking the process of attaining ATOs (Government Matters)