Summary: Case Study (18F): Automating compliance for the Federal Government with Compliance Masonry
US Federal Government agencies were projected to spend nearly $ billion on IT in support of the mission of all the executive branch agencies. Regardless of agency, taking any system from dev complete to live in production requires obtaining an Authority to Operate (ATO) from a Designated Approving Authority (DAA). The laws and policies that govern compliance in government comprise tens of documents that together run to over four thousand pages, littered with acronyms such as FISMA, FedRAMP, and FITARA. Even for systems that only require low levels of confidentiality, integrity, and availability, over one hundred controls must be implemented, documented, and tested. It typically takes between eight and fourteen months for an ATO to be granted following dev complete.
The 18F team in the federal government's General Services Administration has taken a multipronged approach to solving this problem. Mike Bland explains, "18F was created within the General Services Administration to capitalize on the momentum generated by the Healthcare.gov recovery to reform how the government builds and buys software."
One 18F effort is a platform as a service called Cloud.gov, created from open source components. Cloud.gov runs on AWS GovCloud at present. Not only does the platform handle many of the operational concerns that delivery teams might otherwise have to take care of themselves, such as logging, monitoring, alerting, and service lifecycle management, it also handles the bulk of compliance concerns. By running on this platform, a large majority of the controls that government systems must implement can be taken care of at the infrastructure and platform level. Then, only the remaining controls that are in scope at the application layer have to be documented and tested, significantly reducing the compliance burden and the time it takes to receive an ATO.
AWS GovCloud has already been approved for use by federal government systems of all types, including those that require high levels of confidentiality, integrity, and availability. By the time you read this book, it is expected that Cloud.gov will be approved for all systems that require moderate levels of confidentiality, integrity, and availability.
Furthermore, the Cloud.gov team is building a framework to automate the creation of system security plans (SSPs), which are comprehensive descriptions of the system's architecture, implemented controls, and general security posture. SSPs are often incredibly complex, running several hundred pages in length. The team developed a prototype tool called compliance masonry so that SSP data is stored in machine-readable YAML and then turned into GitBooks and PDFs automatically.
18F is dedicated to working in the open and publishes its work as open source in the public domain. You can find compliance masonry and the components that make up Cloud.gov in 18F's GitHub repositories; you can even stand up your own instance of Cloud.gov. The work on open documentation for SSPs is being done in close partnership with the OpenControl community.
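The control-inheritance idea from the two passages above, as an added example (not compliance masonry's or OpenControl's own code): each layer declares the controls it satisfies, the application team is left with the residual set, and the narratives are rendered into the Markdown a GitBook build would consume. The record shape is loosely modelled on OpenControl's component.yaml, but the field names, the "layer" attribute, the control subset and every narrative are constructed assumptions, and the data is embedded as Python dicts so the script runs without a YAML library.

```python
from collections import defaultdict

# Constructed data shaped loosely like OpenControl's component.yaml (name /
# satisfies / control_key / narrative); "layer" is an assumption added here.
def component(name, layer, narratives):
    """Build one component record from a control_key -> narrative mapping."""
    return {"name": name, "layer": layer,
            "satisfies": [{"standard_key": "NIST-800-53", "control_key": k,
                           "narrative": v} for k, v in narratives.items()]}

COMPONENTS = [
    component("AWS GovCloud", "infrastructure", {
        "PE-3": "Physical access to data centres is controlled by the CSP.",
        "SC-7": "VPC security groups and NACLs enforce the system boundary."}),
    component("Cloud.gov platform", "platform", {
        "AU-2": "Router and application logs are shipped to central logging.",
        "AU-6": "Platform operators review aggregated logs daily.",
        "CM-2": "Buildpacks and stemcells are versioned and pinned.",
        "SC-13": "TLS terminates at the platform router."}),
    component("Example benefits app", "application", {
        "AC-2": "Accounts come from the agency IdP and are reviewed quarterly."}),
]
# Constructed subset of the controls a low-baseline system must address.
REQUIRED_LOW = ["AC-2", "AC-3", "AU-2", "AU-6", "CM-2", "PE-3", "SC-7", "SC-13"]
INHERITABLE_LAYERS = {"infrastructure", "platform"}

def coverage(components, required):
    """Map each required control to its (layer, component, narrative) claims."""
    claims = defaultdict(list)
    for comp in components:
        for entry in comp["satisfies"]:
            claims[entry["control_key"]].append(
                (comp["layer"], comp["name"], entry["narrative"]))
    return {key: claims.get(key, []) for key in required}

def residual_controls(components, required):
    """Controls not inherited from infrastructure/platform: the app team owns these."""
    return sorted(key for key, claims in coverage(components, required).items()
                  if not any(layer in INHERITABLE_LAYERS for layer, _, _ in claims))

def render_ssp_markdown(components, required):
    """Render the per-control narratives a GitBook/PDF build would consume."""
    lines = ["# System Security Plan: control narratives"]
    for key, claims in coverage(components, required).items():
        lines.append(f"\n## {key}")
        if not claims:  # a required control nobody documents is an assessment finding
            lines.append("_Not yet documented: no component claims this control._")
        lines.extend(f"- **{name}** ({layer}): {text}" for layer, name, text in claims)
    return "\n".join(lines)
```

With the constructed data, six of the eight controls are inherited and only AC-2 and AC-3 fall to the application team, with AC-3 flagged in the rendered plan as undocumented.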