Date: 2022-06-02
Superseded by ADR 16
Compliance documentation is an essential component of working in the open while providing clear and obvious evidence of security considerations, concerns, and mitigations. We need to decide how to document this work in order to expedite the ATO process.
One notable compliance documentation option from NIST is using OSCAL with Trestle to generate a System Security Plan (SSP) using Markdown.
Based on the Compliance Template, we can develop our compliance documentation and SSP generation with less effort than traditional spreadsheet tracking.
This is one option that provides adequate coverage, leverages one of the few compliance documenation frameworks, and is in use by the Login.gov Team Mary, therefore:
We will use Compliance Trestle for compliance documentation
- SSP Generation
- Illustrative examples
- Simple workflow
- Ability to add new controls
- Starting the process early will help expedite the ATO process
- The compliance documentation build process will need to be refined
- Documenting controls will become an additional effort
- Trestle is still in active development
- OSCAL is still in active development
- An SSP generated by Trestle may need to be converted based on an ISSO's preference
Was previously ADR 0009; renamed/renumbered when PDRs and ADRs were merged.