Page 10 - GCN, May 2016

[Briefing]
18F automates system security plans
BY AMANDA ZIADEH
The General Services Administration’s 18F is building an open-source platform for automating updates to system security plans (SSPs) so agencies can create and maintain compliance documentation as rapidly as they deploy systems.
Now in prototype form, the Compliance Masonry platform is a framework for documenting the complex and lengthy SSPs that describe systems’ architecture, security controls and overall security posture.
The new tool creates machine-readable SSPs that automatically update when a system changes, allowing agency executives and IT staff to generate reports with searchable content.
To build the Compliance Masonry platform, 18F stores SSP data in YAML/JSON using the OpenControl schema, a machine-readable format for storing compliance documentation.
The platform also offers automated processes, or pipelines, for generating standardized certification documentation. Pipelines are already in place for converting YAML/JSON SSPs to GitBook (a GitHub tool) and Microsoft Word and for verifying complex tests such as whether a system is using static code analysis tools.
18F took a component-first approach with the platform, meaning the SSP documentation is based on components rather than security controls. That focus will allow agencies to quickly add, adjust and remove documentation for new or updated components.
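To make the component-first model concrete, here is an added example (not 18F's code) that loads two constructed component records in a simplified OpenControl-style layout, inverts them into the control-by-control view an SSP needs, and reports which controls in a constructed baseline no component covers. The field names (`name`, `satisfies`, `control_key`, `narrative`, `implementation_status`) are assumptions modelled on that schema.

```python
import json
from collections import defaultdict

# Constructed sample data: two component records in a simplified
# OpenControl-style layout. Field names are an assumption, not 18F's schema.
COMPONENTS = [
    json.loads("""{
      "name": "Identity Provider",
      "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "narrative": "Accounts are provisioned through the SSO directory.",
         "implementation_status": "complete"},
        {"standard_key": "NIST-800-53", "control_key": "IA-2",
         "narrative": "Multi-factor authentication is enforced at login.",
         "implementation_status": "complete"}
      ]}"""),
    json.loads("""{
      "name": "CI Pipeline",
      "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "SA-11",
         "narrative": "Static analysis runs on every commit.",
         "implementation_status": "partial"}
      ]}"""),
]

# Constructed control baseline the SSP must address.
REQUIRED = ["AC-2", "IA-2", "SA-11", "AU-2"]


def by_control(components):
    """Invert component-first data into the control-first view an SSP needs:
    control_key -> list of (component name, narrative, status)."""
    view = defaultdict(list)
    for comp in components:
        for entry in comp.get("satisfies", []):
            view[entry["control_key"]].append(
                (comp["name"], entry["narrative"], entry["implementation_status"]))
    return dict(view)


def coverage_gaps(components, required):
    """Return (controls no component claims, controls claimed only as not complete)."""
    view = by_control(components)
    missing = [c for c in required if c not in view]
    partial = [c for c in required if c in view
               and all(s != "complete" for _, _, s in view[c])]
    return missing, partial


def remove_component(components, name):
    """Component-first model: dropping a component drops all of its control text."""
    return [c for c in components if c["name"] != name]
```

Re-running `coverage_gaps` after `remove_component` shows why the component-first layout keeps documentation current: the control narratives disappear with the component instead of lingering as stale SSP text.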
So far, 18F is using Compliance Masonry to organize SSP documentation for Cloud.gov. The open-source platform is available for use and contribution by all agencies, developers and service providers. •
New Stanford course teaches defense innovation
BY MARK POMERLEAU
A new course at Stanford University called “Hacking for Defense” teaches students to apply lean startup principles to solving actual national security problems. It’s part of an effort to bring private-sector advancements to the Defense Department.
In wartime, the military attracts “some of the most innovative folks on the planet,” Steve Blank, an instructor at Stanford University, told GCN. “It’s just that when they get back to peacetime, they collapse back to one of the most bureaucratic organizations on the planet. In contrast, Silicon Valley... has been standing up innovation 24/7 for the last 50 years and not defaulting back to peacetime.”
Students work in teams to address topics such as protecting soldiers from inexpensive commercial drones and countering social media use by groups such as the Islamic State.
In addition to temporary positions with the U.S. Digital Service, “there’s AmeriCorps, there’s Peace Corps, but there really was no way to help technical folks give back directly to DOD or [the intelligence community] without putting on a uniform,” Blank said, which is why he created the course. Retired Army colonel and course instructor Pete Newell asked, “When we have another war...where are we going to find the people” who can rapidly deploy new technology? “I’ll tell you where you’ll find them. We’ll find them on the other side of the battlefield where insurgents...have perfected the lean methodology.”
Building an agile, responsive and resilient approach to national security “requires new ways to think about, organize and build and deploy national security people, organizations and solutions,” Blank said. •
Retro tech
GCN has covered government IT since 1982, and the technology itself started earlier still. To wit: Development of the Electronic Numerical Integrator and Computer (ENIAC) began in 1943. The computer was used by the Army’s Ballistic Research Laboratory until 1955. (U.S. Information Agency photo)
ARCHIVES.GOV