From 5431806ddfe38477f8e1539ad5dc477f1942008a Mon Sep 17 00:00:00 2001 From: Tom Camp Date: Wed, 29 Jan 2025 18:16:46 -0500 Subject: [PATCH 1/7] Adding pre-commit hook to generate requirements.txt --- .pre-commit-config.yaml | 5 +++++ poetry.lock | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e61b06f..b3c0094 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,3 +39,8 @@ repos: .*/.*_test\.py| .*/.*test_.*\.py )$ + - repo: https://github.com/python-poetry/poetry-plugin-export + rev: 1.9.0 + hooks: + - id: poetry-export + args: ["-f", "requirements.txt", "-o", "requirements.txt"] diff --git a/poetry.lock b/poetry.lock index af187c1..378821f 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand. [[package]] name = "anyio" @@ -555,7 +555,7 @@ jinja2 = ">=2.10.1,<4.0" packaging = "*" pydantic = [ {version = ">=1.10.0,<2.0.0 || >2.0.0,<2.0.1 || >2.0.1,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.12\" and python_version < \"4.0\""}, - {version = ">=1.10.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.11\" and python_version < \"4.0\""}, + {version = ">=1.10.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.11\" and python_version < \"3.12\""}, {version = ">=1.9.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.10\" and python_version < \"3.11\""}, ] pyyaml = ">=6.0.1" 
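Review bot: `rev: 1.9.0` in the new poetry-export hook pins a mutable tag, so the hook code pre-commit fetches and runs at commit time can change without any change appearing in this file; pinning the full commit SHA of that release (`rev: <commit-sha-of-poetry-plugin-export-1.9.0>  # 1.9.0`) gives a fixed integrity anchor for the tool that writes the file deployments will install from. The export keeps per-package `--hash=sha256:` entries, which is the right default, but the generated requirements.txt in the second patch also contains a VCS requirement (`complianceio @ git+https://github.com/CivicActions/compliance-io.git@fc15d75…`), and pip's hash-checking mode (`--require-hashes`) cannot verify VCS sources, so consumers of this file either install it without hash verification or need that dependency published as a hashable artifact. A short comment on the hook stating which installer flags the exported file is meant to satisfy would make that trade-off explicit, e.g. `# exported with hashes; note pip --require-hashes rejects the git+ dependency`.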
@@ -1485,6 +1485,7 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd"}, + {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win32.whl", hash = "sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win_amd64.whl", hash = "sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6"}, 
@@ -1493,6 +1494,7 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2"}, + {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win32.whl", hash = "sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win_amd64.whl", hash = "sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632"}, 
@@ -1501,6 +1503,7 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680"}, + {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win32.whl", hash = "sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win_amd64.whl", hash = "sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a"}, 
@@ -1509,6 +1512,7 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1"}, + {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win32.whl", hash = "sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win_amd64.whl", hash = "sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987"}, 
@@ -1517,6 +1521,7 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed"}, + {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win32.whl", hash = "sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win_amd64.whl", hash = "sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b"}, {file = "ruamel.yaml.clib-0.2.12.tar.gz", hash = "sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f"}, From 35e0e5ed52680085ea4261daeff055f96d4715d5 Mon Sep 17 00:00:00 2001 From: Tom Camp Date: Wed, 29 Jan 2025 18:18:57 -0500 Subject: [PATCH 2/7] Adding pre-commit hook to generate requirements.txt --- requirements.txt | 858 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 858 insertions(+) create mode 100644 requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..92a0a54 --- /dev/null +++ b/requirements.txt 
@@ -0,0 +1,858 @@ +anyio==4.8.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1d9fe889df5212298c0c0723fa20479d1b94883a2df44bd3897aa91083316f7a \ + --hash=sha256:b5011f270ab5eb0abf13385f851315585cc37ef330dd88e27ec3d34d651fd47a +argcomplete==3.5.3 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:2ab2c4a215c59fd6caaff41a869480a23e8f6a5f910b266c1808037f4e375b61 \ + --hash=sha256:c12bf50eded8aebb298c7b7da7a5ff3ee24dffd9f5281867dfe1424b58c55392 +attrs==25.1.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e \ + --hash=sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a +bcrypt==4.2.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:041fa0155c9004eb98a232d54da05c0b41d4b8e66b6fc3cb71b4b3f6144ba837 \ + --hash=sha256:04e56e3fe8308a88b77e0afd20bec516f74aecf391cdd6e374f15cbed32783d6 \ + --hash=sha256:1340411a0894b7d3ef562fb233e4b6ed58add185228650942bdc885362f32c17 \ + --hash=sha256:533e7f3bcf2f07caee7ad98124fab7499cb3333ba2274f7a36cf1daee7409d99 \ + --hash=sha256:6765386e3ab87f569b276988742039baab087b2cdb01e809d74e74503c2faafe \ + --hash=sha256:687cf30e6681eeda39548a93ce9bfbb300e48b4d445a43db4298d2474d2a1e54 \ + --hash=sha256:76132c176a6d9953cdc83c296aeaed65e1a708485fd55abf163e0d9f8f16ce0e \ + --hash=sha256:76d3e352b32f4eeb34703370e370997065d28a561e4a18afe4fef07249cb4396 \ + --hash=sha256:807261df60a8b1ccd13e6599c779014a362ae4e795f5c59747f60208daddd96d \ + --hash=sha256:89df2aea2c43be1e1fa066df5f86c8ce822ab70a30e4c210968669565c0f4685 \ + --hash=sha256:8ad2f4528cbf0febe80e5a3a57d7a74e6635e41af1ea5675282a33d769fba413 \ + --hash=sha256:8c458cd103e6c5d1d85cf600e546a639f234964d0228909d8f8dbeebff82d526 \ + --hash=sha256:8dbd0747208912b1e4ce730c6725cb56c07ac734b3629b60d4398f082ea718ad \ + --hash=sha256:909faa1027900f2252a9ca5dfebd25fc0ef1417943824783d1c8418dd7d6df4a \ + 
--hash=sha256:aaa2e285be097050dba798d537b6efd9b698aa88eef52ec98d23dcd6d7cf6fea \ + --hash=sha256:adadd36274510a01f33e6dc08f5824b97c9580583bd4487c564fc4617b328005 \ + --hash=sha256:b1ee315739bc8387aa36ff127afc99120ee452924e0df517a8f3e4c0187a0f5f \ + --hash=sha256:b588af02b89d9fad33e5f98f7838bf590d6d692df7153647724a7f20c186f6bf \ + --hash=sha256:b7703ede632dc945ed1172d6f24e9f30f27b1b1a067f32f68bf169c5f08d0425 \ + --hash=sha256:c6f5fa3775966cca251848d4d5393ab016b3afed251163c1436fefdec3b02c84 \ + --hash=sha256:cde78d385d5e93ece5479a0a87f73cd6fa26b171c786a884f955e165032b262c \ + --hash=sha256:cfdf3d7530c790432046c40cda41dfee8c83e29482e6a604f8930b9930e94139 \ + --hash=sha256:e158009a54c4c8bc91d5e0da80920d048f918c61a581f0a63e4e93bb556d362f \ + --hash=sha256:e84e0e6f8e40a242b11bce56c313edc2be121cec3e0ec2d76fce01f6af33c07c \ + --hash=sha256:f85b1ffa09240c89aa2e1ae9f3b1c687104f7b2b9d2098da4e923f1b7082d331 +black==25.1.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:030b9759066a4ee5e5aca28c3c77f9c64789cdd4de8ac1df642c40b708be6171 \ + --hash=sha256:055e59b198df7ac0b7efca5ad7ff2516bca343276c466be72eb04a3bcc1f82d7 \ + --hash=sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da \ + --hash=sha256:172b1dbff09f86ce6f4eb8edf9dede08b1fce58ba194c87d7a4f1a5aa2f5b3c2 \ + --hash=sha256:1e2978f6df243b155ef5fa7e558a43037c3079093ed5d10fd84c43900f2d8ecc \ + --hash=sha256:33496d5cd1222ad73391352b4ae8da15253c5de89b93a80b3e2c8d9a19ec2666 \ + --hash=sha256:3b48735872ec535027d979e8dcb20bf4f70b5ac75a8ea99f127c106a7d7aba9f \ + --hash=sha256:4b60580e829091e6f9238c848ea6750efed72140b91b048770b64e74fe04908b \ + --hash=sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32 \ + --hash=sha256:8f0b18a02996a836cc9c9c78e5babec10930862827b1b724ddfe98ccf2f2fe4f \ + --hash=sha256:95e8176dae143ba9097f351d174fdaf0ccd29efb414b362ae3fd72bf0f710717 \ + --hash=sha256:96c1c7cd856bba8e20094e36e0f948718dc688dba4a9d78c3adde52b9e6c2299 \ + 
--hash=sha256:a1ee0a0c330f7b5130ce0caed9936a904793576ef4d2b98c40835d6a65afa6a0 \ + --hash=sha256:a22f402b410566e2d1c950708c77ebf5ebd5d0d88a6a2e87c86d9fb48afa0d18 \ + --hash=sha256:a39337598244de4bae26475f77dda852ea00a93bd4c728e09eacd827ec929df0 \ + --hash=sha256:afebb7098bfbc70037a053b91ae8437c3857482d3a690fefc03e9ff7aa9a5fd3 \ + --hash=sha256:bacabb307dca5ebaf9c118d2d2f6903da0d62c9faa82bd21a33eecc319559355 \ + --hash=sha256:bce2e264d59c91e52d8000d507eb20a9aca4a778731a08cfff7e5ac4a4bb7096 \ + --hash=sha256:d9e6827d563a2c820772b32ce8a42828dc6790f095f441beef18f96aa6f8294e \ + --hash=sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9 \ + --hash=sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba \ + --hash=sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f +blinker==1.9.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf \ + --hash=sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc +certifi==2024.12.14 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56 \ + --hash=sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db +cffi==1.17.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ + --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ + --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ + --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ + --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ + --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ + --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ + 
--hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ + --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ + --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ + --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ + --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ + --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ + --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ + --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ + --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ + --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ + --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ + --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ + --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ + --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ + --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ + --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ + --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ + --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ + --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ + --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ + --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ + --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ + 
--hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ + --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ + --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ + --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ + --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ + --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ + --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ + --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ + --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ + --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ + --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ + --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ + --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ + --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ + --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ + --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ + --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ + --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ + --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ + --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ + --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ + 
--hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ + --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ + --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ + --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ + --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ + --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ + --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ + --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ + --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ + --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ + --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ + --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b +charset-normalizer==3.4.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:0167ddc8ab6508fe81860a57dd472b2ef4060e8d378f0cc555707126830f2537 \ + --hash=sha256:01732659ba9b5b873fc117534143e4feefecf3b2078b0a6a2e925271bb6f4cfa \ + --hash=sha256:01ad647cdd609225c5350561d084b42ddf732f4eeefe6e678765636791e78b9a \ + --hash=sha256:04432ad9479fa40ec0f387795ddad4437a2b50417c69fa275e212933519ff294 \ + --hash=sha256:0907f11d019260cdc3f94fbdb23ff9125f6b5d1039b76003b5b0ac9d6a6c9d5b \ + --hash=sha256:0924e81d3d5e70f8126529951dac65c1010cdf117bb75eb02dd12339b57749dd \ + --hash=sha256:09b26ae6b1abf0d27570633b2b078a2a20419c99d66fb2823173d73f188ce601 \ + --hash=sha256:09b5e6733cbd160dcc09589227187e242a30a49ca5cefa5a7edd3f9d19ed53fd \ + --hash=sha256:0af291f4fe114be0280cdd29d533696a77b5b49cfde5467176ecab32353395c4 \ + --hash=sha256:0f55e69f030f7163dffe9fd0752b32f070566451afe180f99dbeeb81f511ad8d \ + --hash=sha256:1a2bc9f351a75ef49d664206d51f8e5ede9da246602dc2d2726837620ea034b2 \ + 
--hash=sha256:22e14b5d70560b8dd51ec22863f370d1e595ac3d024cb8ad7d308b4cd95f8313 \ + --hash=sha256:234ac59ea147c59ee4da87a0c0f098e9c8d169f4dc2a159ef720f1a61bbe27cd \ + --hash=sha256:2369eea1ee4a7610a860d88f268eb39b95cb588acd7235e02fd5a5601773d4fa \ + --hash=sha256:237bdbe6159cff53b4f24f397d43c6336c6b0b42affbe857970cefbb620911c8 \ + --hash=sha256:28bf57629c75e810b6ae989f03c0828d64d6b26a5e205535585f96093e405ed1 \ + --hash=sha256:2967f74ad52c3b98de4c3b32e1a44e32975e008a9cd2a8cc8966d6a5218c5cb2 \ + --hash=sha256:2a75d49014d118e4198bcee5ee0a6f25856b29b12dbf7cd012791f8a6cc5c496 \ + --hash=sha256:2bdfe3ac2e1bbe5b59a1a63721eb3b95fc9b6817ae4a46debbb4e11f6232428d \ + --hash=sha256:2d074908e1aecee37a7635990b2c6d504cd4766c7bc9fc86d63f9c09af3fa11b \ + --hash=sha256:2fb9bd477fdea8684f78791a6de97a953c51831ee2981f8e4f583ff3b9d9687e \ + --hash=sha256:311f30128d7d333eebd7896965bfcfbd0065f1716ec92bd5638d7748eb6f936a \ + --hash=sha256:329ce159e82018d646c7ac45b01a430369d526569ec08516081727a20e9e4af4 \ + --hash=sha256:345b0426edd4e18138d6528aed636de7a9ed169b4aaf9d61a8c19e39d26838ca \ + --hash=sha256:363e2f92b0f0174b2f8238240a1a30142e3db7b957a5dd5689b0e75fb717cc78 \ + --hash=sha256:3a3bd0dcd373514dcec91c411ddb9632c0d7d92aed7093b8c3bbb6d69ca74408 \ + --hash=sha256:3bed14e9c89dcb10e8f3a29f9ccac4955aebe93c71ae803af79265c9ca5644c5 \ + --hash=sha256:44251f18cd68a75b56585dd00dae26183e102cd5e0f9f1466e6df5da2ed64ea3 \ + --hash=sha256:44ecbf16649486d4aebafeaa7ec4c9fed8b88101f4dd612dcaf65d5e815f837f \ + --hash=sha256:4532bff1b8421fd0a320463030c7520f56a79c9024a4e88f01c537316019005a \ + --hash=sha256:49402233c892a461407c512a19435d1ce275543138294f7ef013f0b63d5d3765 \ + --hash=sha256:4c0907b1928a36d5a998d72d64d8eaa7244989f7aaaf947500d3a800c83a3fd6 \ + --hash=sha256:4d86f7aff21ee58f26dcf5ae81a9addbd914115cdebcbb2217e4f0ed8982e146 \ + --hash=sha256:5777ee0881f9499ed0f71cc82cf873d9a0ca8af166dfa0af8ec4e675b7df48e6 \ + --hash=sha256:5df196eb874dae23dcfb968c83d4f8fdccb333330fe1fc278ac5ceeb101003a9 \ + 
--hash=sha256:619a609aa74ae43d90ed2e89bdd784765de0a25ca761b93e196d938b8fd1dbbd \ + --hash=sha256:6e27f48bcd0957c6d4cb9d6fa6b61d192d0b13d5ef563e5f2ae35feafc0d179c \ + --hash=sha256:6ff8a4a60c227ad87030d76e99cd1698345d4491638dfa6673027c48b3cd395f \ + --hash=sha256:73d94b58ec7fecbc7366247d3b0b10a21681004153238750bb67bd9012414545 \ + --hash=sha256:7461baadb4dc00fd9e0acbe254e3d7d2112e7f92ced2adc96e54ef6501c5f176 \ + --hash=sha256:75832c08354f595c760a804588b9357d34ec00ba1c940c15e31e96d902093770 \ + --hash=sha256:7709f51f5f7c853f0fb938bcd3bc59cdfdc5203635ffd18bf354f6967ea0f824 \ + --hash=sha256:78baa6d91634dfb69ec52a463534bc0df05dbd546209b79a3880a34487f4b84f \ + --hash=sha256:7974a0b5ecd505609e3b19742b60cee7aa2aa2fb3151bc917e6e2646d7667dcf \ + --hash=sha256:7a4f97a081603d2050bfaffdefa5b02a9ec823f8348a572e39032caa8404a487 \ + --hash=sha256:7b1bef6280950ee6c177b326508f86cad7ad4dff12454483b51d8b7d673a2c5d \ + --hash=sha256:7d053096f67cd1241601111b698f5cad775f97ab25d81567d3f59219b5f1adbd \ + --hash=sha256:804a4d582ba6e5b747c625bf1255e6b1507465494a40a2130978bda7b932c90b \ + --hash=sha256:807f52c1f798eef6cf26beb819eeb8819b1622ddfeef9d0977a8502d4db6d534 \ + --hash=sha256:80ed5e856eb7f30115aaf94e4a08114ccc8813e6ed1b5efa74f9f82e8509858f \ + --hash=sha256:8417cb1f36cc0bc7eaba8ccb0e04d55f0ee52df06df3ad55259b9a323555fc8b \ + --hash=sha256:8436c508b408b82d87dc5f62496973a1805cd46727c34440b0d29d8a2f50a6c9 \ + --hash=sha256:89149166622f4db9b4b6a449256291dc87a99ee53151c74cbd82a53c8c2f6ccd \ + --hash=sha256:8bfa33f4f2672964266e940dd22a195989ba31669bd84629f05fab3ef4e2d125 \ + --hash=sha256:8c60ca7339acd497a55b0ea5d506b2a2612afb2826560416f6894e8b5770d4a9 \ + --hash=sha256:91b36a978b5ae0ee86c394f5a54d6ef44db1de0815eb43de826d41d21e4af3de \ + --hash=sha256:955f8851919303c92343d2f66165294848d57e9bba6cf6e3625485a70a038d11 \ + --hash=sha256:97f68b8d6831127e4787ad15e6757232e14e12060bec17091b85eb1486b91d8d \ + --hash=sha256:9b23ca7ef998bc739bf6ffc077c2116917eabcc901f88da1b9856b210ef63f35 \ + 
--hash=sha256:9f0b8b1c6d84c8034a44893aba5e767bf9c7a211e313a9605d9c617d7083829f \ + --hash=sha256:aabfa34badd18f1da5ec1bc2715cadc8dca465868a4e73a0173466b688f29dda \ + --hash=sha256:ab36c8eb7e454e34e60eb55ca5d241a5d18b2c6244f6827a30e451c42410b5f7 \ + --hash=sha256:b010a7a4fd316c3c484d482922d13044979e78d1861f0e0650423144c616a46a \ + --hash=sha256:b1ac5992a838106edb89654e0aebfc24f5848ae2547d22c2c3f66454daa11971 \ + --hash=sha256:b7b2d86dd06bfc2ade3312a83a5c364c7ec2e3498f8734282c6c3d4b07b346b8 \ + --hash=sha256:b97e690a2118911e39b4042088092771b4ae3fc3aa86518f84b8cf6888dbdb41 \ + --hash=sha256:bc2722592d8998c870fa4e290c2eec2c1569b87fe58618e67d38b4665dfa680d \ + --hash=sha256:c0429126cf75e16c4f0ad00ee0eae4242dc652290f940152ca8c75c3a4b6ee8f \ + --hash=sha256:c30197aa96e8eed02200a83fba2657b4c3acd0f0aa4bdc9f6c1af8e8962e0757 \ + --hash=sha256:c4c3e6da02df6fa1410a7680bd3f63d4f710232d3139089536310d027950696a \ + --hash=sha256:c75cb2a3e389853835e84a2d8fb2b81a10645b503eca9bcb98df6b5a43eb8886 \ + --hash=sha256:c96836c97b1238e9c9e3fe90844c947d5afbf4f4c92762679acfe19927d81d77 \ + --hash=sha256:d7f50a1f8c450f3925cb367d011448c39239bb3eb4117c36a6d354794de4ce76 \ + --hash=sha256:d973f03c0cb71c5ed99037b870f2be986c3c05e63622c017ea9816881d2dd247 \ + --hash=sha256:d98b1668f06378c6dbefec3b92299716b931cd4e6061f3c875a71ced1780ab85 \ + --hash=sha256:d9c3cdf5390dcd29aa8056d13e8e99526cda0305acc038b96b30352aff5ff2bb \ + --hash=sha256:dad3e487649f498dd991eeb901125411559b22e8d7ab25d3aeb1af367df5efd7 \ + --hash=sha256:dccbe65bd2f7f7ec22c4ff99ed56faa1e9f785482b9bbd7c717e26fd723a1d1e \ + --hash=sha256:dd78cfcda14a1ef52584dbb008f7ac81c1328c0f58184bf9a84c49c605002da6 \ + --hash=sha256:e218488cd232553829be0664c2292d3af2eeeb94b32bea483cf79ac6a694e037 \ + --hash=sha256:e358e64305fe12299a08e08978f51fc21fac060dcfcddd95453eabe5b93ed0e1 \ + --hash=sha256:ea0d8d539afa5eb2728aa1932a988a9a7af94f18582ffae4bc10b3fbdad0626e \ + --hash=sha256:eab677309cdb30d047996b36d34caeda1dc91149e4fdca0b1a039b3f79d9a807 \ + 
--hash=sha256:eb8178fe3dba6450a3e024e95ac49ed3400e506fd4e9e5c32d30adda88cbd407 \ + --hash=sha256:ecddf25bee22fe4fe3737a399d0d177d72bc22be6913acfab364b40bce1ba83c \ + --hash=sha256:eea6ee1db730b3483adf394ea72f808b6e18cf3cb6454b4d86e04fa8c4327a12 \ + --hash=sha256:f08ff5e948271dc7e18a35641d2f11a4cd8dfd5634f55228b691e62b37125eb3 \ + --hash=sha256:f30bf9fd9be89ecb2360c7d94a711f00c09b976258846efe40db3d05828e8089 \ + --hash=sha256:fa88b843d6e211393a37219e6a1c1df99d35e8fd90446f1118f4216e307e48cd \ + --hash=sha256:fc54db6c8593ef7d4b2a331b58653356cf04f67c960f584edb7c3d8c97e8f39e \ + --hash=sha256:fd4ec41f914fa74ad1b8304bbc634b3de73d2a0889bd32076342a573e0779e00 \ + --hash=sha256:ffc9202a29ab3920fa812879e95a9e78b2465fd10be7fcbd042899695d75e616 +click==8.1.8 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2 \ + --hash=sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a +cmarkgfm==0.6.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:02f14c7e77fcddf044df14cc227d7703027ee720bac719616ac505af29812b73 \ + --hash=sha256:0c5d762351f14479b07bfda6773905caa0fa7f132f6478c35e467d0be21e9f2e \ + --hash=sha256:13c34b6dc5b77100201c543cd205366ef7ecc612efce4247e2b7a0bb258b271e \ + --hash=sha256:3157b37d1a897ee57ae57be8eafac3659e31fdce33fbbc85f76df34ee2804d5a \ + --hash=sha256:371c4a2d88508800f6cc872082970afdb414f2d3b86ac7769419f27da0d43acc \ + --hash=sha256:3a31b239dfe4945fcb6a53fcb7dac64cb857ecfb1f710d891ff96955c64509f6 \ + --hash=sha256:3a5138d76e93378a72fb7a704cbf09764ebb43cfcf121e6d7ffdc40fb7917d4a \ + --hash=sha256:3c7053c8650bf1f79c607dc88ff56652d07f52aac4b60aa1bf07529c9b4473a7 \ + --hash=sha256:4121f6047c4d4a28ded3cf02c087869549e9f0c3712e5a2af180972f9d1348a5 \ + --hash=sha256:427ca60eb2f56c6293ac0e91b728acf608297c9030dccd3c928e938b3bf3ee77 \ + --hash=sha256:51134e3775ac7c47ca2430a53b02c6ff03463143af8dfaeb1575c03e039ee485 \ + 
--hash=sha256:57e4f57aa9264a3244a28665d3c5ec81b1ace454b01a1c09ff0d67a2cd12ca5a \ + --hash=sha256:605bd69fa4b247be9bb4e7d75bda4df37428a153e3a67aca50d7cd9dc1ee8225 \ + --hash=sha256:6377e46d854cc32e03933a44a0b6e6750cf89b4314e1c84958a7a547c3952c23 \ + --hash=sha256:6a48a67ff8425b4dee33196f6cd9bdba7b902c0b7e369150f6704989f9c40476 \ + --hash=sha256:6bb05e1b4adc8027c41ddbd11761482c652f1aa2ae4419469e3883ec8b0bdf67 \ + --hash=sha256:706daefce3f9bd1cd955b6bb06beac31c050b65f4bec8025dade3b0f05dbeed2 \ + --hash=sha256:713bd4e64651e7bbd897bbaee6057c16b72c6ac3cf59b2b38892d635d52755eb \ + --hash=sha256:7262bb2b875d1c47dfa0e074fe349eb1ba1901e323fcf9e3fc4dbf97f0b92d97 \ + --hash=sha256:737e4525c63ae3bca731e5c57056c02078e31e579ec655b72bd28eae525d6b53 \ + --hash=sha256:7641061c0bc4caf754f119c326131ad41c25beb1e95e2479e8aab60dbd8f9f79 \ + --hash=sha256:786e8a06f7eec6eb3f3789353a586c8b065570d2db9811fdcdaced736a36ce53 \ + --hash=sha256:791c7f8aed353d540aed52c6724df408eb73208d7c9dd98aae6506d5783cb95f \ + --hash=sha256:7a974b3b90805f656054d6873cd876ee5c7949e7860d131b7ec0b29a3de3a3f3 \ + --hash=sha256:82cfc1bc7099fa819993c41d3c6778bff29e5547dbf1de1dbb113ef4d2bc0df9 \ + --hash=sha256:872f3c9d99aedf55ad6950a4158873a107f6338040bc381b21849ccf165e9d90 \ + --hash=sha256:89cc51c26a10ebdaada4ed2630f6f375cf059d3aca5d77aff493a2010f6ed60a \ + --hash=sha256:8b58277117a439fd27aee2bcc8869be334fb7e8781e27066ec31ec0a596a6a01 \ + --hash=sha256:8be0c52d0caf1852a5374c7c9a279801c1a8dd9e2040939e75262d02b003835b \ + --hash=sha256:8eebdc5ca2cd565998195d1e6189d5979a00a5db9c579d05953478cb085ef435 \ + --hash=sha256:8f901c002172a3be8bb91a422da23dfae0301afe062addf41c976385f96bc1ef \ + --hash=sha256:94ba213739648006232aa917f8c4c42c520812601d85502fa7a5dad0f0d1590e \ + --hash=sha256:989432956e34591387f0aaab98caabd699f2f5d4c708d1a0d882334a8b760cc5 \ + --hash=sha256:a386b01a266a42e8e9052c74ad42dc1ff50b209d8958a3656e0435fa018a0223 \ + --hash=sha256:ae6796d4e8ea746dc8e29173f95ffb9b12f940ff5b9186d10203445526cf8d4d \ + 
--hash=sha256:b04da61652984c89868b31aface2d75e3d26081273d3764e18b5661eea98916e \ + --hash=sha256:b594063a3421561e0559cc5a68419cdcb020512fc40c3eb37e4629bae2a954b6 \ + --hash=sha256:c17e19db003f86662d08ce382912767f7221637703a64cfdb85b8c1447cc4b36 \ + --hash=sha256:c58c904c22b946d436637e8e1987db5886af8041c57e0028c419f98075344f1f \ + --hash=sha256:c61f3f2cd2b9c44cb2579e165a18f824a6c99682aff10ac2779a7a74a3167e89 \ + --hash=sha256:ccbfb5e427ca815d80962e6705834ebadeb55058ac745e0339fb570bb78a6114 \ + --hash=sha256:ce717bd3e26a95b749fbbf68da42cc5cb9200779a4943bbdd38fa73711366081 \ + --hash=sha256:d4422e0dd3a11eeebbe86c6c08ac1c28783efed4b7b948a9878724e677eda107 \ + --hash=sha256:e550ca0826eab1ab87d9eed58da89cc113f13f369fdd61c799705007422dbfce \ + --hash=sha256:e66f15d4c645c87819f7170990a00e0fa9e0e8255097f8bd5eb3037d78264efb \ + --hash=sha256:e7b5b6cd8befa8c1cf2a55f750a4dcf84de05c80a7110d933ea6724fbc6d2cf8 \ + --hash=sha256:ec2bf8d5799c4b5bbfbae30a4a1dfcb06512f2e17e9ee60ba7e1d390318582fc \ + --hash=sha256:f0da78ef960f57aec8a6854821a99fa7a520dad77631b19becb68b2ebf8dbc2d \ + --hash=sha256:f56aa4940aa4ee98fd6f3e0a648b8ae1e6a27f5007d64d406aeadc51451dc13b \ + --hash=sha256:fa28b1a335adb5bad04b4a50382cbcfcc6c8d68413ba35e2cd3f657a1dc76347 +colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and (platform_system == "Windows" or sys_platform == "win32") \ + --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ + --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 +compliance-trestle==2.5.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:60faaaed194687060cb8309f53b315aec8dde086cadecf5faa20425fe159d5ce \ + --hash=sha256:67bc7ae5e5d02520a8a9f9370ff6c1760d739d2e17434dcd2bf5399a61b4f497 +complianceio @ git+https://github.com/CivicActions/compliance-io.git@fc15d75697e86260e61c39bb8557658cfa44a176 ; python_version >= "3.10" and python_version < "4.0" +cryptography==41.0.6 ; python_version >= 
"3.10" and python_version < "4.0" \ + --hash=sha256:068bc551698c234742c40049e46840843f3d98ad7ce265fd2bd4ec0d11306596 \ + --hash=sha256:0f27acb55a4e77b9be8d550d762b0513ef3fc658cd3eb15110ebbcbd626db12c \ + --hash=sha256:2132d5865eea673fe6712c2ed5fb4fa49dba10768bb4cc798345748380ee3660 \ + --hash=sha256:3288acccef021e3c3c10d58933f44e8602cf04dba96d9796d70d537bb2f4bbc4 \ + --hash=sha256:35f3f288e83c3f6f10752467c48919a7a94b7d88cc00b0668372a0d2ad4f8ead \ + --hash=sha256:398ae1fc711b5eb78e977daa3cbf47cec20f2c08c5da129b7a296055fbb22aed \ + --hash=sha256:422e3e31d63743855e43e5a6fcc8b4acab860f560f9321b0ee6269cc7ed70cc3 \ + --hash=sha256:48783b7e2bef51224020efb61b42704207dde583d7e371ef8fc2a5fb6c0aabc7 \ + --hash=sha256:4d03186af98b1c01a4eda396b137f29e4e3fb0173e30f885e27acec8823c1b09 \ + --hash=sha256:5daeb18e7886a358064a68dbcaf441c036cbdb7da52ae744e7b9207b04d3908c \ + --hash=sha256:60e746b11b937911dc70d164060d28d273e31853bb359e2b2033c9e93e6f3c43 \ + --hash=sha256:742ae5e9a2310e9dade7932f9576606836ed174da3c7d26bc3d3ab4bd49b9f65 \ + --hash=sha256:7e00fb556bda398b99b0da289ce7053639d33b572847181d6483ad89835115f6 \ + --hash=sha256:85abd057699b98fce40b41737afb234fef05c67e116f6f3650782c10862c43da \ + --hash=sha256:8efb2af8d4ba9dbc9c9dd8f04d19a7abb5b49eab1f3694e7b5a16a5fc2856f5c \ + --hash=sha256:ae236bb8760c1e55b7a39b6d4d32d2279bc6c7c8500b7d5a13b6fb9fc97be35b \ + --hash=sha256:afda76d84b053923c27ede5edc1ed7d53e3c9f475ebaf63c68e69f1403c405a8 \ + --hash=sha256:b27a7fd4229abef715e064269d98a7e2909ebf92eb6912a9603c7e14c181928c \ + --hash=sha256:b648fe2a45e426aaee684ddca2632f62ec4613ef362f4d681a9a6283d10e079d \ + --hash=sha256:c5a550dc7a3b50b116323e3d376241829fd326ac47bc195e04eb33a8170902a9 \ + --hash=sha256:da46e2b5df770070412c46f87bac0849b8d685c5f2679771de277a422c7d0b86 \ + --hash=sha256:f39812f70fc5c71a15aa3c97b2bbe213c3f2a460b79bd21c40d033bb34a9bf36 \ + --hash=sha256:ff369dd19e8fe0528b02e8df9f2aeb2479f89b1270d90f96a63500afe9af5cae +datamodel-code-generator[http]==0.26.5 ; python_version 
>= "3.10" and python_version < "4.0" \ + --hash=sha256:c4a94a7dbf7972129882732d9bcee44c9ae090f57c82edd58d237b9d48c40dd0 \ + --hash=sha256:e32f986b9914a2b45093947043aa0192d704650be93151f78acf5c95676601ce +defusedxml==0.7.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69 \ + --hash=sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 +dnspython==2.7.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86 \ + --hash=sha256:ce9c432eda0dc91cf618a5cedf1a4e142651196bbcd2c80e89ed5a907e5cfaf1 +email-validator==2.2.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:561977c2d73ce3611850a06fa56b414621e0c8faa9d66f2611407d87465da631 \ + --hash=sha256:cb690f344c617a714f22e66ae771445a1ceb46821152df8e165c5f9a364582b7 +et-xmlfile==2.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:7a91720bc756843502c3b7504c77b8fe44217c85c537d85037f0f536151b2caa \ + --hash=sha256:dab3f4764309081ce75662649be815c4c9081e88f0837825f90fd28317d4da54 +exceptiongroup==1.2.2 ; python_version >= "3.10" and python_version < "3.11" \ + --hash=sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b \ + --hash=sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc +fpyutils==4.0.1 ; python_version >= "3.10" and python_version < "4" \ + --hash=sha256:006cfbdbd87915d8a1c5b7062b6c8d2f4f9fd12c3e707d89c27e6abd6c67c6b2 \ + --hash=sha256:5ee8448b09863d5905ad22cf5f6c8af79d3b314617ac8fbded48eb2a414988e6 +furl==2.1.3 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:5a6188fe2666c484a12159c18be97a1977a71d632ef5bb867ef15f54af39cc4e \ + --hash=sha256:9ab425062c4217f9802508e45feb4a83e54324273ac4b202f1850363309666c0 +genson==1.3.0 ; python_version >= "3.10" and python_version < "4.0" \ + 
--hash=sha256:468feccd00274cc7e4c09e84b08704270ba8d95232aa280f65b986139cec67f7 \ + --hash=sha256:e02db9ac2e3fd29e65b5286f7135762e2cd8a986537c075b06fc5f1517308e37 +gitdb==4.0.12 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:5ef71f855d191a3326fcfbc0d5da835f26b13fbcba60c32c21091c349ffdb571 \ + --hash=sha256:67073e15955400952c6565cc3e707c554a4eea2e428946f7a4c162fab9bd9bcf +gitpython==3.1.44 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:9e0e10cda9bed1ee64bc9a6de50e7e38a9c9943241cd7f585f6df3ed28011110 \ + --hash=sha256:c87e30b26253bf5418b01b0660f818967f3c503193838337fe5e573331249269 +h11==0.14.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d \ + --hash=sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761 +httpcore==1.0.7 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c \ + --hash=sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd +httpx==0.28.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \ + --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad +idna==3.10 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9 \ + --hash=sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3 +ilcli==0.3.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:8a56b053836f8b0e1bbbdda884288d18dc966bd8e90fdf9b340914dba625cd7f \ + --hash=sha256:dfb7d2da49c63ef92c5a589eb5f765d073d7ea83275c3dd2aea8ae5cbe4c5be2 +inflect==5.6.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:aadc7ed73928f5e014129794bbac03058cca35d0a973a5fc4eb45c7fa26005f9 \ + 
--hash=sha256:b45d91a4a28a4e617ff1821117439b06eaa86e2a4573154af0149e9be6687238 +iniconfig==2.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \ + --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374 +isort==5.13.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109 \ + --hash=sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6 +jinja2==3.1.5 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb \ + --hash=sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb +markupsafe==3.0.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4 \ + --hash=sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30 \ + --hash=sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0 \ + --hash=sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9 \ + --hash=sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396 \ + --hash=sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13 \ + --hash=sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028 \ + --hash=sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca \ + --hash=sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557 \ + --hash=sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832 \ + --hash=sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0 \ + --hash=sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b \ + --hash=sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579 \ + 
--hash=sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a \ + --hash=sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c \ + --hash=sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff \ + --hash=sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c \ + --hash=sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22 \ + --hash=sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094 \ + --hash=sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb \ + --hash=sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e \ + --hash=sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5 \ + --hash=sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a \ + --hash=sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d \ + --hash=sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a \ + --hash=sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b \ + --hash=sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8 \ + --hash=sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225 \ + --hash=sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c \ + --hash=sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144 \ + --hash=sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f \ + --hash=sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87 \ + --hash=sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d \ + --hash=sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93 \ + --hash=sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf \ + --hash=sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158 \ + --hash=sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84 \ + 
--hash=sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb \ + --hash=sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48 \ + --hash=sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171 \ + --hash=sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c \ + --hash=sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6 \ + --hash=sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd \ + --hash=sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d \ + --hash=sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1 \ + --hash=sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d \ + --hash=sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca \ + --hash=sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a \ + --hash=sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29 \ + --hash=sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe \ + --hash=sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798 \ + --hash=sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c \ + --hash=sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8 \ + --hash=sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f \ + --hash=sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f \ + --hash=sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a \ + --hash=sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178 \ + --hash=sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0 \ + --hash=sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79 \ + --hash=sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430 \ + --hash=sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50 
+md-toc==9.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:a4e73b59f71c20b94c8c16bc6ef3bc2e80d1d40c398050101f80c3567fda7271 \ + --hash=sha256:dfd57de2faf252be1d6faf9bed7eab506e1caa7c4486ab6d6d04556426d5a7a5 +mypy-extensions==1.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d \ + --hash=sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782 +openpyxl==3.1.5 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:5282c12b107bffeef825f4617dc029afaf41d0ea60823bbb665ef3079dc79de2 \ + --hash=sha256:cf0e3cf56142039133628b5acffe8ef0c12bc902d2aadd3e0fe5878dc08d1050 +orderedmultidict==1.0.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:04070bbb5e87291cc9bfa51df413677faf2141c73c61d2a5f7b26bea3cd882ad \ + --hash=sha256:43c839a17ee3cdd62234c47deca1a8508a3f2ca1d0678a3bf791c87cf84adbf3 +orjson==3.10.15 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:035fb83585e0f15e076759b6fedaf0abb460d1765b6a36f48018a52858443514 \ + --hash=sha256:05ca7fe452a2e9d8d9d706a2984c95b9c2ebc5db417ce0b7a49b91d50642a23e \ + --hash=sha256:0a4f27ea5617828e6b58922fdbec67b0aa4bb844e2d363b9244c47fa2180e665 \ + --hash=sha256:13242f12d295e83c2955756a574ddd6741c81e5b99f2bef8ed8d53e47a01e4b7 \ + --hash=sha256:17085a6aa91e1cd70ca8533989a18b5433e15d29c574582f76f821737c8d5806 \ + --hash=sha256:1e6d33efab6b71d67f22bf2962895d3dc6f82a6273a965fab762e64fa90dc399 \ + --hash=sha256:208beedfa807c922da4e81061dafa9c8489c6328934ca2a562efa707e049e561 \ + --hash=sha256:295c70f9dc154307777ba30fe29ff15c1bcc9dfc5c48632f37d20a607e9ba85a \ + --hash=sha256:305b38b2b8f8083cc3d618927d7f424349afce5975b316d33075ef0f73576b60 \ + --hash=sha256:33aedc3d903378e257047fee506f11e0833146ca3e57a1a1fb0ddb789876c1e1 \ + --hash=sha256:3614ea508d522a621384c1d6639016a5a2e4f027f3e4a1c93a51867615d28829 \ + 
--hash=sha256:3766ac4702f8f795ff3fa067968e806b4344af257011858cc3d6d8721588b53f \ + --hash=sha256:3a63bb41559b05360ded9132032239e47983a39b151af1201f07ec9370715c82 \ + --hash=sha256:43e17289ffdbbac8f39243916c893d2ae41a2ea1a9cbb060a56a4d75286351ae \ + --hash=sha256:552c883d03ad185f720d0c09583ebde257e41b9521b74ff40e08b7dec4559c04 \ + --hash=sha256:5dd9ef1639878cc3efffed349543cbf9372bdbd79f478615a1c633fe4e4180d1 \ + --hash=sha256:5e8afd6200e12771467a1a44e5ad780614b86abb4b11862ec54861a82d677746 \ + --hash=sha256:616e3e8d438d02e4854f70bfdc03a6bcdb697358dbaa6bcd19cbe24d24ece1f8 \ + --hash=sha256:63309e3ff924c62404923c80b9e2048c1f74ba4b615e7584584389ada50ed428 \ + --hash=sha256:6875210307d36c94873f553786a808af2788e362bd0cf4c8e66d976791e7b528 \ + --hash=sha256:6fd9bc64421e9fe9bd88039e7ce8e58d4fead67ca88e3a4014b143cec7684fd4 \ + --hash=sha256:7066b74f9f259849629e0d04db6609db4cf5b973248f455ba5d3bd58a4daaa5b \ + --hash=sha256:73cb85490aa6bf98abd20607ab5c8324c0acb48d6da7863a51be48505646c814 \ + --hash=sha256:763dadac05e4e9d2bc14938a45a2d0560549561287d41c465d3c58aec818b164 \ + --hash=sha256:7723ad949a0ea502df656948ddd8b392780a5beaa4c3b5f97e525191b102fff0 \ + --hash=sha256:781d54657063f361e89714293c095f506c533582ee40a426cb6489c48a637b81 \ + --hash=sha256:7946922ada8f3e0b7b958cc3eb22cfcf6c0df83d1fe5521b4a100103e3fa84c8 \ + --hash=sha256:7a1c73dcc8fadbd7c55802d9aa093b36878d34a3b3222c41052ce6b0fc65f8e8 \ + --hash=sha256:7c203f6f969210128af3acae0ef9ea6aab9782939f45f6fe02d05958fe761ef9 \ + --hash=sha256:7c2c79fa308e6edb0ffab0a31fd75a7841bf2a79a20ef08a3c6e3b26814c8ca8 \ + --hash=sha256:7c864a80a2d467d7786274fce0e4f93ef2a7ca4ff31f7fc5634225aaa4e9e98c \ + --hash=sha256:88dc3f65a026bd3175eb157fea994fca6ac7c4c8579fc5a86fc2114ad05705b7 \ + --hash=sha256:8918719572d662e18b8af66aef699d8c21072e54b6c82a3f8f6404c1f5ccd5e0 \ + --hash=sha256:9d11c0714fc85bfcf36ada1179400862da3288fc785c30e8297844c867d7505a \ + --hash=sha256:9e590a0477b23ecd5b0ac865b1b907b01b3c5535f5e8a8f6ab0e503efb896334 \ + 
--hash=sha256:9e992fd5cfb8b9f00bfad2fd7a05a4299db2bbe92e6440d9dd2fab27655b3182 \ + --hash=sha256:a2f708c62d026fb5340788ba94a55c23df4e1869fec74be455e0b2f5363b8507 \ + --hash=sha256:a330b9b4734f09a623f74a7490db713695e13b67c959713b78369f26b3dee6bf \ + --hash=sha256:a61a4622b7ff861f019974f73d8165be1bd9a0855e1cad18ee167acacabeb061 \ + --hash=sha256:a6be38bd103d2fd9bdfa31c2720b23b5d47c6796bcb1d1b598e3924441b4298d \ + --hash=sha256:abc7abecdbf67a173ef1316036ebbf54ce400ef2300b4e26a7b843bd446c2480 \ + --hash=sha256:acd271247691574416b3228db667b84775c497b245fa275c6ab90dc1ffbbd2b3 \ + --hash=sha256:b0482b21d0462eddd67e7fce10b89e0b6ac56570424662b685a0d6fccf581e13 \ + --hash=sha256:b299383825eafe642cbab34be762ccff9fd3408d72726a6b2a4506d410a71ab3 \ + --hash=sha256:b342567e5465bd99faa559507fe45e33fc76b9fb868a63f1642c6bc0735ad02a \ + --hash=sha256:b48f59114fe318f33bbaee8ebeda696d8ccc94c9e90bc27dbe72153094e26f41 \ + --hash=sha256:b7155eb1623347f0f22c38c9abdd738b287e39b9982e1da227503387b81b34ca \ + --hash=sha256:bae0e6ec2b7ba6895198cd981b7cca95d1487d0147c8ed751e5632ad16f031a6 \ + --hash=sha256:bb00b7bfbdf5d34a13180e4805d76b4567025da19a197645ca746fc2fb536586 \ + --hash=sha256:bb5cc3527036ae3d98b65e37b7986a918955f85332c1ee07f9d3f82f3a6899b5 \ + --hash=sha256:c03cd6eea1bd3b949d0d007c8d57049aa2b39bd49f58b4b2af571a5d3833d890 \ + --hash=sha256:c25774c9e88a3e0013d7d1a6c8056926b607a61edd423b50eb5c88fd7f2823ae \ + --hash=sha256:c33be3795e299f565681d69852ac8c1bc5c84863c0b0030b2b3468843be90388 \ + --hash=sha256:c4cc83960ab79a4031f3119cc4b1a1c627a3dc09df125b27c4201dff2af7eaa6 \ + --hash=sha256:cf45e0214c593660339ef63e875f32ddd5aa3b4adc15e662cdb80dc49e194f8e \ + --hash=sha256:d13b7fe322d75bf84464b075eafd8e7dd9eae05649aa2a5354cfa32f43c59f17 \ + --hash=sha256:d433bf32a363823863a96561a555227c18a522a8217a6f9400f00ddc70139ae2 \ + --hash=sha256:d569c1c462912acdd119ccbf719cf7102ea2c67dd03b99edcb1a3048651ac96b \ + --hash=sha256:d5ac11b659fd798228a7adba3e37c010e0152b78b1982897020a8e019a94882e \ + 
--hash=sha256:da03392674f59a95d03fa5fb9fe3a160b0511ad84b7a3914699ea5a1b3a38da2 \ + --hash=sha256:da9a18c500f19273e9e104cca8c1f0b40a6470bcccfc33afcc088045d0bf5ea6 \ + --hash=sha256:dadba0e7b6594216c214ef7894c4bd5f08d7c0135f4dd0145600be4fbcc16767 \ + --hash=sha256:dba5a1e85d554e3897fa9fe6fbcff2ed32d55008973ec9a2b992bd9a65d2352d \ + --hash=sha256:dd0099ae6aed5eb1fc84c9eb72b95505a3df4267e6962eb93cdd5af03be71c98 \ + --hash=sha256:ddbeef2481d895ab8be5185f2432c334d6dec1f5d1933a9c83014d188e102cef \ + --hash=sha256:e117eb299a35f2634e25ed120c37c641398826c2f5a3d3cc39f5993b96171b9e \ + --hash=sha256:e4759b109c37f635aa5c5cc93a1b26927bfde24b254bcc0e1149a9fada253d2d \ + --hash=sha256:e78c211d0074e783d824ce7bb85bf459f93a233eb67a5b5003498232ddfb0e8a \ + --hash=sha256:eca81f83b1b8c07449e1d6ff7074e82e3fd6777e588f1a6632127f286a968825 \ + --hash=sha256:eea80037b9fae5339b214f59308ef0589fc06dc870578b7cce6d71eb2096764c \ + --hash=sha256:ef5b87e7aa9545ddadd2309efe6824bd3dd64ac101c15dae0f2f597911d46eaa \ + --hash=sha256:efcf6c735c3d22ef60c4aa27a5238f1a477df85e9b15f2142f9d669beb2d13fd \ + --hash=sha256:f71eae9651465dff70aa80db92586ad5b92df46a9373ee55252109bb6b703307 \ + --hash=sha256:f93ce145b2db1252dd86af37d4165b6faa83072b46e3995ecc95d4b2301b725a \ + --hash=sha256:f95fb363d79366af56c3f26b71df40b9a583b07bbaaf5b317407c4d58497852e \ + --hash=sha256:f9875f5fea7492da8ec2444839dcc439b0ef298978f311103d0b7dfd775898ab \ + --hash=sha256:fd56a26a04f6ba5fb2045b0acc487a63162a958ed837648c5781e1fe3316cfbf \ + --hash=sha256:ff4f6edb1578960ed628a3b998fa54d78d9bb3e2eb2cfc5c2a09732431c678d0 \ + --hash=sha256:ffe19f3e8d68111e8644d4f4e267a069ca427926855582ff01fc012496d19969 +packaging==24.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759 \ + --hash=sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f +paramiko==3.4.0 ; python_version >= "3.10" and python_version < "4.0" \ + 
--hash=sha256:43f0b51115a896f9c00f59618023484cb3a14b98bbceab43394a39c6739b7ee7 \ + --hash=sha256:aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3 +pathspec==0.12.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \ + --hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712 +platformdirs==4.3.6 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:357fb2acbc885b0419afd3ce3ed34564c13c9b95c89360cd9563f73aa5e2b907 \ + --hash=sha256:73e575e1408ab8103900836b97580d5307456908a03e92031bab39e4554cc3fb +pluggy==1.5.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1 \ + --hash=sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669 +poetry-core==2.0.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:10177c2772469d9032a49f0d8707af761b1c597cea3b4fb31546e5cd436eb157 \ + --hash=sha256:a3c7009536522cda4eb0fb3805c9dc935b5537f8727dd01efb9c15e51a17552b +pycparser==2.22 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc +pydantic==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:0067935d35044950be781933ab91b9a708eaff124bf860fa2f70aeb1c4be7212 \ + --hash=sha256:08caa8c0468172d27c669abfe9e7d96a8b1655ec0833753e117061febaaadef5 \ + --hash=sha256:0bb58bbe65a43483d49f66b6c8474424d551a3fbe8a7796c42da314bac712738 \ + --hash=sha256:185d5f1dff1fead51766da9b2de4f3dc3b8fca39e59383c273f34a6ae254e3e2 \ + --hash=sha256:1d7c332685eafacb64a1a7645b409a166eb7537f23142d26895746f628a3149b \ + --hash=sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586 \ + 
--hash=sha256:266ecfc384861d7b0b9c214788ddff75a2ea123aa756bcca6b2a1175edeca0fe \ + --hash=sha256:298d6f765e3c9825dfa78f24c1efd29af91c3ab1b763e1fd26ae4d9e1749e5c8 \ + --hash=sha256:2b6a04efdcd25486b27f24c1648d5adc1633ad8b4506d0e96e5367f075ed2e0b \ + --hash=sha256:2c9b782db6f993a36092480eeaab8ba0609f786041b01f39c7c52252bda6d85f \ + --hash=sha256:2ed4a5f13cf160d64aa331ab9017af81f3481cd9fd0e49f1d707b57fe1b9f3ae \ + --hash=sha256:35b263b60c519354afb3a60107d20470dd5250b3ce54c08753f6975c406d949b \ + --hash=sha256:36ceadef055af06e7756eb4b871cdc9e5a27bdc06a45c820cd94b443de019bbf \ + --hash=sha256:38e6d35cf7cd1727822c79e324fa0677e1a08c88a34f56695101f5ad4d5e20e5 \ + --hash=sha256:3b7693bb6ed3fbe250e222f9415abb73111bb09b73ab90d2d4d53f6390e0ccc1 \ + --hash=sha256:3c96fed246ccc1acb2df032ff642459e4ae18b315ecbab4d95c95cfa292e8517 \ + --hash=sha256:46cffa24891b06269e12f7e1ec50b73f0c9ab4ce71c2caa4ccf1fb36845e1ff7 \ + --hash=sha256:57f0101e6c97b411f287a0b7cf5ebc4e5d3b18254bf926f45a11615d29475793 \ + --hash=sha256:5d387940f0f1a0adb3c44481aa379122d06df8486cc8f652a7b3b0caf08435f7 \ + --hash=sha256:5e8148c2ce4894ce7e5a4925d9d3fdce429fb0e821b5a8783573f3611933a251 \ + --hash=sha256:61da798c05a06a362a2f8c5e3ff0341743e2818d0f530eaac0d6898f1b187f1f \ + --hash=sha256:64b48e2b609a6c22178a56c408ee1215a7206077ecb8a193e2fda31858b2362a \ + --hash=sha256:662bf5ce3c9b1cef32a32a2f4debe00d2f4839fefbebe1d6956e681122a9c839 \ + --hash=sha256:6a497bc66b3374b7d105763d1d3de76d949287bf28969bff4656206ab8a53aa9 \ + --hash=sha256:6b64708009cfabd9c2211295144ff455ec7ceb4c4fb45a07a804309598f36187 \ + --hash=sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd \ + --hash=sha256:79577cc045d3442c4e845df53df9f9202546e2ba54954c057d253fc17cd16cb1 \ + --hash=sha256:7ce64d23d4e71d9698492479505674c5c5b92cda02b07c91dfc13633b2eef805 \ + --hash=sha256:8a148410fa0e971ba333358d11a6dea7b48e063de127c2b09ece9d1c1137dde4 \ + --hash=sha256:8b6350b68566bb6b164fb06a3772e878887f3c857c46c0c534788081cb48adf4 \ + 
--hash=sha256:90e85834f0370d737c77a386ce505c21b06bfe7086c1c568b70e15a568d9670d \ + --hash=sha256:935b19fdcde236f4fbf691959fa5c3e2b6951fff132964e869e57c70f2ad1ba3 \ + --hash=sha256:98737c3ab5a2f8a85f2326eebcd214510f898881a290a7939a45ec294743c875 \ + --hash=sha256:9e3e4000cd54ef455694b8be9111ea20f66a686fc155feda1ecacf2322b115da \ + --hash=sha256:a4973232c98b9b44c78b1233693e5e1938add5af18042f031737e1214455f9b8 \ + --hash=sha256:a621742da75ce272d64ea57bd7651ee2a115fa67c0f11d66d9dcfc18c2f1b106 \ + --hash=sha256:b6b73ab347284719f818acb14f7cd80696c6fdf1bd34feee1955d7a72d2e64ce \ + --hash=sha256:b8460bc256bf0de821839aea6794bb38a4c0fbd48f949ea51093f6edce0be459 \ + --hash=sha256:b92893ebefc0151474f682e7debb6ab38552ce56a90e39a8834734c81f37c8a9 \ + --hash=sha256:c0501e1d12df6ab1211b8cad52d2f7b2cd81f8e8e776d39aa5e71e2998d0379f \ + --hash=sha256:c1ba253eb5af8d89864073e6ce8e6c8dec5f49920cff61f38f5c3383e38b1c9f \ + --hash=sha256:c261127c275d7bce50b26b26c7d8427dcb5c4803e840e913f8d9df3f99dca55f \ + --hash=sha256:c677aa39ec737fec932feb68e4a2abe142682f2885558402602cd9746a1c92e8 \ + --hash=sha256:d356aa5b18ef5a24d8081f5c5beb67c0a2a6ff2a953ee38d65a2aa96526b274f \ + --hash=sha256:db70c920cba9d05c69ad4a9e7f8e9e83011abb2c6490e561de9ae24aee44925c \ + --hash=sha256:e23a97a6c2f2db88995496db9387cd1727acdacc85835ba8619dce826c0b11a6 \ + --hash=sha256:e622314542fb48542c09c7bd1ac51d71c5632dd3c92dc82ede6da233f55f4848 \ + --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ + --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ + --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 +pydantic[email]==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:0067935d35044950be781933ab91b9a708eaff124bf860fa2f70aeb1c4be7212 \ + --hash=sha256:08caa8c0468172d27c669abfe9e7d96a8b1655ec0833753e117061febaaadef5 \ + --hash=sha256:0bb58bbe65a43483d49f66b6c8474424d551a3fbe8a7796c42da314bac712738 \ + 
--hash=sha256:185d5f1dff1fead51766da9b2de4f3dc3b8fca39e59383c273f34a6ae254e3e2 \ + --hash=sha256:1d7c332685eafacb64a1a7645b409a166eb7537f23142d26895746f628a3149b \ + --hash=sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586 \ + --hash=sha256:266ecfc384861d7b0b9c214788ddff75a2ea123aa756bcca6b2a1175edeca0fe \ + --hash=sha256:298d6f765e3c9825dfa78f24c1efd29af91c3ab1b763e1fd26ae4d9e1749e5c8 \ + --hash=sha256:2b6a04efdcd25486b27f24c1648d5adc1633ad8b4506d0e96e5367f075ed2e0b \ + --hash=sha256:2c9b782db6f993a36092480eeaab8ba0609f786041b01f39c7c52252bda6d85f \ + --hash=sha256:2ed4a5f13cf160d64aa331ab9017af81f3481cd9fd0e49f1d707b57fe1b9f3ae \ + --hash=sha256:35b263b60c519354afb3a60107d20470dd5250b3ce54c08753f6975c406d949b \ + --hash=sha256:36ceadef055af06e7756eb4b871cdc9e5a27bdc06a45c820cd94b443de019bbf \ + --hash=sha256:38e6d35cf7cd1727822c79e324fa0677e1a08c88a34f56695101f5ad4d5e20e5 \ + --hash=sha256:3b7693bb6ed3fbe250e222f9415abb73111bb09b73ab90d2d4d53f6390e0ccc1 \ + --hash=sha256:3c96fed246ccc1acb2df032ff642459e4ae18b315ecbab4d95c95cfa292e8517 \ + --hash=sha256:46cffa24891b06269e12f7e1ec50b73f0c9ab4ce71c2caa4ccf1fb36845e1ff7 \ + --hash=sha256:57f0101e6c97b411f287a0b7cf5ebc4e5d3b18254bf926f45a11615d29475793 \ + --hash=sha256:5d387940f0f1a0adb3c44481aa379122d06df8486cc8f652a7b3b0caf08435f7 \ + --hash=sha256:5e8148c2ce4894ce7e5a4925d9d3fdce429fb0e821b5a8783573f3611933a251 \ + --hash=sha256:61da798c05a06a362a2f8c5e3ff0341743e2818d0f530eaac0d6898f1b187f1f \ + --hash=sha256:64b48e2b609a6c22178a56c408ee1215a7206077ecb8a193e2fda31858b2362a \ + --hash=sha256:662bf5ce3c9b1cef32a32a2f4debe00d2f4839fefbebe1d6956e681122a9c839 \ + --hash=sha256:6a497bc66b3374b7d105763d1d3de76d949287bf28969bff4656206ab8a53aa9 \ + --hash=sha256:6b64708009cfabd9c2211295144ff455ec7ceb4c4fb45a07a804309598f36187 \ + --hash=sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd \ + --hash=sha256:79577cc045d3442c4e845df53df9f9202546e2ba54954c057d253fc17cd16cb1 \ + 
--hash=sha256:7ce64d23d4e71d9698492479505674c5c5b92cda02b07c91dfc13633b2eef805 \ + --hash=sha256:8a148410fa0e971ba333358d11a6dea7b48e063de127c2b09ece9d1c1137dde4 \ + --hash=sha256:8b6350b68566bb6b164fb06a3772e878887f3c857c46c0c534788081cb48adf4 \ + --hash=sha256:90e85834f0370d737c77a386ce505c21b06bfe7086c1c568b70e15a568d9670d \ + --hash=sha256:935b19fdcde236f4fbf691959fa5c3e2b6951fff132964e869e57c70f2ad1ba3 \ + --hash=sha256:98737c3ab5a2f8a85f2326eebcd214510f898881a290a7939a45ec294743c875 \ + --hash=sha256:9e3e4000cd54ef455694b8be9111ea20f66a686fc155feda1ecacf2322b115da \ + --hash=sha256:a4973232c98b9b44c78b1233693e5e1938add5af18042f031737e1214455f9b8 \ + --hash=sha256:a621742da75ce272d64ea57bd7651ee2a115fa67c0f11d66d9dcfc18c2f1b106 \ + --hash=sha256:b6b73ab347284719f818acb14f7cd80696c6fdf1bd34feee1955d7a72d2e64ce \ + --hash=sha256:b8460bc256bf0de821839aea6794bb38a4c0fbd48f949ea51093f6edce0be459 \ + --hash=sha256:b92893ebefc0151474f682e7debb6ab38552ce56a90e39a8834734c81f37c8a9 \ + --hash=sha256:c0501e1d12df6ab1211b8cad52d2f7b2cd81f8e8e776d39aa5e71e2998d0379f \ + --hash=sha256:c1ba253eb5af8d89864073e6ce8e6c8dec5f49920cff61f38f5c3383e38b1c9f \ + --hash=sha256:c261127c275d7bce50b26b26c7d8427dcb5c4803e840e913f8d9df3f99dca55f \ + --hash=sha256:c677aa39ec737fec932feb68e4a2abe142682f2885558402602cd9746a1c92e8 \ + --hash=sha256:d356aa5b18ef5a24d8081f5c5beb67c0a2a6ff2a953ee38d65a2aa96526b274f \ + --hash=sha256:db70c920cba9d05c69ad4a9e7f8e9e83011abb2c6490e561de9ae24aee44925c \ + --hash=sha256:e23a97a6c2f2db88995496db9387cd1727acdacc85835ba8619dce826c0b11a6 \ + --hash=sha256:e622314542fb48542c09c7bd1ac51d71c5632dd3c92dc82ede6da233f55f4848 \ + --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ + --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ + --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 +pynacl==1.5.0 ; python_version >= "3.10" and python_version < "4.0" \ + 
--hash=sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858 \ + --hash=sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d \ + --hash=sha256:20f42270d27e1b6a29f54032090b972d97f0a1b0948cc52392041ef7831fee93 \ + --hash=sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1 \ + --hash=sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92 \ + --hash=sha256:61f642bf2378713e2c2e1de73444a3778e5f0a38be6fee0fe532fe30060282ff \ + --hash=sha256:8ac7448f09ab85811607bdd21ec2464495ac8b7c66d146bf545b0f08fb9220ba \ + --hash=sha256:a36d4a9dda1f19ce6e03c9a784a2921a4b726b02e1c736600ca9c22029474394 \ + --hash=sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b \ + --hash=sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543 +pypandoc==1.15 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:4ededcc76c8770f27aaca6dff47724578428eca84212a31479403a9731fc2b16 \ + --hash=sha256:ea25beebe712ae41d63f7410c08741a3cab0e420f6703f95bc9b3a749192ce13 +pytest==7.4.4 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:2cf0005922c6ace4a3e2ec8b4080eb0d9753fdc93107415332f50ce9e7994280 \ + --hash=sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8 +python-dotenv==1.0.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca \ + --hash=sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a +python-frontmatter==1.1.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:335465556358d9d0e6c98bbeb69b1c969f2a4a21360587b9873bfc3b213407c1 \ + --hash=sha256:7118d2bd56af9149625745c58c9b51fb67e8d1294a0c76796dafdc72c36e5f6d +python-slugify==8.0.4 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:276540b79961052b66b7d116620b36518847f52d5fd9e3a70164fc8c50faa6b8 \ + 
--hash=sha256:59202371d1d05b54a9e7720c5e038f928f45daaffe41dd10822f3907b937c856 +pywin32==308 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" \ + --hash=sha256:00b3e11ef09ede56c6a43c71f2d31857cf7c54b0ab6e78ac659497abd2834f47 \ + --hash=sha256:100a5442b7332070983c4cd03f2e906a5648a5104b8a7f50175f7906efd16bb6 \ + --hash=sha256:13dcb914ed4347019fbec6697a01a0aec61019c1046c2b905410d197856326a6 \ + --hash=sha256:1c44539a37a5b7b21d02ab34e6a4d314e0788f1690d65b48e9b0b89f31abbbed \ + --hash=sha256:1f696ab352a2ddd63bd07430080dd598e6369152ea13a25ebcdd2f503a38f1ff \ + --hash=sha256:3b92622e29d651c6b783e368ba7d6722b1634b8e70bd376fd7610fe1992e19de \ + --hash=sha256:4fc888c59b3c0bef905ce7eb7e2106a07712015ea1c8234b703a088d46110e8e \ + --hash=sha256:575621b90f0dc2695fec346b2d6302faebd4f0f45c05ea29404cefe35d89442b \ + --hash=sha256:5794e764ebcabf4ff08c555b31bd348c9025929371763b2183172ff4708152f0 \ + --hash=sha256:587f3e19696f4bf96fde9d8a57cec74a57021ad5f204c9e627e15c33ff568897 \ + --hash=sha256:5d8c8015b24a7d6855b1550d8e660d8daa09983c80e5daf89a273e5c6fb5095a \ + --hash=sha256:71b3322d949b4cc20776436a9c9ba0eeedcbc9c650daa536df63f0ff111bb920 \ + --hash=sha256:7873ca4dc60ab3287919881a7d4f88baee4a6e639aa6962de25a98ba6b193341 \ + --hash=sha256:796ff4426437896550d2981b9c2ac0ffd75238ad9ea2d3bfa67a1abd546d262e \ + --hash=sha256:9b4de86c8d909aed15b7011182c8cab38c8850de36e6afb1f0db22b8959e3091 \ + --hash=sha256:a5ab5381813b40f264fa3495b98af850098f814a25a63589a8e9eb12560f450c \ + --hash=sha256:ef313c46d4c18dfb82a2431e3051ac8f112ccee1a34f29c263c583c568db63cd \ + --hash=sha256:fd380990e792eaf6827fcb7e187b2b4b1cede0585e3d0c9e84201ec27b9905e4 +pyyaml==6.0.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff \ + --hash=sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48 \ + --hash=sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086 \ + 
--hash=sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e \ + --hash=sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133 \ + --hash=sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5 \ + --hash=sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484 \ + --hash=sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee \ + --hash=sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5 \ + --hash=sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68 \ + --hash=sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a \ + --hash=sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf \ + --hash=sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99 \ + --hash=sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8 \ + --hash=sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85 \ + --hash=sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19 \ + --hash=sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc \ + --hash=sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a \ + --hash=sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1 \ + --hash=sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317 \ + --hash=sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c \ + --hash=sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631 \ + --hash=sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d \ + --hash=sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652 \ + --hash=sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5 \ + --hash=sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e \ + --hash=sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b \ + 
--hash=sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8 \ + --hash=sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476 \ + --hash=sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706 \ + --hash=sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563 \ + --hash=sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237 \ + --hash=sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b \ + --hash=sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083 \ + --hash=sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180 \ + --hash=sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425 \ + --hash=sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e \ + --hash=sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f \ + --hash=sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725 \ + --hash=sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183 \ + --hash=sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab \ + --hash=sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774 \ + --hash=sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725 \ + --hash=sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e \ + --hash=sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5 \ + --hash=sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d \ + --hash=sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290 \ + --hash=sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44 \ + --hash=sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed \ + --hash=sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4 \ + --hash=sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba \ + 
--hash=sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12 \ + --hash=sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4 +requests==2.32.3 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ + --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 +rtyaml==1.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:589129e75ecb2ba0def3dcc094bb462f68faed48e42a8fa0fcf4a9d6119fd725 \ + --hash=sha256:66aa6e2f2c8c29ccab9d1713072a4e06c52c6cdcfe27ebd50706df09638c4586 +ruamel-yaml-clib==0.2.12 ; platform_python_implementation == "CPython" and python_version < "3.13" and python_version >= "3.10" \ + --hash=sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b \ + --hash=sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4 \ + --hash=sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef \ + --hash=sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5 \ + --hash=sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3 \ + --hash=sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632 \ + --hash=sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6 \ + --hash=sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7 \ + --hash=sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680 \ + --hash=sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf \ + --hash=sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da \ + --hash=sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6 \ + --hash=sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a \ + --hash=sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01 \ + 
--hash=sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519 \ + --hash=sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6 \ + --hash=sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f \ + --hash=sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd \ + --hash=sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2 \ + --hash=sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52 \ + --hash=sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd \ + --hash=sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d \ + --hash=sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c \ + --hash=sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6 \ + --hash=sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb \ + --hash=sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a \ + --hash=sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969 \ + --hash=sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28 \ + --hash=sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d \ + --hash=sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e \ + --hash=sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45 \ + --hash=sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4 \ + --hash=sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12 \ + --hash=sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31 \ + --hash=sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642 \ + --hash=sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e \ + --hash=sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285 \ + --hash=sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed \ + 
--hash=sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1 \ + --hash=sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7 \ + --hash=sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3 \ + --hash=sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475 \ + --hash=sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5 \ + --hash=sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76 \ + --hash=sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987 \ + --hash=sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df +ruamel-yaml==0.18.10 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:20c86ab29ac2153f80a428e1254a8adf686d3383df04490514ca3b79a362db58 \ + --hash=sha256:30f22513ab2301b3d2b577adc121c6471f28734d3d9728581245f1e76468b4f1 +six==1.17.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \ + --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81 +slugify==0.0.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:c5703cc11c1a6947536f3ce8bb306766b8bb5a84a53717f5a703ce0f18235e4c +smmap==5.0.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:26ea65a03958fa0c8a1c7e8c7a58fdc77221b8910f6be2131affade476898ad5 \ + --hash=sha256:b30115f0def7d7531d22a0fb6502488d879e75b260a9db4d0819cfb25403af5e +sniffio==1.3.1 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2 \ + --hash=sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc +text-unidecode==1.3 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1311f10e8b895935241623731c2ba64f4c455287888b18189350b67134a822e8 \ + --hash=sha256:bad6603bb14d279193107714b288be206cac565dfa49aa5b105294dd5c4aab93 
+toml==0.10.2 ; python_version >= "3.10" and python_version < "3.11" \ + --hash=sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b \ + --hash=sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f +tomli==2.2.1 ; python_version >= "3.10" and python_version < "3.11" \ + --hash=sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6 \ + --hash=sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd \ + --hash=sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c \ + --hash=sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b \ + --hash=sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8 \ + --hash=sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6 \ + --hash=sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77 \ + --hash=sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff \ + --hash=sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea \ + --hash=sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192 \ + --hash=sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249 \ + --hash=sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee \ + --hash=sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4 \ + --hash=sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98 \ + --hash=sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8 \ + --hash=sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4 \ + --hash=sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281 \ + --hash=sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744 \ + --hash=sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69 \ + --hash=sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13 \ + 
--hash=sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140 \ + --hash=sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e \ + --hash=sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e \ + --hash=sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc \ + --hash=sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff \ + --hash=sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec \ + --hash=sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2 \ + --hash=sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222 \ + --hash=sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106 \ + --hash=sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272 \ + --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \ + --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7 +typing-extensions==4.12.2 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d \ + --hash=sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8 +urllib3==2.3.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \ + --hash=sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d From bd6c97c830a2a2611fe991ab061b8db4614b15b4 Mon Sep 17 00:00:00 2001 
From: Tom Camp Date: Thu, 30 Jan 2025 17:43:53 -0500 Subject: [PATCH 3/7] Adding file watcher. --- Dockerfile | 31 ++++++++ docker-compose.yml | 10 +++ poetry.lock | 125 ++++++++++++++++++++++++++++++- pyproject.toml | 1 + requirements.txt | 90 +++++++++------------- results/.gitkeep | 0 tools/createfiles/createfiles.py | 47 +++++------- tools/watcher.py | 59 +++++++++++++++ 8 files changed, 277 insertions(+), 86 deletions(-) create mode 100644 Dockerfile create mode 100644 docker-compose.yml create mode 100644 results/.gitkeep create mode 100644 tools/watcher.py
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..bc0d0b5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,31 @@
+FROM python:3.10-slim AS python-base
+
+RUN apt update && apt install -y --no-install-recommends \
+ gcc \
+ g++ \
+ libffi-dev \
+ musl-dev \
+ build-essential \
+ && apt clean && rm -rf /var/lib/apt/lists/*
+
+ENV PYTHONUNBUFFERED=1 \
+ PYTHONDONTWRITEBYTECODE=1 \
+ PIP_NO_CACHE_DIR=off \
+ POETRY_VERSION=2.0.1 \
+ POETRY_HOME="/opt/poetry" \
+ POETRY_VIRTUALENVS_IN_PROJECT=true \
+ POETRY_NO_INTERACTION=1
+
+RUN pip install "poetry==$POETRY_VERSION"
+
+ENV PATH="$POETRY_HOME/bin:$PATH"
+
+WORKDIR /app
+
+COPY . ./
+
+RUN poetry config virtualenvs.create false
+
+RUN poetry install
+
+CMD ["python", "tools/watcher.py"]
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3fd2275
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,10 @@
+services:
+ file_watcher:
+ user: 1000:1000
+ environment:
+ - UID=${UID}
+ - GID=${GID}
+ build: .
+ volumes:
+ - .:/app
+ command: python tools/watcher.py
diff --git a/poetry.lock b/poetry.lock
index 378821f..9e1d5c2 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.0.1 and should not be changed by hand. [[package]] name = "anyio" 
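Review bot: `COPY . ./` copies the whole build context into the image before `poetry install`, and the commit adds no `.dockerignore`, so `.git`, the new `results/` tree and any local env or credential files in the working tree become part of an image layer, and every source edit also invalidates the dependency-install layer. Copying the manifests first — `COPY pyproject.toml poetry.lock ./`, then `RUN poetry install` (with `--no-root` if the package itself is not needed at build time), and only afterwards `COPY . ./` — keeps working-tree files out of the cached layer and lets it be reused. `ENV PATH="$POETRY_HOME/bin:$PATH"` has no effect as written, since Poetry is installed with pip into the system site-packages rather than into `POETRY_HOME`, and `POETRY_VIRTUALENVS_IN_PROJECT=true` is overridden by the later `poetry config virtualenvs.create false`; dropping the unused settings would make the build's intent clearer. No `USER` is set, so the container runs as root whenever it is started without the compose file's `user:` override.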
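Review bot: `user: 1000:1000` is hard-coded while `UID` and `GID` are passed through `environment:`, but nothing in the compose file uses those two variables (whether `tools/watcher.py` reads them is not visible here), so on a host whose checkout is owned by a different uid the watcher presumably cannot write into the bind-mounted tree, or leaves files the host user cannot remove. Using them where they are already expected, `user: "${UID}:${GID}"`, and dropping the `environment:` entries makes ownership consistent; note that `UID` is a shell variable rather than an exported one, so it has to be exported or placed in a `.env` file for the substitution to be non-empty. The `.:/app` bind mount also hands the whole checkout, `.git` included, to the container; if the watcher only needs its input and `results/` directories, mounting those paths alone limits what a defect in it can modify.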
@@ -6,6 +6,7 @@ version = "4.8.0" description = "High level compatibility layer for multiple asynchronous event loop implementations" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "anyio-4.8.0-py3-none-any.whl", hash = "sha256:b5011f270ab5eb0abf13385f851315585cc37ef330dd88e27ec3d34d651fd47a"}, {file = "anyio-4.8.0.tar.gz", hash = "sha256:1d9fe889df5212298c0c0723fa20479d1b94883a2df44bd3897aa91083316f7a"}, @@ -28,6 +29,7 @@ version = "3.5.3" description = "Bash tab completion for argparse" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "argcomplete-3.5.3-py3-none-any.whl", hash = "sha256:2ab2c4a215c59fd6caaff41a869480a23e8f6a5f910b266c1808037f4e375b61"}, {file = "argcomplete-3.5.3.tar.gz", hash = "sha256:c12bf50eded8aebb298c7b7da7a5ff3ee24dffd9f5281867dfe1424b58c55392"}, @@ -42,6 +44,7 @@ version = "25.1.0" description = "Classes Without Boilerplate" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "attrs-25.1.0-py3-none-any.whl", hash = "sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a"}, {file = "attrs-25.1.0.tar.gz", hash = "sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e"}, @@ -61,6 +64,7 @@ version = "4.2.1" description = "Modern password hashing for your software and your servers" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "bcrypt-4.2.1-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:1340411a0894b7d3ef562fb233e4b6ed58add185228650942bdc885362f32c17"}, {file = "bcrypt-4.2.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b1ee315739bc8387aa36ff127afc99120ee452924e0df517a8f3e4c0187a0f5f"}, 
@@ -99,6 +103,7 @@ version = "25.1.0" description = "The uncompromising code formatter." optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "black-25.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32"}, {file = "black-25.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da"}, @@ -145,6 +150,7 @@ version = "1.9.0" description = "Fast, simple object-to-object and broadcast signaling" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "blinker-1.9.0-py3-none-any.whl", hash = "sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc"}, {file = "blinker-1.9.0.tar.gz", hash = "sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf"}, @@ -156,6 +162,7 @@ version = "2024.12.14" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "certifi-2024.12.14-py3-none-any.whl", hash = "sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56"}, {file = "certifi-2024.12.14.tar.gz", hash = "sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db"}, @@ -167,6 +174,7 @@ version = "1.17.1" description = "Foreign Function Interface for Python calling C code." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "cffi-1.17.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14"}, {file = "cffi-1.17.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67"}, 
@@ -246,6 +254,7 @@ version = "3.4.1" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "charset_normalizer-3.4.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:91b36a978b5ae0ee86c394f5a54d6ef44db1de0815eb43de826d41d21e4af3de"}, {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7461baadb4dc00fd9e0acbe254e3d7d2112e7f92ced2adc96e54ef6501c5f176"}, @@ -347,6 +356,7 @@ version = "8.1.8" description = "Composable command line interface toolkit" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "click-8.1.8-py3-none-any.whl", hash = "sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2"}, {file = "click-8.1.8.tar.gz", hash = "sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a"}, @@ -361,6 +371,7 @@ version = "0.6.0" description = "Minimal bindings to GitHub's fork of cmark" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "cmarkgfm-0.6.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:02f14c7e77fcddf044df14cc227d7703027ee720bac719616ac505af29812b73"}, {file = "cmarkgfm-0.6.0-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:786e8a06f7eec6eb3f3789353a586c8b065570d2db9811fdcdaced736a36ce53"}, @@ -423,6 +434,8 @@ version = "0.4.6" description = "Cross-platform colored terminal text." optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +groups = ["main"] +markers = "platform_system == \"Windows\" or sys_platform == \"win32\"" files = [ {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, 
@@ -434,6 +447,7 @@ version = "2.5.0" description = "Tools to manage & autogenerate python objects representing the OSCAL layers/models" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "compliance-trestle-2.5.0.tar.gz", hash = "sha256:60faaaed194687060cb8309f53b315aec8dde086cadecf5faa20425fe159d5ce"}, {file = "compliance_trestle-2.5.0-py2.py3-none-any.whl", hash = "sha256:67bc7ae5e5d02520a8a9f9370ff6c1760d739d2e17434dcd2bf5399a61b4f497"}, @@ -467,6 +481,7 @@ version = "0.1.0-alpha.3" description = "Python library for reading/writing compliance as code" optional = false python-versions = "^3.10" +groups = ["main"] files = [] develop = false @@ -494,6 +509,7 @@ version = "41.0.6" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "cryptography-41.0.6-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:0f27acb55a4e77b9be8d550d762b0513ef3fc658cd3eb15110ebbcbd626db12c"}, {file = "cryptography-41.0.6-cp37-abi3-macosx_10_12_x86_64.whl", hash = "sha256:ae236bb8760c1e55b7a39b6d4d32d2279bc6c7c8500b7d5a13b6fb9fc97be35b"}, @@ -539,6 +555,7 @@ version = "0.26.5" description = "Datamodel Code Generator" optional = false python-versions = "<4.0,>=3.8" +groups = ["main"] files = [ {file = "datamodel_code_generator-0.26.5-py3-none-any.whl", hash = "sha256:e32f986b9914a2b45093947043aa0192d704650be93151f78acf5c95676601ce"}, {file = "datamodel_code_generator-0.26.5.tar.gz", hash = "sha256:c4a94a7dbf7972129882732d9bcee44c9ae090f57c82edd58d237b9d48c40dd0"}, 
@@ -573,6 +590,7 @@ version = "0.7.1" description = "XML bomb protection for Python stdlib modules" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +groups = ["main"] files = [ {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"}, {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"}, @@ -584,6 +602,7 @@ version = "2.7.0" description = "DNS toolkit" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "dnspython-2.7.0-py3-none-any.whl", hash = "sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86"}, {file = "dnspython-2.7.0.tar.gz", hash = "sha256:ce9c432eda0dc91cf618a5cedf1a4e142651196bbcd2c80e89ed5a907e5cfaf1"}, @@ -604,6 +623,7 @@ version = "2.2.0" description = "A robust email address syntax and deliverability validation library." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "email_validator-2.2.0-py3-none-any.whl", hash = "sha256:561977c2d73ce3611850a06fa56b414621e0c8faa9d66f2611407d87465da631"}, {file = "email_validator-2.2.0.tar.gz", hash = "sha256:cb690f344c617a714f22e66ae771445a1ceb46821152df8e165c5f9a364582b7"}, @@ -619,6 +639,7 @@ version = "2.0.0" description = "An implementation of lxml.xmlfile for the standard library" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "et_xmlfile-2.0.0-py3-none-any.whl", hash = "sha256:7a91720bc756843502c3b7504c77b8fe44217c85c537d85037f0f536151b2caa"}, {file = "et_xmlfile-2.0.0.tar.gz", hash = "sha256:dab3f4764309081ce75662649be815c4c9081e88f0837825f90fd28317d4da54"}, 
@@ -630,6 +651,8 @@ version = "1.2.2" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" +groups = ["main"] +markers = "python_version < \"3.11\"" files = [ {file = "exceptiongroup-1.2.2-py3-none-any.whl", hash = "sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b"}, {file = "exceptiongroup-1.2.2.tar.gz", hash = "sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc"}, @@ -644,6 +667,7 @@ version = "4.0.1" description = "A collection of useful non-standard Python functions which aim to be simple to use, highly readable but not efficient." optional = false python-versions = "<4,>=3.7" +groups = ["main"] files = [ {file = "fpyutils-4.0.1-py3-none-any.whl", hash = "sha256:006cfbdbd87915d8a1c5b7062b6c8d2f4f9fd12c3e707d89c27e6abd6c67c6b2"}, {file = "fpyutils-4.0.1.tar.gz", hash = "sha256:5ee8448b09863d5905ad22cf5f6c8af79d3b314617ac8fbded48eb2a414988e6"}, @@ -655,6 +679,7 @@ version = "2.1.3" description = "URL manipulation made simple." optional = false python-versions = "*" +groups = ["main"] files = [ {file = "furl-2.1.3-py2.py3-none-any.whl", hash = "sha256:9ab425062c4217f9802508e45feb4a83e54324273ac4b202f1850363309666c0"}, {file = "furl-2.1.3.tar.gz", hash = "sha256:5a6188fe2666c484a12159c18be97a1977a71d632ef5bb867ef15f54af39cc4e"}, @@ -670,6 +695,7 @@ version = "1.3.0" description = "GenSON is a powerful, user-friendly JSON Schema generator." optional = false python-versions = "*" +groups = ["main"] files = [ {file = "genson-1.3.0-py3-none-any.whl", hash = "sha256:468feccd00274cc7e4c09e84b08704270ba8d95232aa280f65b986139cec67f7"}, {file = "genson-1.3.0.tar.gz", hash = "sha256:e02db9ac2e3fd29e65b5286f7135762e2cd8a986537c075b06fc5f1517308e37"}, 
@@ -681,6 +707,7 @@ version = "4.0.12" description = "Git Object Database" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "gitdb-4.0.12-py3-none-any.whl", hash = "sha256:67073e15955400952c6565cc3e707c554a4eea2e428946f7a4c162fab9bd9bcf"}, {file = "gitdb-4.0.12.tar.gz", hash = "sha256:5ef71f855d191a3326fcfbc0d5da835f26b13fbcba60c32c21091c349ffdb571"}, @@ -695,6 +722,7 @@ version = "3.1.44" description = "GitPython is a Python library used to interact with Git repositories" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "GitPython-3.1.44-py3-none-any.whl", hash = "sha256:9e0e10cda9bed1ee64bc9a6de50e7e38a9c9943241cd7f585f6df3ed28011110"}, {file = "gitpython-3.1.44.tar.gz", hash = "sha256:c87e30b26253bf5418b01b0660f818967f3c503193838337fe5e573331249269"}, @@ -713,6 +741,7 @@ version = "0.14.0" description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"}, {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"}, @@ -724,6 +753,7 @@ version = "1.0.7" description = "A minimal low-level HTTP client." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd"}, {file = "httpcore-1.0.7.tar.gz", hash = "sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c"}, 
@@ -745,6 +775,7 @@ version = "0.28.1" description = "The next generation HTTP client." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "httpx-0.28.1-py3-none-any.whl", hash = "sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad"}, {file = "httpx-0.28.1.tar.gz", hash = "sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc"}, @@ -769,6 +800,7 @@ version = "3.10" description = "Internationalized Domain Names in Applications (IDNA)" optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"}, {file = "idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"}, @@ -783,6 +815,7 @@ version = "0.3.2" description = "i like command-line interfaces" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "ilcli-0.3.2-py2.py3-none-any.whl", hash = "sha256:dfb7d2da49c63ef92c5a589eb5f765d073d7ea83275c3dd2aea8ae5cbe4c5be2"}, {file = "ilcli-0.3.2.tar.gz", hash = "sha256:8a56b053836f8b0e1bbbdda884288d18dc966bd8e90fdf9b340914dba625cd7f"}, @@ -797,6 +830,7 @@ version = "5.6.2" description = "Correctly generate plurals, singular nouns, ordinals, indefinite articles; convert numbers to words" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "inflect-5.6.2-py3-none-any.whl", hash = "sha256:b45d91a4a28a4e617ff1821117439b06eaa86e2a4573154af0149e9be6687238"}, {file = "inflect-5.6.2.tar.gz", hash = "sha256:aadc7ed73928f5e014129794bbac03058cca35d0a973a5fc4eb45c7fa26005f9"}, 
@@ -812,6 +846,7 @@ version = "2.0.0" description = "brain-dead simple config-ini parsing" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, @@ -823,6 +858,7 @@ version = "5.13.2" description = "A Python utility / library to sort Python imports." optional = false python-versions = ">=3.8.0" +groups = ["main"] files = [ {file = "isort-5.13.2-py3-none-any.whl", hash = "sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6"}, {file = "isort-5.13.2.tar.gz", hash = "sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109"}, @@ -837,6 +873,7 @@ version = "3.1.5" description = "A very fast and expressive template engine." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "jinja2-3.1.5-py3-none-any.whl", hash = "sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb"}, {file = "jinja2-3.1.5.tar.gz", hash = "sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb"}, @@ -854,6 +891,7 @@ version = "3.0.2" description = "Safely add untrusted strings to HTML/XML markup." optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"}, {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158"}, 
@@ -924,6 +962,7 @@ version = "9.0.0" description = "Automatically generate and add an accurate table of contents to markdown files" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "md_toc-9.0.0-py3-none-any.whl", hash = "sha256:dfd57de2faf252be1d6faf9bed7eab506e1caa7c4486ab6d6d04556426d5a7a5"}, {file = "md_toc-9.0.0.tar.gz", hash = "sha256:a4e73b59f71c20b94c8c16bc6ef3bc2e80d1d40c398050101f80c3567fda7271"}, @@ -938,6 +977,7 @@ version = "1.0.0" description = "Type system extensions for programs checked with the mypy type checker." optional = false python-versions = ">=3.5" +groups = ["main"] files = [ {file = "mypy_extensions-1.0.0-py3-none-any.whl", hash = "sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d"}, {file = "mypy_extensions-1.0.0.tar.gz", hash = "sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782"}, @@ -949,6 +989,7 @@ version = "3.1.5" description = "A Python library to read/write Excel 2010 xlsx/xlsm files" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "openpyxl-3.1.5-py2.py3-none-any.whl", hash = "sha256:5282c12b107bffeef825f4617dc029afaf41d0ea60823bbb665ef3079dc79de2"}, {file = "openpyxl-3.1.5.tar.gz", hash = "sha256:cf0e3cf56142039133628b5acffe8ef0c12bc902d2aadd3e0fe5878dc08d1050"}, @@ -963,6 +1004,7 @@ version = "1.0.1" description = "Ordered Multivalue Dictionary" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "orderedmultidict-1.0.1-py2.py3-none-any.whl", hash = "sha256:43c839a17ee3cdd62234c47deca1a8508a3f2ca1d0678a3bf791c87cf84adbf3"}, {file = "orderedmultidict-1.0.1.tar.gz", hash = "sha256:04070bbb5e87291cc9bfa51df413677faf2141c73c61d2a5f7b26bea3cd882ad"}, 
@@ -977,6 +1019,7 @@ version = "3.10.15" description = "Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "orjson-3.10.15-cp310-cp310-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:552c883d03ad185f720d0c09583ebde257e41b9521b74ff40e08b7dec4559c04"}, {file = "orjson-3.10.15-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:616e3e8d438d02e4854f70bfdc03a6bcdb697358dbaa6bcd19cbe24d24ece1f8"}, @@ -1065,6 +1108,7 @@ version = "24.2" description = "Core utilities for Python packages" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"}, {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"}, @@ -1076,6 +1120,7 @@ version = "3.4.0" description = "SSH2 protocol library" optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "paramiko-3.4.0-py3-none-any.whl", hash = "sha256:43f0b51115a896f9c00f59618023484cb3a14b98bbceab43394a39c6739b7ee7"}, {file = "paramiko-3.4.0.tar.gz", hash = "sha256:aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3"}, @@ -1097,6 +1142,7 @@ version = "0.12.1" description = "Utility library for gitignore style pattern matching of file paths." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "pathspec-0.12.1-py3-none-any.whl", hash = "sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08"}, {file = "pathspec-0.12.1.tar.gz", hash = "sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"}, 
@@ -1108,6 +1154,7 @@ version = "4.3.6" description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "platformdirs-4.3.6-py3-none-any.whl", hash = "sha256:73e575e1408ab8103900836b97580d5307456908a03e92031bab39e4554cc3fb"}, {file = "platformdirs-4.3.6.tar.gz", hash = "sha256:357fb2acbc885b0419afd3ce3ed34564c13c9b95c89360cd9563f73aa5e2b907"}, @@ -1124,6 +1171,7 @@ version = "1.5.0" description = "plugin and hook calling mechanisms for python" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, @@ -1139,6 +1187,7 @@ version = "2.0.1" description = "Poetry PEP 517 Build Backend" optional = false python-versions = "<4.0,>=3.9" +groups = ["main"] files = [ {file = "poetry_core-2.0.1-py3-none-any.whl", hash = "sha256:a3c7009536522cda4eb0fb3805c9dc935b5537f8727dd01efb9c15e51a17552b"}, {file = "poetry_core-2.0.1.tar.gz", hash = "sha256:10177c2772469d9032a49f0d8707af761b1c597cea3b4fb31546e5cd436eb157"}, @@ -1150,6 +1199,7 @@ version = "2.22" description = "C parser in Python" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, 
@@ -1161,6 +1211,7 @@ version = "1.10.21" description = "Data validation and settings management using python type hints" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "pydantic-1.10.21-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586"}, {file = "pydantic-1.10.21-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd"}, @@ -1228,6 +1279,7 @@ version = "1.5.0" description = "Python binding to the Networking and Cryptography (NaCl) library" optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1"}, {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92"}, @@ -1254,6 +1306,7 @@ version = "1.15" description = "Thin wrapper for pandoc." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "pypandoc-1.15-py3-none-any.whl", hash = "sha256:4ededcc76c8770f27aaca6dff47724578428eca84212a31479403a9731fc2b16"}, {file = "pypandoc-1.15.tar.gz", hash = "sha256:ea25beebe712ae41d63f7410c08741a3cab0e420f6703f95bc9b3a749192ce13"}, @@ -1265,6 +1318,7 @@ version = "7.4.4" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "pytest-7.4.4-py3-none-any.whl", hash = "sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8"}, {file = "pytest-7.4.4.tar.gz", hash = "sha256:2cf0005922c6ace4a3e2ec8b4080eb0d9753fdc93107415332f50ce9e7994280"}, 
@@ -1287,6 +1341,7 @@ version = "1.0.1" description = "Read key-value pairs from a .env file and set them as environment variables" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "python-dotenv-1.0.1.tar.gz", hash = "sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca"}, {file = "python_dotenv-1.0.1-py3-none-any.whl", hash = "sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a"}, @@ -1301,6 +1356,7 @@ version = "1.1.0" description = "Parse and manage posts with YAML (or other) frontmatter" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "python-frontmatter-1.1.0.tar.gz", hash = "sha256:7118d2bd56af9149625745c58c9b51fb67e8d1294a0c76796dafdc72c36e5f6d"}, {file = "python_frontmatter-1.1.0-py3-none-any.whl", hash = "sha256:335465556358d9d0e6c98bbeb69b1c969f2a4a21360587b9873bfc3b213407c1"}, @@ -1319,6 +1375,7 @@ version = "8.0.4" description = "A Python slugify application that also handles Unicode" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "python-slugify-8.0.4.tar.gz", hash = "sha256:59202371d1d05b54a9e7720c5e038f928f45daaffe41dd10822f3907b937c856"}, {file = "python_slugify-8.0.4-py2.py3-none-any.whl", hash = "sha256:276540b79961052b66b7d116620b36518847f52d5fd9e3a70164fc8c50faa6b8"}, @@ -1336,6 +1393,8 @@ version = "308" description = "Python for Window Extensions" optional = false python-versions = "*" +groups = ["main"] +markers = "platform_system == \"Windows\"" files = [ {file = "pywin32-308-cp310-cp310-win32.whl", hash = "sha256:796ff4426437896550d2981b9c2ac0ffd75238ad9ea2d3bfa67a1abd546d262e"}, {file = "pywin32-308-cp310-cp310-win_amd64.whl", hash = "sha256:4fc888c59b3c0bef905ce7eb7e2106a07712015ea1c8234b703a088d46110e8e"}, 
@@ -1363,6 +1422,7 @@ version = "6.0.2" description = "YAML parser and emitter for Python" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"}, {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"}, @@ -1425,6 +1485,7 @@ version = "2.32.3" description = "Python HTTP for Humans." optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, @@ -1446,6 +1507,7 @@ version = "1.0.0" description = "All the annoying things to make YAML usable in a source controlled environment." optional = false python-versions = "*" +groups = ["main"] files = [ {file = "rtyaml-1.0.0-py2.py3-none-any.whl", hash = "sha256:589129e75ecb2ba0def3dcc094bb462f68faed48e42a8fa0fcf4a9d6119fd725"}, {file = "rtyaml-1.0.0.tar.gz", hash = "sha256:66aa6e2f2c8c29ccab9d1713072a4e06c52c6cdcfe27ebd50706df09638c4586"}, @@ -1460,6 +1522,7 @@ version = "0.18.10" description = "ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "ruamel.yaml-0.18.10-py3-none-any.whl", hash = "sha256:30f22513ab2301b3d2b577adc121c6471f28734d3d9728581245f1e76468b4f1"}, {file = "ruamel.yaml-0.18.10.tar.gz", hash = "sha256:20c86ab29ac2153f80a428e1254a8adf686d3383df04490514ca3b79a362db58"}, 
@@ -1478,6 +1541,8 @@ version = "0.2.12" description = "C version of reader, parser and emitter for ruamel.yaml derived from libyaml" optional = false python-versions = ">=3.9" +groups = ["main"] +markers = "platform_python_implementation == \"CPython\" and python_version < \"3.13\"" files = [ {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-macosx_13_0_arm64.whl", hash = "sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux2014_aarch64.whl", hash = "sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969"}, @@ -1533,6 +1598,7 @@ version = "1.17.0" description = "Python 2 and 3 compatibility utilities" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +groups = ["main"] files = [ {file = "six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"}, {file = "six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81"}, @@ -1544,6 +1610,7 @@ version = "0.0.1" description = "A generic slugifier." optional = false python-versions = "*" +groups = ["main"] files = [ {file = "slugify-0.0.1.tar.gz", hash = "sha256:c5703cc11c1a6947536f3ce8bb306766b8bb5a84a53717f5a703ce0f18235e4c"}, ] @@ -1554,6 +1621,7 @@ version = "5.0.2" description = "A pure Python implementation of a sliding window memory map manager" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "smmap-5.0.2-py3-none-any.whl", hash = "sha256:b30115f0def7d7531d22a0fb6502488d879e75b260a9db4d0819cfb25403af5e"}, {file = "smmap-5.0.2.tar.gz", hash = "sha256:26ea65a03958fa0c8a1c7e8c7a58fdc77221b8910f6be2131affade476898ad5"}, 
@@ -1565,6 +1633,7 @@ version = "1.3.1" description = "Sniff out which async library your code is running under" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "sniffio-1.3.1-py3-none-any.whl", hash = "sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2"}, {file = "sniffio-1.3.1.tar.gz", hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc"}, @@ -1576,6 +1645,7 @@ version = "1.3" description = "The most basic Text::Unidecode port" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "text-unidecode-1.3.tar.gz", hash = "sha256:bad6603bb14d279193107714b288be206cac565dfa49aa5b105294dd5c4aab93"}, {file = "text_unidecode-1.3-py2.py3-none-any.whl", hash = "sha256:1311f10e8b895935241623731c2ba64f4c455287888b18189350b67134a822e8"}, @@ -1587,6 +1657,8 @@ version = "0.10.2" description = "Python Library for Tom's Obvious, Minimal Language" optional = false python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" +groups = ["main"] +markers = "python_version < \"3.11\"" files = [ {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"}, {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"}, @@ -1598,6 +1670,8 @@ version = "2.2.1" description = "A lil' TOML parser" optional = false python-versions = ">=3.8" +groups = ["main"] +markers = "python_version < \"3.11\"" files = [ {file = "tomli-2.2.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249"}, {file = "tomli-2.2.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6"}, 
@@ -1639,6 +1713,7 @@ version = "4.12.2" description = "Backported and Experimental Type Hints for Python 3.8+" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "typing_extensions-4.12.2-py3-none-any.whl", hash = "sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d"}, {file = "typing_extensions-4.12.2.tar.gz", hash = "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8"}, @@ -1650,6 +1725,7 @@ version = "2.3.0" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "urllib3-2.3.0-py3-none-any.whl", hash = "sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df"}, {file = "urllib3-2.3.0.tar.gz", hash = "sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d"}, 
@@ -1661,7 +1737,50 @@ h2 = ["h2 (>=4,<5)"] socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] zstd = ["zstandard (>=0.18.0)"] +[[package]] +name = "watchdog" +version = "6.0.0" +description = "Filesystem events monitoring" +optional = false +python-versions = ">=3.9" +groups = ["main"] +files = [ + {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d1cdb490583ebd691c012b3d6dae011000fe42edb7a82ece80965b42abd61f26"}, + {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:bc64ab3bdb6a04d69d4023b29422170b74681784ffb9463ed4870cf2f3e66112"}, + {file = "watchdog-6.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c897ac1b55c5a1461e16dae288d22bb2e412ba9807df8397a635d88f671d36c3"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6eb11feb5a0d452ee41f824e271ca311a09e250441c262ca2fd7ebcf2461a06c"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ef810fbf7b781a5a593894e4f439773830bdecb885e6880d957d5b9382a960d2"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:afd0fe1b2270917c5e23c2a65ce50c2a4abb63daafb0d419fde368e272a76b7c"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:bdd4e6f14b8b18c334febb9c4425a878a2ac20efd1e0b231978e7b150f92a948"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:c7c15dda13c4eb00d6fb6fc508b3c0ed88b9d5d374056b239c4ad1611125c860"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6f10cb2d5902447c7d0da897e2c6768bca89174d0c6e1e30abec5421af97a5b0"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:490ab2ef84f11129844c23fb14ecf30ef3d8a6abafd3754a6f75ca1e6654136c"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:76aae96b00ae814b181bb25b1b98076d5fc84e8a53cd8885a318b42b6d3a5134"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_11_0_arm64.whl", hash = 
"sha256:a175f755fc2279e0b7312c0035d52e27211a5bc39719dd529625b1930917345b"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:e6f0e77c9417e7cd62af82529b10563db3423625c5fce018430b249bf977f9e8"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:90c8e78f3b94014f7aaae121e6b909674df5b46ec24d6bebc45c44c56729af2a"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e7631a77ffb1f7d2eefa4445ebbee491c720a5661ddf6df3498ebecae5ed375c"}, + {file = "watchdog-6.0.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:c7ac31a19f4545dd92fc25d200694098f42c9a8e391bc00bdd362c5736dbf881"}, + {file = "watchdog-6.0.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:9513f27a1a582d9808cf21a07dae516f0fab1cf2d7683a742c498b93eedabb11"}, + {file = "watchdog-6.0.0-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:7a0e56874cfbc4b9b05c60c8a1926fedf56324bb08cfbc188969777940aef3aa"}, + {file = "watchdog-6.0.0-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:e6439e374fc012255b4ec786ae3c4bc838cd7309a540e5fe0952d03687d8804e"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:7607498efa04a3542ae3e05e64da8202e58159aa1fa4acddf7678d34a35d4f13"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_armv7l.whl", hash = "sha256:9041567ee8953024c83343288ccc458fd0a2d811d6a0fd68c4c22609e3490379"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_i686.whl", hash = "sha256:82dc3e3143c7e38ec49d61af98d6558288c415eac98486a5c581726e0737c00e"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_ppc64.whl", hash = "sha256:212ac9b8bf1161dc91bd09c048048a95ca3a4c4f5e5d4a7d1b1a7d5752a7f96f"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:e3df4cbb9a450c6d49318f6d14f4bbc80d763fa587ba46ec86f99f9e6876bb26"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_s390x.whl", hash = "sha256:2cce7cfc2008eb51feb6aab51251fd79b85d9894e98ba847408f662b3395ca3c"}, + {file = 
"watchdog-6.0.0-py3-none-manylinux2014_x86_64.whl", hash = "sha256:20ffe5b202af80ab4266dcd3e91aae72bf2da48c0d33bdb15c66658e685e94e2"}, + {file = "watchdog-6.0.0-py3-none-win32.whl", hash = "sha256:07df1fdd701c5d4c8e55ef6cf55b8f0120fe1aef7ef39a1c6fc6bc2e606d517a"}, + {file = "watchdog-6.0.0-py3-none-win_amd64.whl", hash = "sha256:cbafb470cf848d93b5d013e2ecb245d4aa1c8fd0504e863ccefa32445359d680"}, + {file = "watchdog-6.0.0-py3-none-win_ia64.whl", hash = "sha256:a1914259fa9e1454315171103c6a30961236f508b9b623eae470268bbcc6a22f"}, + {file = "watchdog-6.0.0.tar.gz", hash = "sha256:9ddf7c82fda3ae8e24decda1338ede66e1c99883db93711d8fb941eaa2d8c282"}, +] + +[package.extras] +watchmedo = ["PyYAML (>=3.10)"] + [metadata] -lock-version = "2.0" +lock-version = "2.1" python-versions = "^3.10" -content-hash = "2a50a0e91633901df507ce54e205748bbee5aad0dbe5acc0c33a6bfcd8a59ae9" +content-hash = "54af746d30fe74837a3fe91e731bafd81f979a051e4959feacdc4205ea7cd9ef" diff --git a/pyproject.toml b/pyproject.toml index 1a70942..cc385d5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -22,6 +22,7 @@ complianceio = {git = "https://github.com/CivicActions/compliance-io.git"} pytest = "^7.4.0" pypandoc = "^1.11" poetry-core = "^2.0.1" +watchdog = "^6.0.0" [build-system] requires = ["poetry-core"] diff --git a/requirements.txt b/requirements.txt index 92a0a54..707d40e 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -277,7 +277,7 @@ cmarkgfm==0.6.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:f0da78ef960f57aec8a6854821a99fa7a520dad77631b19becb68b2ebf8dbc2d \ --hash=sha256:f56aa4940aa4ee98fd6f3e0a648b8ae1e6a27f5007d64d406aeadc51451dc13b \ --hash=sha256:fa28b1a335adb5bad04b4a50382cbcfcc6c8d68413ba35e2cd3f657a1dc76347 -colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and (platform_system == "Windows" or sys_platform == "win32") \ +colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" or python_version >= "3.10" and python_version < "4.0" and sys_platform == "win32" \ --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 compliance-trestle==2.5.0 ; python_version >= "3.10" and python_version < "4.0" \ @@ -308,7 +308,7 @@ cryptography==41.0.6 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:da46e2b5df770070412c46f87bac0849b8d685c5f2679771de277a422c7d0b86 \ --hash=sha256:f39812f70fc5c71a15aa3c97b2bbe213c3f2a460b79bd21c40d033bb34a9bf36 \ --hash=sha256:ff369dd19e8fe0528b02e8df9f2aeb2479f89b1270d90f96a63500afe9af5cae -datamodel-code-generator[http]==0.26.5 ; python_version >= "3.10" and python_version < "4.0" \ +datamodel-code-generator==0.26.5 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:c4a94a7dbf7972129882732d9bcee44c9ae090f57c82edd58d237b9d48c40dd0 \ --hash=sha256:e32f986b9914a2b45093947043aa0192d704650be93151f78acf5c95676601ce defusedxml==0.7.1 ; python_version >= "3.10" and python_version < "4.0" \ 
@@ -326,7 +326,7 @@ et-xmlfile==2.0.0 ; python_version >= "3.10" and python_version < "4.0" \ exceptiongroup==1.2.2 ; python_version >= "3.10" and python_version < "3.11" \ --hash=sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b \ --hash=sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc -fpyutils==4.0.1 ; python_version >= "3.10" and python_version < "4" \ +fpyutils==4.0.1 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:006cfbdbd87915d8a1c5b7062b6c8d2f4f9fd12c3e707d89c27e6abd6c67c6b2 \ --hash=sha256:5ee8448b09863d5905ad22cf5f6c8af79d3b314617ac8fbded48eb2a414988e6 furl==2.1.3 ; python_version >= "3.10" and python_version < "4.0" \ 
@@ -594,57 +594,6 @@ pydantic==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 -pydantic[email]==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ - --hash=sha256:0067935d35044950be781933ab91b9a708eaff124bf860fa2f70aeb1c4be7212 \ - --hash=sha256:08caa8c0468172d27c669abfe9e7d96a8b1655ec0833753e117061febaaadef5 \ - --hash=sha256:0bb58bbe65a43483d49f66b6c8474424d551a3fbe8a7796c42da314bac712738 \ - --hash=sha256:185d5f1dff1fead51766da9b2de4f3dc3b8fca39e59383c273f34a6ae254e3e2 \ - --hash=sha256:1d7c332685eafacb64a1a7645b409a166eb7537f23142d26895746f628a3149b \ - --hash=sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586 \ - --hash=sha256:266ecfc384861d7b0b9c214788ddff75a2ea123aa756bcca6b2a1175edeca0fe \ - --hash=sha256:298d6f765e3c9825dfa78f24c1efd29af91c3ab1b763e1fd26ae4d9e1749e5c8 \ - --hash=sha256:2b6a04efdcd25486b27f24c1648d5adc1633ad8b4506d0e96e5367f075ed2e0b \ - --hash=sha256:2c9b782db6f993a36092480eeaab8ba0609f786041b01f39c7c52252bda6d85f \ - --hash=sha256:2ed4a5f13cf160d64aa331ab9017af81f3481cd9fd0e49f1d707b57fe1b9f3ae \ - --hash=sha256:35b263b60c519354afb3a60107d20470dd5250b3ce54c08753f6975c406d949b \ - --hash=sha256:36ceadef055af06e7756eb4b871cdc9e5a27bdc06a45c820cd94b443de019bbf \ - --hash=sha256:38e6d35cf7cd1727822c79e324fa0677e1a08c88a34f56695101f5ad4d5e20e5 \ - --hash=sha256:3b7693bb6ed3fbe250e222f9415abb73111bb09b73ab90d2d4d53f6390e0ccc1 \ - --hash=sha256:3c96fed246ccc1acb2df032ff642459e4ae18b315ecbab4d95c95cfa292e8517 \ - --hash=sha256:46cffa24891b06269e12f7e1ec50b73f0c9ab4ce71c2caa4ccf1fb36845e1ff7 \ - --hash=sha256:57f0101e6c97b411f287a0b7cf5ebc4e5d3b18254bf926f45a11615d29475793 \ - --hash=sha256:5d387940f0f1a0adb3c44481aa379122d06df8486cc8f652a7b3b0caf08435f7 \ - 
--hash=sha256:5e8148c2ce4894ce7e5a4925d9d3fdce429fb0e821b5a8783573f3611933a251 \ - --hash=sha256:61da798c05a06a362a2f8c5e3ff0341743e2818d0f530eaac0d6898f1b187f1f \ - --hash=sha256:64b48e2b609a6c22178a56c408ee1215a7206077ecb8a193e2fda31858b2362a \ - --hash=sha256:662bf5ce3c9b1cef32a32a2f4debe00d2f4839fefbebe1d6956e681122a9c839 \ - --hash=sha256:6a497bc66b3374b7d105763d1d3de76d949287bf28969bff4656206ab8a53aa9 \ - --hash=sha256:6b64708009cfabd9c2211295144ff455ec7ceb4c4fb45a07a804309598f36187 \ - --hash=sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd \ - --hash=sha256:79577cc045d3442c4e845df53df9f9202546e2ba54954c057d253fc17cd16cb1 \ - --hash=sha256:7ce64d23d4e71d9698492479505674c5c5b92cda02b07c91dfc13633b2eef805 \ - --hash=sha256:8a148410fa0e971ba333358d11a6dea7b48e063de127c2b09ece9d1c1137dde4 \ - --hash=sha256:8b6350b68566bb6b164fb06a3772e878887f3c857c46c0c534788081cb48adf4 \ - --hash=sha256:90e85834f0370d737c77a386ce505c21b06bfe7086c1c568b70e15a568d9670d \ - --hash=sha256:935b19fdcde236f4fbf691959fa5c3e2b6951fff132964e869e57c70f2ad1ba3 \ - --hash=sha256:98737c3ab5a2f8a85f2326eebcd214510f898881a290a7939a45ec294743c875 \ - --hash=sha256:9e3e4000cd54ef455694b8be9111ea20f66a686fc155feda1ecacf2322b115da \ - --hash=sha256:a4973232c98b9b44c78b1233693e5e1938add5af18042f031737e1214455f9b8 \ - --hash=sha256:a621742da75ce272d64ea57bd7651ee2a115fa67c0f11d66d9dcfc18c2f1b106 \ - --hash=sha256:b6b73ab347284719f818acb14f7cd80696c6fdf1bd34feee1955d7a72d2e64ce \ - --hash=sha256:b8460bc256bf0de821839aea6794bb38a4c0fbd48f949ea51093f6edce0be459 \ - --hash=sha256:b92893ebefc0151474f682e7debb6ab38552ce56a90e39a8834734c81f37c8a9 \ - --hash=sha256:c0501e1d12df6ab1211b8cad52d2f7b2cd81f8e8e776d39aa5e71e2998d0379f \ - --hash=sha256:c1ba253eb5af8d89864073e6ce8e6c8dec5f49920cff61f38f5c3383e38b1c9f \ - --hash=sha256:c261127c275d7bce50b26b26c7d8427dcb5c4803e840e913f8d9df3f99dca55f \ - --hash=sha256:c677aa39ec737fec932feb68e4a2abe142682f2885558402602cd9746a1c92e8 \ - 
--hash=sha256:d356aa5b18ef5a24d8081f5c5beb67c0a2a6ff2a953ee38d65a2aa96526b274f \ - --hash=sha256:db70c920cba9d05c69ad4a9e7f8e9e83011abb2c6490e561de9ae24aee44925c \ - --hash=sha256:e23a97a6c2f2db88995496db9387cd1727acdacc85835ba8619dce826c0b11a6 \ - --hash=sha256:e622314542fb48542c09c7bd1ac51d71c5632dd3c92dc82ede6da233f55f4848 \ - --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ - --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ - --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 pynacl==1.5.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858 \ --hash=sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d \ @@ -750,7 +699,7 @@ requests==2.32.3 ; python_version >= "3.10" and python_version < "4.0" \ rtyaml==1.0.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:589129e75ecb2ba0def3dcc094bb462f68faed48e42a8fa0fcf4a9d6119fd725 \ --hash=sha256:66aa6e2f2c8c29ccab9d1713072a4e06c52c6cdcfe27ebd50706df09638c4586 -ruamel-yaml-clib==0.2.12 ; platform_python_implementation == "CPython" and python_version < "3.13" and python_version >= "3.10" \ +ruamel-yaml-clib==0.2.12 ; python_version >= "3.10" and python_version < "3.13" and platform_python_implementation == "CPython" \ --hash=sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b \ --hash=sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4 \ --hash=sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef \ 
@@ -856,3 +805,34 @@ typing-extensions==4.12.2 ; python_version >= "3.10" and python_version < "4.0" urllib3==2.3.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \ --hash=sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d +watchdog==6.0.0 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:07df1fdd701c5d4c8e55ef6cf55b8f0120fe1aef7ef39a1c6fc6bc2e606d517a \ + --hash=sha256:20ffe5b202af80ab4266dcd3e91aae72bf2da48c0d33bdb15c66658e685e94e2 \ + --hash=sha256:212ac9b8bf1161dc91bd09c048048a95ca3a4c4f5e5d4a7d1b1a7d5752a7f96f \ + --hash=sha256:2cce7cfc2008eb51feb6aab51251fd79b85d9894e98ba847408f662b3395ca3c \ + --hash=sha256:490ab2ef84f11129844c23fb14ecf30ef3d8a6abafd3754a6f75ca1e6654136c \ + --hash=sha256:6eb11feb5a0d452ee41f824e271ca311a09e250441c262ca2fd7ebcf2461a06c \ + --hash=sha256:6f10cb2d5902447c7d0da897e2c6768bca89174d0c6e1e30abec5421af97a5b0 \ + --hash=sha256:7607498efa04a3542ae3e05e64da8202e58159aa1fa4acddf7678d34a35d4f13 \ + --hash=sha256:76aae96b00ae814b181bb25b1b98076d5fc84e8a53cd8885a318b42b6d3a5134 \ + --hash=sha256:7a0e56874cfbc4b9b05c60c8a1926fedf56324bb08cfbc188969777940aef3aa \ + --hash=sha256:82dc3e3143c7e38ec49d61af98d6558288c415eac98486a5c581726e0737c00e \ + --hash=sha256:9041567ee8953024c83343288ccc458fd0a2d811d6a0fd68c4c22609e3490379 \ + --hash=sha256:90c8e78f3b94014f7aaae121e6b909674df5b46ec24d6bebc45c44c56729af2a \ + --hash=sha256:9513f27a1a582d9808cf21a07dae516f0fab1cf2d7683a742c498b93eedabb11 \ + --hash=sha256:9ddf7c82fda3ae8e24decda1338ede66e1c99883db93711d8fb941eaa2d8c282 \ + --hash=sha256:a175f755fc2279e0b7312c0035d52e27211a5bc39719dd529625b1930917345b \ + --hash=sha256:a1914259fa9e1454315171103c6a30961236f508b9b623eae470268bbcc6a22f \ + --hash=sha256:afd0fe1b2270917c5e23c2a65ce50c2a4abb63daafb0d419fde368e272a76b7c \ + --hash=sha256:bc64ab3bdb6a04d69d4023b29422170b74681784ffb9463ed4870cf2f3e66112 \ + 
--hash=sha256:bdd4e6f14b8b18c334febb9c4425a878a2ac20efd1e0b231978e7b150f92a948 \ + --hash=sha256:c7ac31a19f4545dd92fc25d200694098f42c9a8e391bc00bdd362c5736dbf881 \ + --hash=sha256:c7c15dda13c4eb00d6fb6fc508b3c0ed88b9d5d374056b239c4ad1611125c860 \ + --hash=sha256:c897ac1b55c5a1461e16dae288d22bb2e412ba9807df8397a635d88f671d36c3 \ + --hash=sha256:cbafb470cf848d93b5d013e2ecb245d4aa1c8fd0504e863ccefa32445359d680 \ + --hash=sha256:d1cdb490583ebd691c012b3d6dae011000fe42edb7a82ece80965b42abd61f26 \ + --hash=sha256:e3df4cbb9a450c6d49318f6d14f4bbc80d763fa587ba46ec86f99f9e6876bb26 \ + --hash=sha256:e6439e374fc012255b4ec786ae3c4bc838cd7309a540e5fe0952d03687d8804e \ + --hash=sha256:e6f0e77c9417e7cd62af82529b10563db3423625c5fce018430b249bf977f9e8 \ + --hash=sha256:e7631a77ffb1f7d2eefa4445ebbee491c720a5661ddf6df3498ebecae5ed375c \ + --hash=sha256:ef810fbf7b781a5a593894e4f439773830bdecb885e6880d957d5b9382a960d2 diff --git a/results/.gitkeep b/results/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/tools/createfiles/createfiles.py b/tools/createfiles/createfiles.py index afe295f..ba869ba 100755 --- a/tools/createfiles/createfiles.py +++ b/tools/createfiles/createfiles.py @@ -1,5 +1,5 @@ """ -Copyright 2019-2024 CivicActions, Inc. See the README file at the top-level +Copyright 2019-2025 CivicActions, Inc. See the README file at the top-level directory of this distribution and at https://github.com/CivicActions/ssp-toolkit#copyright. @@ -9,7 +9,6 @@ variable replacement. """ -from itertools import dropwhile, zip_longest from pathlib import Path import click @@ -22,10 +21,10 @@ @click.option( "--templates", "-t", - "templates", + "input_template", required=False, default="templates/", - type=click.Path(exists=True, dir_okay=True, file_okay=False), + type=click.Path(exists=True, dir_okay=True, file_okay=True), help="Template directory", ) @click.option( 
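Review bot: The `--templates` option now accepts a single file (`file_okay=True`) and binds to `input_template`, but its help text still reads `help="Template directory"`; `help="Template directory or a single template file"` would keep `--help` in step with the new behaviour. The decorator stack and the `main` signature that consumes `input_template` continue past this hunk.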
@@ -37,33 +36,35 @@ required=False, help="Output directory (default: current directory)", ) -def main(templates: str, output_dir: str): +def main(input_template: str, output_dir: str): template_args = load_template_args() output_to = Path(output_dir) - template_dir = Path(templates) + templates = Path(input_template) if not output_to.is_dir(): output_to.mkdir(parents=True, exist_ok=True) - template_path = Path(template_dir).rglob("*") - template_files = [x for x in template_path if x.is_file()] + if templates.is_dir(): + template_path = Path(templates).rglob("*") + template_files = [ + template_file for template_file in template_path if template_file.is_file() + ] + elif templates.is_file(): + template_files = [templates] + else: + raise FileNotFoundError(f"{templates.as_posix()} doesn't exist") for template in template_files: - new_file = Path( - rewrite( - template_file=template, - template_dir=template_dir, - output_dir=output_to, - ) + new_file = Path("results").joinpath(*template.parts[1:]) + new_file = ( + new_file.with_name(new_file.stem) if new_file.suffix == ".j2" else new_file ) - if new_file.suffix == ".j2": - new_file = new_file.with_name(new_file.stem) if not new_file.parent.is_dir(): new_file.parent.mkdir(parents=True, exist_ok=True) - print(f"Creating file: {new_file} from {template}") + print(f"Creating file: {new_file} from {input_template}") secrender.secrender( - template_path=template.as_posix(), + template_path=input_template, template_args=template_args, output_path=new_file.as_posix(), ) @@ -71,15 +72,5 @@ def main(templates: str, output_dir: str): find_toc_tag(file=str(new_file)) -def rewrite(template_file: Path, template_dir: Path, output_dir: Path) -> str: - sub_path = [ - p[0] - for p in dropwhile( - lambda f: f[0] == f[1], zip_longest(template_file.parts, template_dir.parts) - ) - ] - return str(output_dir / Path(*sub_path)) - - if __name__ == "__main__": main() 
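Review bot: `secrender.secrender(template_path=input_template, ...)` now passes the raw `-t` argument instead of the per-file `template.as_posix()` the removed line used, so when `input_template` is a directory every loop iteration renders the directory path rather than the template being iterated; `template_path=template.as_posix()` restores the per-file call, and `print(f"Creating file: {new_file} from {template}")` would again name the real source. The output path is also built from the literal `Path("results")` instead of `output_to`, which leaves `-o/--output-dir` with no effect beyond creating the directory; `new_file = output_to.joinpath(*template.parts[1:])` keeps the two consistent. `template.parts[1:]` assumes a relative template path with exactly one leading directory component, which the deleted `rewrite` helper used to derive from `template_dir`; with an absolute or nested `-t` path the file lands somewhere unexpected, so this deserves a comment or a computation from `templates.parts`. The body of `main` continues outside the hunk (`find_toc_tag` follows).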
diff --git a/tools/watcher.py b/tools/watcher.py new file mode 100644 index 0000000..7c96897 --- /dev/null +++ b/tools/watcher.py @@ -0,0 +1,59 @@ +import asyncio +from pathlib import Path + +from watchdog.events import FileSystemEventHandler +from watchdog.observers import Observer + + +class WatchTemplatesHandler(FileSystemEventHandler): + def __init__(self): + self.queue = asyncio.Queue() + + def on_modified(self, event): + asyncio.run_coroutine_threadsafe(self.queue.put(event), loop) + + async def process_events(self): + while True: + event = await self.queue.get() + await self.create_files(file_path=event.src_path) + + @staticmethod + async def create_files(file_path: str): + if not Path(file_path).is_dir(): + filepath = file_path.rstrip("~") + print(f"File modified: {file_path}") + proc = await asyncio.create_subprocess_shell( + f"python tools/createfiles/createfiles.py -t {filepath} -o results", + stdout=asyncio.subprocess.PIPE, + stderr=asyncio.subprocess.PIPE, + ) + stdout, stderr = await proc.communicate() + if stdout: + print(f"Script output:\n{stdout.decode()}") + if stderr: + print(f"Script error:\n{stderr.decode()}") + + +async def watch_directory(path): + handler = WatchTemplatesHandler() + observer = Observer() + observer.schedule(handler, path, recursive=True) + observer.start() + + try: + await handler.process_events() + finally: + observer.stop() + observer.join() + + +async def main(): + await asyncio.gather( + watch_directory("./templates"), + # Add other async tasks here + ) + + +if __name__ == "__main__": + loop = asyncio.get_event_loop() + loop.run_until_complete(main()) From 3ea103626ebb5a57558c3a724db2f382365dee88 Mon Sep 17 00:00:00 2001 
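Review bot: In `create_files`, the path taken from the filesystem event is interpolated into a shell string for `asyncio.create_subprocess_shell`, so any name under the watched `./templates` tree containing a space, quote or `;` is parsed by the shell instead of being passed as one argument; `proc = await asyncio.create_subprocess_exec("python", "tools/createfiles/createfiles.py", "-t", filepath, "-o", "results", stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)` hands the path over as a single argv entry. `on_modified` references a module-level `loop` that is only bound inside the `__main__` block, so importing `WatchTemplatesHandler` from another module raises `NameError` on the first event; since `__init__` runs inside the `watch_directory` coroutine, storing `self.loop = asyncio.get_running_loop()` there and using it in `on_modified` removes the global. `file_path.rstrip("~")` also strips every trailing `~`, not just an editor backup suffix, which is worth a comment if intended.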
From: Tom Camp Date: Thu, 30 Jan 2025 21:21:21 -0500 Subject: [PATCH 4/7] Moving watchers. --- .../appendices/configuration-management.md | 371 ++++++++++++++++++ tools/watcher.py | 48 +-- tools/watchers/templates.py | 80 ++++ 3 files changed, 453 insertions(+), 46 deletions(-) create mode 100644 results/appendices/configuration-management.md create mode 100644 tools/watchers/templates.py diff --git a/results/appendices/configuration-management.md b/results/appendices/configuration-management.md new file mode 100644 index 0000000..516d605 --- /dev/null +++ b/results/appendices/configuration-management.md 
@@ -0,0 +1,371 @@ +# Project Full Name Configuration Management Plan + +This document describes how the CivicActions/Project team approaches +configuration management of the Project General Services platform. + +## Contents + + +- [Contents](#contents) +- [Overview](#overview) + - [Purpose](#purpose) + - [Scope](#scope) + - [Roles and responsibilities](#roles-and-responsibilities) + - [Definitions](#definitions) +- [What goes into configuration management?](#what-goes-into-configuration-management) +- [Where should all this configuration go](#where-should-all-this-configuration-go) +- [How do we test these changes](#how-do-we-test-these-changes) +- [Change workflow](#change-workflow) +- [What if a configuration is changed, and it is not in Configuration Management?](#what-if-a-configuration-is-changed-and-it-is-not-in-configuration-management) +- [Server configuration](#server-configuration) +- [Application configuration](#application-configuration) +- [GitLab contribution guidelines](#gitlab-contribution-guidelines) +- [Forking](#forking) + - [Branching](#branching) + - [Squashing commits](#squashing-commits) + - [Rebase or merge](#rebase-or-merge) + - [When should a Merge Request (MR) be created?](#when-should-a-merge-request-mr-be-created) + - [Should MRs be assigned?](#should-mrs-be-assigned) + - [When reviewing an MR, should the change be tested locally?](#when-reviewing-an-mr-should-the-change-be-tested-locally) + + + +## Overview +new +Project employs a combination of AWS CloudFormation templates and the Ansible software +and configuration provisioning engine. Using CloudFormation, CivicActions is able to +create virtual machines for each step of the CI/CD pipeline. + +The server software update process, AIDE-based intrusion detection, and Git management of /etc are all +managed by Ansible. Drupal application updates both security and feature based, make use of a scripted +deployment process. 
A Git repository is used to manage and record configuration in code, templates and +playbooks. Peer review, automated testing and a stakeholder review on a staging server ensure that +configuration updates are deployed without problems. Should a problem be discovered, rollback to a +previous version is seamlessly managed by re-deploying the previous release stored in Git. + +### Purpose + +The purpose of this document is to identify and describe the Configuration Management (CM) process for +the Project Full Name and provide CivicActions with the necessary structure to efficiently +and securely manage the configuration standards for software baselines and changes to assets within the +Project authorization boundary. This plan describes the processes required to ensure that +the inevitable changes to Project occur within an identifiable and controlled environment. + +The Project CM Plan will ensure the following requirements are met: + +- Formally documented CM roles, responsibilities, and procedures; +- A configuration control board that implements procedures to ensure a security review and approval of all + proposed information system changes, to include interconnections to other information systems; +- A testing process to verify proposed configuration changes prior to implementation in the operational + environment; and +- A verification process to provide additional assurance that the CM process is working effectively and that + changes outside the CM process are technically or procedurally not permitted. + +### Scope + +This Configuration Management Plan and associated processes apply to all employees, contractors and vendors +that manage change or otherwise affect the operations of the Project system including but +not limited to the hardware, software, facilities or information resources. 
The scope of the Configuration +Management Plan is to establish policy and procedures to ensure that: + +- The revision status of the Project Baseline can be clearly identified, accurately recorded, + and provided to at any given point in time; +- The integrity of the approved Authorization and status of the Project baseline is maintained + throughout all program phases/sprints; +- Coordination of approved changes are vetted in an effective and timely manner; and +- Changes to the defined Baseline is controlled and evaluated for impact on all related system aspects + including security, and incorporated only after review and approval by the personnel. + +### Roles and responsibilities + +Project shall maintain an active Configuration Control Board (CCB) which will be established +as a formal approval authority for changes. It primarily exists to control changes to the +Project architecture (e.g., deployment of new software, code, or major architectural change). + +The following **Roles** will be involved in configuration management activities and make up the Configuration +Control Board: + +- Project Program Manager +- Information Systems Security Manager (ISSM) +- CivicActions Team + - Project Manager (PM) + - Information Systems Security Officer (ISSO) + - Infrastructure Support Team + - Technology Lead (TL) + - Development Team +- Project Managers + +The **Program Manager** or a **Designated Representative (DR)** shall: + +- ensure that appropriate roles, responsibilities, and access controls are assigned to support an effective + Configuration Management Process; +- manage the Change Control Process, Change Management policy, and associated processes that are essential + to the integrity of the Change Control Board; +- provide direction for Project sprints, ensuring that changes requiring modifications to + the contract are submitted as required; and +- attend Configuration Control Board meetings. 
+ +The **Information Systems Security Manager (ISSM)** is the liaison between the PM and the +CivicActions Team for CM-related actions, and shall: + +- lead monthly Configuration Management meetings; +- ensure that CM changes are accurately assessed, documented, and disseminated to prevent any potential + impact to the Project Authorization; +- analyze changes to Project to determine potential security impacts prior to change + implementation; +- ensure that required stakeholders maintain active participation within the Project CCB; and +- attend Configuration Control Board meetings. + +The **CivicActions Team** is responsible for the Project architecture and +its components. The CivicActions Team tests and deploys Project components, modifies +existing software components, and identifies potential Project enhancements. The team is +composed of several roles: + +- The **Project Manager (PM)** is responsible for shepherding the Agile process that is used to develop and + maintain Project throughout any requested or required configuration changes. +- The **Information Systems Security Officer (ISSO)** develops and implements processes and procedures to + insure the security of the Project General Service as it grows and changes through use + and updates. +- The **Infrastructure Support Team** is authorized to make changes to the underlying Project + infrastructure and components. This team shall ensure that a central inventory is maintained and updated as + information system components are modified/added/removed to/from the Project environment. +- The **Technology Lead (TL)** manages the change process of the Project application, oversees + the testing and staging operations, and is directly involved in the deployment of new releases. +- The **Development Team** is tasked with implementing newly requested features, mitigating reported bugs, and + developing test systems to ensure the proper operation of the system as it undergoes changes. 
+ +The **Project Managers** are responsible for the day-to-day operation of the +Project Platform system, and maintain close communication with Project users +and/or organizations. This team is responsible for acting as a liaison between the Project +user base and the CivicActions Team to ensure that the Project system is up and +operational, and coordinating minor changes to the Project Baseline. Attends Configuration +Control Board meetings as needed. + +#### Project Working Group + +The Project Working Group (WG) consists of the members of the current sprint, including at +a minimum, the Program Manager or DR, a Project Manager, and a Technology Lead. The WG coordinates minor +Project changes (e.g., setting changes within the Drupal application and minor operating +system updates) between the CivicActions Team and Project Managers. +The Project CCB delegates this authority to the Project WG to provide a more +streamlined CM control mechanism for changes that do not affect the authorization of the +Project system. Although the WG is less formal than the CCB, all requests and decisions must +still be documented through the JIRA ticketing system. + +### Definitions + +The Configuration Management Process consists of a collection of activities focused on establishing and +maintaining the integrity of the Project baseline, through control of the processes for +initializing, changing, and monitoring the configurations of assets within the Project +authorization boundary. This process is administered by CivicActions in collaboration with the +Project Program Manager. The Program Manager, in collaboration with the ISSM shall ensure +define and implement configuration baseline process and standards for: + +#### Configuration Item (CI) + +An identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination +thereof) that is a discrete target of configuration control processes. 
+ +#### Baseline configuration + +A set of specifications for a system, or CI within a system, that has been formally reviewed and agreed +on at a given point in time, and which can be changed only through change control procedures. The baseline +configuration is used as a basis for future builds, releases, and/or changes. + +#### Configuration Management Plan (CM Plan) + +A comprehensive description of the roles, responsibilities, policies, and procedures that apply when +managing the configuration of products and systems. The basic parts of a CM Plan include: + +##### Configuration Item Identification + +Methodology for selecting and naming configuration items that need to be placed under CM. + +##### Configuration Change Control + +Process for managing updates to the baseline configurations for the configuration items. + +Other Commonly used terms used within the Configuration Management Process include: + +**Baseline** - A current and comprehensive baseline inventory of all components required to support +Project operations; these components are part of the System Inventory and can be +changed only through formal change control procedures. The baseline includes sufficient detail to +re-create the Project General Service. Baselines exist for Software and Infrastructure, +and redundant copies of the Baseline are stored by CivicActions in a location separate +from the Information System. + +**Baseline Change Request (BCR)** - A formal written request to initiate a change to a baseline document. + +**Configuration Control Board (CCB)** - A review panel that evaluates and/or approves changes to the +Project baseline. + +**Code Commit** - A definitive change to any source code that defines the Project software, +or Project virtual infrastructure, or other supporting Project asset or +document which contributes to the Project Information System. Each code commit is assigned +a unique ID, and all code commits are part of a permanent record. 
All changes to Infrastructure and Software +Baselines are executed through code commits. It should be noted that not all code commits result in changes +to Baselines. + +**Version** or **Release** - (1) A uniquely identified snapshot of a build that represents some identifiable +milestone of functions and capabilities of the Information System; or (2) a uniquely identified snapshot of +a document representing some identifiable milestone of content. + +## What goes into configuration management? + +In short, everything needed to run and operate the platform that is not a _secret_. +(_tbd: secret key management_) + +Here are some examples that are in configuration management: + +- CI/CD pipeline +- Infrastructure/network configuration (CloudFormation and Ansible) +- VM setup and quantity (CloudFormation and Ansible) +- Server software configuration (Ansible) +- CivicActions-developed code (Git) +- Application configuration (Drupal features in Git) + +## Where should all this configuration go + +All configuration must be stored in GitLab using the following "Change Workflow" unless it is a _secret_. + +## How do we test these changes + +If possible, changes should be tested locally first. If local testing is successful, upload the changes to +a development environment for manual or automated testing. + +Security tests need to be executed in the development environment where changes are applied. + +## Change workflow + +1. All configuration changes must flow through a Git repository, centrally managed through GitLab, unless + they contain sensitive information. +2. A change is initiated and discussed as a "Backlog" JIRA ticket in the + [JIRA ticket management system](https://project.atlassian.net/secure/) +3. During Sprint Planning, the ticket is prioritized and may get moved from "Backlog" to "ToDo". +4. The ticket moves from "ToDo" to "In Progress" when it is assigned to a developer. +5. 
During development, code commits are checked for style and security using `githooks`. +6. After development and local testing, the developer initiates a "Merge Request" (MR). +7. The MR is reviewed by someone other than the committer. Pairing via screen-sharing is encouraged and + qualifies as a review. Review should include assessment of architectural design, DRY principles, + security and code quality. +8. The reviewer merges the MR. +9. A continuous integration (CI) server handles automated tests and continuous deployment (CD) of the + merged changes. + - All changes are deployed to a newly created test environment. + - Any and all automated tests are run. + - If all tests pass, changes can be promoted for deployment to production in the pipeline. +10. The CI/CD tool uses GitLab repositories as the single source of truth for what the platform should + look like. If there are manual changes, the CI/CD tool resets the state of all systems to match. + +## What if a configuration is changed, and it is not in Configuration Management? + +If possible, Configuration Management tools should always roll back to a known state. Other than that, +these tools need to be able to "recreate" all settings from known configurations. + +## Server configuration + +Server configuration is handled via CloudFormation templates and Ansible playbooks and managed using Git. +Once a change has been committed and pushed to the Git repository, a merge request is created. Creating the +merge request triggers the CI/CD build pipeline which contains the following phases: + +- **Deploy infrastructure:** In this phase the containers are created using the CloudFormation templates and Ansible playbooks. +- **Deploy services:** Services defined in the CloudFormation template are deployed. The services include the bastion host, the Drupal application, the Ilias CMS, Solr searching, and the Amazon RDS databases. 
+- **Validate platform:** During the validation phase, the server configuation is tested for drift detection in order to catch configuation settings that have deviated from the baseline configuation, as well as checks to determine if the applications are up and running and accessible. Nmap, OpenSCAP and Zap scans are also performed during this phase. +- **Post validation:** During the post validation, the hardened Amazon Machine Image (AMI) is checked to see if there are any updates available and, if so, they are installed. + +## Application configuration + +Configuration management in Drupal is handled using Drupal's Configuration Management and hook_update_N modules to make the necessary changes to site configuration. + +Each site has its own site_deploy module that orchestrates deployments. + +When code is deployed to sandbox, development, staging or production environments, `drush config:import`, which imports changes to configuration, is run, and `drush updatedb` is run, which runs any new hook_update_N functions. + +For many of the common configuration tasks, Hook Update Deploy Tools methods make sure that all hook_update_N modules follow this model:: + +- make the change, +- verify it was made, and then +- report that it was made. + +Records of these events are output to the terminal of the engineer deploying the code, and to Drupal Watchdog. + + +## GitLab contribution guidelines + +Project is built and maintained by CivicActions, and the +CivicActions Team follows standard code development guidelines. + +## Forking + +Forking is a method that can be used to modify the code base. + +The CivicActions Team maintains the Project code base in a GitLab +repository. The _master_ is the most current version that has been deployed to production. When starting +a new project, the CivicActions Team makes a copy of the _master_ in GitLab; the copy, +called a _fork_, is where project-specific code changes shall be maintained going forward. 
+ +Code changes are implemented using the following workflow: + +1. The CivicActions Team uses the _master_ to create a _fork_ for project-specific code changes. +2. During the project, individual team members create branches, and then work in those branches until the code + changes are ready to be committed to the fork. +3. When code changes are ready to be integrated from a team member branch into the fork, a team member creates + a merge request in GitLab. (All code changes are implemented using merge requests.) +4. Another team member reviews the merge request, performs a code review, and approves the merge request so + that the code changes can be integrated into the fork. + +### Branching + +Branching is another method that can be used to modify the code base. + +Each code repository has at least two branches: + +1. **Master branch.** The master is used for development. The CivicActions Team can rebase and create merge + requests in the master branch. +2. **Production branch.** The production branch is deployed to the production server. When deploying changes + to production, the release manager copies code from the master branch to the production branch. + +The CivicActions Team might create a branch from the upstream repository when multiple +developers need to collaborate on something that cannot be continuously merged into the master branch. The +rationale for branching within a team is that paired collaboration on a single branch avoids certain types of +friction: + +- Having to process merge requests from multiple forks in order to integrate changes to the upstream branch +- Having to add team members to forks as _collaborators_ so that they can contribute in short-lived forks + +When team members contribute directly in a branch, CivicActions can modify work-in-progress +(WIP) merge requests and encourage collaboration across the Cloud Operations team. 
+ +### Squashing commits + +[Squashing commits](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History#Squashing-Commits) is allowed +and encouraged within an engineer's branch, but discouraged, except in rare instances in master and production +branches which are fast-forward only and block force pushes. + +### Rebase or merge + +The team prefers [rebasing over merging](https://www.atlassian.com/git/tutorials/merging-vs-rebasing/). Ongoing +work should always be rebased upon the master branch. + +### When should a Merge Request (MR) be created? + +Work-in-progress MRs are encouraged. If you create a work-in-progress MR, you might also make it plain in the +MR name with a `[WIP]` prefix. When an MR is ready for review, remove the `[WIP]` label. An MR with a WIP label +is blocked from merging by GitLab. + +Merge requests should be created whenever code is ready for review, prior to being merged into the master +branch. + +### Should MRs be assigned? + +MRs are typically not assigned in GitLab, unless someone specifically needs to sign off on the change. + +You can request a review using GitLab's built-in tools, mention someone in the MR with the `@` notation, or +contact them outside the GitLab context to request a review. + +### When reviewing an MR, should the change be tested locally? + +Whenever possible, the proposed changes should be tested locally. Because of the nature of many of the +Project repositories and deployment environments, local testing is not always possible or +practical. Visual code review, however, is always required. In the event that merged code breaks the dev +environment, the decision will be made at the time whether to revert the merge. diff --git a/tools/watcher.py b/tools/watcher.py index 7c96897..bae7a8e 100644 --- a/tools/watcher.py +++ b/tools/watcher.py 
@@ -1,55 +1,11 @@
 import asyncio
-from pathlib import Path
-from watchdog.events import FileSystemEventHandler
-from watchdog.observers import Observer
-
-
-class WatchTemplatesHandler(FileSystemEventHandler):
- def __init__(self):
- self.queue = asyncio.Queue()
-
- def on_modified(self, event):
- asyncio.run_coroutine_threadsafe(self.queue.put(event), loop)
-
- async def process_events(self):
- while True:
- event = await self.queue.get()
- await self.create_files(file_path=event.src_path)
-
- @staticmethod
- async def create_files(file_path: str):
- if not Path(file_path).is_dir():
- filepath = file_path.rstrip("~")
- print(f"File modified: {file_path}")
- proc = await asyncio.create_subprocess_shell(
- f"python tools/createfiles/createfiles.py -t {filepath} -o results",
- stdout=asyncio.subprocess.PIPE,
- stderr=asyncio.subprocess.PIPE,
- )
- stdout, stderr = await proc.communicate()
- if stdout:
- print(f"Script output:\n{stdout.decode()}")
- if stderr:
- print(f"Script error:\n{stderr.decode()}")
-
-
-async def watch_directory(path):
- handler = WatchTemplatesHandler()
- observer = Observer()
- observer.schedule(handler, path, recursive=True)
- observer.start()
-
- try:
- await handler.process_events()
- finally:
- observer.stop()
- observer.join()
+from tools.watchers.templates import watch_templates
 async def main():
 await asyncio.gather(
- watch_directory("./templates"),
+ watch_templates("./templates", loop=loop),
 # Add other async tasks here
 )
diff --git a/tools/watchers/templates.py b/tools/watchers/templates.py
new file mode 100644
index 0000000..6cbebd7
--- /dev/null
+++ b/tools/watchers/templates.py
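Review bot: `watch_templates("./templates", loop=loop)` still reads the module-global `loop`, which in the previous version of this file was bound only inside the `if __name__ == "__main__":` block, so `main()` raises NameError whenever it is awaited from anything other than that script entry point (a test, or another runner). Inside a coroutine the running loop is always available, so `watch_templates("./templates", loop=asyncio.get_running_loop())` removes the dependency on the global, and the entry block can then simply call `asyncio.run(main())`. The entry block itself is outside this hunk, so whether it still binds `loop` is inferred from the earlier commit rather than visible here.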
@@ -0,0 +1,80 @@
+import asyncio
+from pathlib import Path
+
+from watchdog.events import (
+ DirDeletedEvent,
+ FileCreatedEvent,
+ FileDeletedEvent,
+ FileModifiedEvent,
+ FileSystemEventHandler,
+)
+from watchdog.observers import Observer
+
+
+class WatchTemplatesHandler(FileSystemEventHandler):
+ def __init__(self, loop: asyncio.AbstractEventLoop):
+ self.event_type = None
+ self.queue: asyncio.Queue = asyncio.Queue()
+ self.loop = loop
+
+ def on_modified(self, event: FileModifiedEvent) -> None:
+ self.event_type = event
+ asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop)
+
+ def on_created(self, event: FileCreatedEvent) -> None:
+ self.event_type = event
+ asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop)
+
+ def on_deleted(self, event: DirDeletedEvent | FileDeletedEvent) -> None:
+ self.event_type = event
+ asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop)
+
+ async def process_events(self):
+ while True:
+ if isinstance(self.event_type, (DirDeletedEvent, FileDeletedEvent)):
+ event = await self.queue.get()
+ await self.delete_file(file_path=event.src_path)
+ elif isinstance(self.event_type, (FileCreatedEvent, FileModifiedEvent)):
+ event = await self.queue.get()
+ await self.create_files(file_path=event.src_path)
+
+ @staticmethod
+ async def create_files(file_path: str):
+ if not Path(file_path).is_dir():
+ filepath = file_path.rstrip("~")
+ proc = await asyncio.create_subprocess_shell(
+ f"python tools/createfiles/createfiles.py -t {filepath} -o results",
+ stdout=asyncio.subprocess.PIPE,
+ stderr=asyncio.subprocess.PIPE,
+ )
+ stdout, stderr = await proc.communicate()
+ if stdout:
+ print(f"Script output:\n{stdout.decode()}")
+ if stderr:
+ print(f"Script error:\n{stderr.decode()}")
+
+ @staticmethod
+ async def delete_file(file_path: str):
+ deleted_file = Path(file_path.rstrip("~"))
+ to_delete = Path("results").joinpath(*deleted_file.parts[1:])
+ to_delete_path = to_delete.parent
+ to_delete = (
+ to_delete_path.joinpath(to_delete.stem)
+ if to_delete.suffix == ".j2"
+ else to_delete
+ )
+ if to_delete.is_file():
+ to_delete.unlink()
+
+
+async def watch_templates(path: str, loop: asyncio.AbstractEventLoop):
+ handler = WatchTemplatesHandler(loop=loop)
+ observer = Observer()
+ observer.schedule(handler, path, recursive=True)
+ observer.start()
+
+ try:
+ await handler.process_events()
+ finally:
+ observer.stop()
+ observer.join()
From 9873311a36634c8369051c5b734f967a0f3268e4 Mon Sep 17 00:00:00 2001
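Review bot: `process_events` dispatches on `self.event_type`, a plain attribute written from watchdog's observer thread and read on the event-loop thread, instead of on the event it actually dequeues; when a second event of a different type arrives before the first is consumed the two disagree, so a queued deletion can be handed to `create_files` (or a creation to `delete_file`). Before the first event arrives `self.event_type` is `None`, neither branch matches, and the `while True` body contains no `await`, so the coroutine spins without yielding and blocks every other task on the loop — including the `queue.put` callbacks that `run_coroutine_threadsafe` schedules — until the observer thread happens to set the attribute. Dequeuing first and type-checking the event itself fixes both and makes `self.event_type` unnecessary. `delete_file` additionally assumes the watched root is a single path component (`deleted_file.parts[1:]`), which holds for `"./templates"` but maps to the wrong file under `results/` for any deeper watch path; that assumption deserves a comment or an explicit check against the watched root.
```python
    async def process_events(self):
        while True:
            event = await self.queue.get()
            if isinstance(event, (DirDeletedEvent, FileDeletedEvent)):
                await self.delete_file(file_path=event.src_path)
            elif isinstance(event, (FileCreatedEvent, FileModifiedEvent)):
                await self.create_files(file_path=event.src_path)

    # … unchanged: create_files / delete_file / watch_templates …
```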
From: Tom Camp Date: Fri, 31 Jan 2025 09:02:15 -0500 Subject: [PATCH 5/7] Adding component watcher. --- appendices/configuration-management.md | 371 --------- components/AWS/AC-ACCESS_CONTROL.yaml | 51 -- opencontrol.yaml | 12 +- pyproject.toml | 4 +- .../appendices/configuration-management.md | 371 --------- .../appendices}/contingency-plan.md | 0 .../appendices}/justifications.md | 0 .../appendices}/laws-regulations.md | 0 .../appendices}/privacy-impact-assessment.md | 0 .../appendices}/risk-management.md | 0 {appendices => results/appendices}/sdlc.md | 0 .../appendices}/security-irp-checklist.md | 0 .../appendices}/security-irp.md | 0 .../appendices}/system-continuity-plan.md | 0 .../AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 0 .../AWS/CM-CONFIGURATION_MANAGEMENT.yaml | 0 .../AWS/CP-CONTINGENCY_PLANNING.yaml | 0 .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 0 .../components}/AWS/IR-INCIDENT_RESPONSE.yaml | 0 .../components}/AWS/MA-MAINTENANCE.yaml | 0 .../components}/AWS/MP-MEDIA_PROTECTION.yaml | 0 ...PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml | 0 .../components}/AWS/PL-PLANNING.yaml | 0 .../AWS/PS-PERSONNEL_SECURITY.yaml | 0 .../components}/AWS/RA-RISK_ASSESSMENT.yaml | 0 .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 0 ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 0 .../components}/AWS/component.yaml | 0 .../Contractor/AC-ACCESS_CONTROL.yaml | 0 .../Contractor/AT-AWARENESS_AND_TRAINING.yaml | 0 .../AU-AUDIT_AND_ACCOUNTABILITY.yaml | 0 ...SESSMENT_AUTHORIZATION_AND_MONITORING.yaml | 0 .../CM-CONFIGURATION_MANAGEMENT.yaml | 0 .../Contractor/CP-CONTINGENCY_PLANNING.yaml | 0 .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 0 .../Contractor/IR-INCIDENT_RESPONSE.yaml | 0 .../Contractor/MA-MAINTENANCE.yaml | 0 .../Contractor/MP-MEDIA_PROTECTION.yaml | 0 .../components}/Contractor/PL-PLANNING.yaml | 0 .../Contractor/PS-PERSONNEL_SECURITY.yaml | 0 .../Contractor/RA-RISK_ASSESSMENT.yaml | 0 .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 0 
...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 0 .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 0 .../components}/Contractor/component.yaml | 0 .../components}/Drupal/AC-ACCESS_CONTROL.yaml | 0 .../Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 0 ...SESSMENT_AUTHORIZATION_AND_MONITORING.yaml | 0 .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 0 ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 0 .../components}/Drupal/component.yaml | 0 .../components}/Ilias/AC-ACCESS_CONTROL.yaml | 0 .../Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 0 ...SESSMENT_AUTHORIZATION_AND_MONITORING.yaml | 0 .../Ilias/CM-CONFIGURATION_MANAGEMENT.yaml | 0 .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 0 .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 0 ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 0 .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 0 .../components}/Ilias/component.yaml | 0 .../Project/AC-ACCESS_CONTROL.yaml | 0 .../Project/AT-AWARENESS_AND_TRAINING.yaml | 0 .../Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml | 0 ...SESSMENT_AUTHORIZATION_AND_MONITORING.yaml | 0 .../Project/CM-CONFIGURATION_MANAGEMENT.yaml | 0 .../Project/CP-CONTINGENCY_PLANNING.yaml | 0 .../IA-IDENTIFICATION_AND_AUTHENTICATION.yaml | 0 .../Project/IR-INCIDENT_RESPONSE.yaml | 0 .../components}/Project/MA-MAINTENANCE.yaml | 0 .../Project/MP-MEDIA_PROTECTION.yaml | 0 .../components}/Project/PL-PLANNING.yaml | 0 .../Project/PS-PERSONNEL_SECURITY.yaml | 0 .../Project/RA-RISK_ASSESSMENT.yaml | 0 .../SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml | 0 ...-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml | 0 .../SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml | 0 .../components}/Project/component.yaml | 0 .../components}/SSH/AC-ACCESS_CONTROL.yaml | 0 .../components}/SSH/component.yaml | 0 .../components}/file_hashes.json | 0 results/docs/controls.md | 162 ++++ results/docs/controls/AC.md | 539 +++++++++++++ results/docs/controls/AT.md | 185 +++++ results/docs/controls/AU.md | 536 +++++++++++++ results/docs/controls/CA.md | 312 ++++++++ 
results/docs/controls/CM.md | 304 +++++++ results/docs/controls/CP.md | 251 ++++++ results/docs/controls/IA.md | 742 ++++++++++++++++++ results/docs/controls/IR.md | 341 ++++++++ results/docs/controls/MA.md | 186 +++++ results/docs/controls/MP.md | 103 +++ results/docs/controls/PE.md | 216 +++++ results/docs/controls/PL.md | 244 ++++++ results/docs/controls/PS.md | 382 +++++++++ results/docs/controls/RA.md | 255 ++++++ results/docs/controls/SA.md | 491 ++++++++++++ results/docs/controls/SC.md | 263 +++++++ results/docs/controls/SI.md | 337 ++++++++ .../components/AWS/AC-ACCESS_CONTROL.yaml | 2 +- tools/createfiles/createfiles.py | 4 +- tools/makefamilies/makefamilies.py | 6 +- tools/watcher.py | 5 +- tools/watchers/component_watcher.py | 55 ++ .../{templates.py => template_watcher.py} | 15 +- 104 files changed, 5926 insertions(+), 819 deletions(-) delete mode 100644 appendices/configuration-management.md delete mode 100644 components/AWS/AC-ACCESS_CONTROL.yaml delete mode 100644 results/appendices/configuration-management.md rename {appendices => results/appendices}/contingency-plan.md (100%) rename {appendices => results/appendices}/justifications.md (100%) rename {appendices => results/appendices}/laws-regulations.md (100%) rename {appendices => results/appendices}/privacy-impact-assessment.md (100%) rename {appendices => results/appendices}/risk-management.md (100%) rename {appendices => results/appendices}/sdlc.md (100%) rename {appendices => results/appendices}/security-irp-checklist.md (100%) rename {appendices => results/appendices}/security-irp.md (100%) rename {appendices => results/appendices}/system-continuity-plan.md (100%) rename {components => results/components}/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml (100%) rename {components => results/components}/AWS/CM-CONFIGURATION_MANAGEMENT.yaml (100%) rename {components => results/components}/AWS/CP-CONTINGENCY_PLANNING.yaml (100%) rename {components => 
results/components}/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml (100%) rename {components => results/components}/AWS/IR-INCIDENT_RESPONSE.yaml (100%) rename {components => results/components}/AWS/MA-MAINTENANCE.yaml (100%) rename {components => results/components}/AWS/MP-MEDIA_PROTECTION.yaml (100%) rename {components => results/components}/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml (100%) rename {components => results/components}/AWS/PL-PLANNING.yaml (100%) rename {components => results/components}/AWS/PS-PERSONNEL_SECURITY.yaml (100%) rename {components => results/components}/AWS/RA-RISK_ASSESSMENT.yaml (100%) rename {components => results/components}/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml (100%) rename {components => results/components}/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml (100%) rename {components => results/components}/AWS/component.yaml (100%) rename {components => results/components}/Contractor/AC-ACCESS_CONTROL.yaml (100%) rename {components => results/components}/Contractor/AT-AWARENESS_AND_TRAINING.yaml (100%) rename {components => results/components}/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml (100%) rename {components => results/components}/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml (100%) rename {components => results/components}/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml (100%) rename {components => results/components}/Contractor/CP-CONTINGENCY_PLANNING.yaml (100%) rename {components => results/components}/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml (100%) rename {components => results/components}/Contractor/IR-INCIDENT_RESPONSE.yaml (100%) rename {components => results/components}/Contractor/MA-MAINTENANCE.yaml (100%) rename {components => results/components}/Contractor/MP-MEDIA_PROTECTION.yaml (100%) rename {components => results/components}/Contractor/PL-PLANNING.yaml (100%) rename {components => results/components}/Contractor/PS-PERSONNEL_SECURITY.yaml (100%) rename {components => 
results/components}/Contractor/RA-RISK_ASSESSMENT.yaml (100%) rename {components => results/components}/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml (100%) rename {components => results/components}/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml (100%) rename {components => results/components}/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml (100%) rename {components => results/components}/Contractor/component.yaml (100%) rename {components => results/components}/Drupal/AC-ACCESS_CONTROL.yaml (100%) rename {components => results/components}/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml (100%) rename {components => results/components}/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml (100%) rename {components => results/components}/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml (100%) rename {components => results/components}/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml (100%) rename {components => results/components}/Drupal/component.yaml (100%) rename {components => results/components}/Ilias/AC-ACCESS_CONTROL.yaml (100%) rename {components => results/components}/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml (100%) rename {components => results/components}/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml (100%) rename {components => results/components}/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml (100%) rename {components => results/components}/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml (100%) rename {components => results/components}/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml (100%) rename {components => results/components}/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml (100%) rename {components => results/components}/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml (100%) rename {components => results/components}/Ilias/component.yaml (100%) rename {components => results/components}/Project/AC-ACCESS_CONTROL.yaml (100%) rename {components => results/components}/Project/AT-AWARENESS_AND_TRAINING.yaml (100%) rename {components => 
results/components}/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml (100%) rename {components => results/components}/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml (100%) rename {components => results/components}/Project/CM-CONFIGURATION_MANAGEMENT.yaml (100%) rename {components => results/components}/Project/CP-CONTINGENCY_PLANNING.yaml (100%) rename {components => results/components}/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml (100%) rename {components => results/components}/Project/IR-INCIDENT_RESPONSE.yaml (100%) rename {components => results/components}/Project/MA-MAINTENANCE.yaml (100%) rename {components => results/components}/Project/MP-MEDIA_PROTECTION.yaml (100%) rename {components => results/components}/Project/PL-PLANNING.yaml (100%) rename {components => results/components}/Project/PS-PERSONNEL_SECURITY.yaml (100%) rename {components => results/components}/Project/RA-RISK_ASSESSMENT.yaml (100%) rename {components => results/components}/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml (100%) rename {components => results/components}/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml (100%) rename {components => results/components}/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml (100%) rename {components => results/components}/Project/component.yaml (100%) rename {components => results/components}/SSH/AC-ACCESS_CONTROL.yaml (100%) rename {components => results/components}/SSH/component.yaml (100%) rename {components => results/components}/file_hashes.json (100%) create mode 100644 results/docs/controls.md create mode 100644 results/docs/controls/AC.md create mode 100644 results/docs/controls/AT.md create mode 100644 results/docs/controls/AU.md create mode 100644 results/docs/controls/CA.md create mode 100644 results/docs/controls/CM.md create mode 100644 results/docs/controls/CP.md create mode 100644 results/docs/controls/IA.md create mode 100644 results/docs/controls/IR.md create mode 100644 results/docs/controls/MA.md create mode 100644 
results/docs/controls/MP.md create mode 100644 results/docs/controls/PE.md create mode 100644 results/docs/controls/PL.md create mode 100644 results/docs/controls/PS.md create mode 100644 results/docs/controls/RA.md create mode 100644 results/docs/controls/SA.md create mode 100644 results/docs/controls/SC.md create mode 100644 results/docs/controls/SI.md create mode 100644 tools/watchers/component_watcher.py rename tools/watchers/{templates.py => template_watcher.py} (82%) diff --git a/appendices/configuration-management.md b/appendices/configuration-management.md deleted file mode 100644 index a43cc7a..0000000 --- a/appendices/configuration-management.md +++ /dev/null 
@@ -1,371 +0,0 @@ -# Project Full Name Configuration Management Plan - -This document describes how the CivicActions/Project team approaches -configuration management of the Project General Services platform. - -## Contents - - -- [Contents](#contents) -- [Overview](#overview) - - [Purpose](#purpose) - - [Scope](#scope) - - [Roles and responsibilities](#roles-and-responsibilities) - - [Definitions](#definitions) -- [What goes into configuration management?](#what-goes-into-configuration-management) -- [Where should all this configuration go](#where-should-all-this-configuration-go) -- [How do we test these changes](#how-do-we-test-these-changes) -- [Change workflow](#change-workflow) -- [What if a configuration is changed, and it is not in Configuration Management?](#what-if-a-configuration-is-changed-and-it-is-not-in-configuration-management) -- [Server configuration](#server-configuration) -- [Application configuration](#application-configuration) -- [GitLab contribution guidelines](#gitlab-contribution-guidelines) -- [Forking](#forking) - - [Branching](#branching) - - [Squashing commits](#squashing-commits) - - [Rebase or merge](#rebase-or-merge) - - [When should a Merge Request (MR) be created?](#when-should-a-merge-request-mr-be-created) - - [Should MRs be assigned?](#should-mrs-be-assigned) - - [When reviewing an MR, should the change be tested locally?](#when-reviewing-an-mr-should-the-change-be-tested-locally) - - - -## Overview - -Project employs a combination of AWS CloudFormation templates and the Ansible software -and configuration provisioning engine. Using CloudFormation, CivicActions is able to -create virtual machines for each step of the CI/CD pipeline. - -The server software update process, AIDE-based intrusion detection, and Git management of /etc are all -managed by Ansible. Drupal application updates both security and feature based, make use of a scripted -deployment process. 
A Git repository is used to manage and record configuration in code, templates and -playbooks. Peer review, automated testing and a stakeholder review on a staging server ensure that -configuration updates are deployed without problems. Should a problem be discovered, rollback to a -previous version is seamlessly managed by re-deploying the previous release stored in Git. - -### Purpose - -The purpose of this document is to identify and describe the Configuration Management (CM) process for -the Project Full Name and provide CivicActions with the necessary structure to efficiently -and securely manage the configuration standards for software baselines and changes to assets within the -Project authorization boundary. This plan describes the processes required to ensure that -the inevitable changes to Project occur within an identifiable and controlled environment. - -The Project CM Plan will ensure the following requirements are met: - -- Formally documented CM roles, responsibilities, and procedures; -- A configuration control board that implements procedures to ensure a security review and approval of all - proposed information system changes, to include interconnections to other information systems; -- A testing process to verify proposed configuration changes prior to implementation in the operational - environment; and -- A verification process to provide additional assurance that the CM process is working effectively and that - changes outside the CM process are technically or procedurally not permitted. - -### Scope - -This Configuration Management Plan and associated processes apply to all employees, contractors and vendors -that manage change or otherwise affect the operations of the Project system including but -not limited to the hardware, software, facilities or information resources. 
The scope of the Configuration -Management Plan is to establish policy and procedures to ensure that: - -- The revision status of the Project Baseline can be clearly identified, accurately recorded, - and provided to at any given point in time; -- The integrity of the approved Authorization and status of the Project baseline is maintained - throughout all program phases/sprints; -- Coordination of approved changes are vetted in an effective and timely manner; and -- Changes to the defined Baseline is controlled and evaluated for impact on all related system aspects - including security, and incorporated only after review and approval by the personnel. - -### Roles and responsibilities - -Project shall maintain an active Configuration Control Board (CCB) which will be established -as a formal approval authority for changes. It primarily exists to control changes to the -Project architecture (e.g., deployment of new software, code, or major architectural change). - -The following **Roles** will be involved in configuration management activities and make up the Configuration -Control Board: - -- Project Program Manager -- Information Systems Security Manager (ISSM) -- CivicActions Team - - Project Manager (PM) - - Information Systems Security Officer (ISSO) - - Infrastructure Support Team - - Technology Lead (TL) - - Development Team -- Project Managers - -The **Program Manager** or a **Designated Representative (DR)** shall: - -- ensure that appropriate roles, responsibilities, and access controls are assigned to support an effective - Configuration Management Process; -- manage the Change Control Process, Change Management policy, and associated processes that are essential - to the integrity of the Change Control Board; -- provide direction for Project sprints, ensuring that changes requiring modifications to - the contract are submitted as required; and -- attend Configuration Control Board meetings. 
- -The **Information Systems Security Manager (ISSM)** is the liaison between the PM and the -CivicActions Team for CM-related actions, and shall: - -- lead monthly Configuration Management meetings; -- ensure that CM changes are accurately assessed, documented, and disseminated to prevent any potential - impact to the Project Authorization; -- analyze changes to Project to determine potential security impacts prior to change - implementation; -- ensure that required stakeholders maintain active participation within the Project CCB; and -- attend Configuration Control Board meetings. - -The **CivicActions Team** is responsible for the Project architecture and -its components. The CivicActions Team tests and deploys Project components, modifies -existing software components, and identifies potential Project enhancements. The team is -composed of several roles: - -- The **Project Manager (PM)** is responsible for shepherding the Agile process that is used to develop and - maintain Project throughout any requested or required configuration changes. -- The **Information Systems Security Officer (ISSO)** develops and implements processes and procedures to - insure the security of the Project General Service as it grows and changes through use - and updates. -- The **Infrastructure Support Team** is authorized to make changes to the underlying Project - infrastructure and components. This team shall ensure that a central inventory is maintained and updated as - information system components are modified/added/removed to/from the Project environment. -- The **Technology Lead (TL)** manages the change process of the Project application, oversees - the testing and staging operations, and is directly involved in the deployment of new releases. -- The **Development Team** is tasked with implementing newly requested features, mitigating reported bugs, and - developing test systems to ensure the proper operation of the system as it undergoes changes. 
- -The **Project Managers** are responsible for the day-to-day operation of the -Project Platform system, and maintain close communication with Project users -and/or organizations. This team is responsible for acting as a liaison between the Project -user base and the CivicActions Team to ensure that the Project system is up and -operational, and coordinating minor changes to the Project Baseline. Attends Configuration -Control Board meetings as needed. - -#### Project Working Group - -The Project Working Group (WG) consists of the members of the current sprint, including at -a minimum, the Program Manager or DR, a Project Manager, and a Technology Lead. The WG coordinates minor -Project changes (e.g., setting changes within the Drupal application and minor operating -system updates) between the CivicActions Team and Project Managers. -The Project CCB delegates this authority to the Project WG to provide a more -streamlined CM control mechanism for changes that do not affect the authorization of the -Project system. Although the WG is less formal than the CCB, all requests and decisions must -still be documented through the JIRA ticketing system. - -### Definitions - -The Configuration Management Process consists of a collection of activities focused on establishing and -maintaining the integrity of the Project baseline, through control of the processes for -initializing, changing, and monitoring the configurations of assets within the Project -authorization boundary. This process is administered by CivicActions in collaboration with the -Project Program Manager. The Program Manager, in collaboration with the ISSM shall ensure -define and implement configuration baseline process and standards for: - -#### Configuration Item (CI) - -An identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination -thereof) that is a discrete target of configuration control processes. 
- -#### Baseline configuration - -A set of specifications for a system, or CI within a system, that has been formally reviewed and agreed -on at a given point in time, and which can be changed only through change control procedures. The baseline -configuration is used as a basis for future builds, releases, and/or changes. - -#### Configuration Management Plan (CM Plan) - -A comprehensive description of the roles, responsibilities, policies, and procedures that apply when -managing the configuration of products and systems. The basic parts of a CM Plan include: - -##### Configuration Item Identification - -Methodology for selecting and naming configuration items that need to be placed under CM. - -##### Configuration Change Control - -Process for managing updates to the baseline configurations for the configuration items. - -Other Commonly used terms used within the Configuration Management Process include: - -**Baseline** - A current and comprehensive baseline inventory of all components required to support -Project operations; these components are part of the System Inventory and can be -changed only through formal change control procedures. The baseline includes sufficient detail to -re-create the Project General Service. Baselines exist for Software and Infrastructure, -and redundant copies of the Baseline are stored by CivicActions in a location separate -from the Information System. - -**Baseline Change Request (BCR)** - A formal written request to initiate a change to a baseline document. - -**Configuration Control Board (CCB)** - A review panel that evaluates and/or approves changes to the -Project baseline. - -**Code Commit** - A definitive change to any source code that defines the Project software, -or Project virtual infrastructure, or other supporting Project asset or -document which contributes to the Project Information System. Each code commit is assigned -a unique ID, and all code commits are part of a permanent record. 
All changes to Infrastructure and Software -Baselines are executed through code commits. It should be noted that not all code commits result in changes -to Baselines. - -**Version** or **Release** - (1) A uniquely identified snapshot of a build that represents some identifiable -milestone of functions and capabilities of the Information System; or (2) a uniquely identified snapshot of -a document representing some identifiable milestone of content. - -## What goes into configuration management? - -In short, everything needed to run and operate the platform that is not a _secret_. -(_tbd: secret key management_) - -Here are some examples that are in configuration management: - -- CI/CD pipeline -- Infrastructure/network configuration (CloudFormation and Ansible) -- VM setup and quantity (CloudFormation and Ansible) -- Server software configuration (Ansible) -- CivicActions-developed code (Git) -- Application configuration (Drupal features in Git) - -## Where should all this configuration go - -All configuration must be stored in GitLab using the following "Change Workflow" unless it is a _secret_. - -## How do we test these changes - -If possible, changes should be tested locally first. If local testing is successful, upload the changes to -a development environment for manual or automated testing. - -Security tests need to be executed in the development environment where changes are applied. - -## Change workflow - -1. All configuration changes must flow through a Git repository, centrally managed through GitLab, unless - they contain sensitive information. -2. A change is initiated and discussed as a "Backlog" JIRA ticket in the - [JIRA ticket management system](https://project.atlassian.net/secure/) -3. During Sprint Planning, the ticket is prioritized and may get moved from "Backlog" to "ToDo". -4. The ticket moves from "ToDo" to "In Progress" when it is assigned to a developer. -5. 
During development, code commits are checked for style and security using `githooks`. -6. After development and local testing, the developer initiates a "Merge Request" (MR). -7. The MR is reviewed by someone other than the committer. Pairing via screen-sharing is encouraged and - qualifies as a review. Review should include assessment of architectural design, DRY principles, - security and code quality. -8. The reviewer merges the MR. -9. A continuous integration (CI) server handles automated tests and continuous deployment (CD) of the - merged changes. - - All changes are deployed to a newly created test environment. - - Any and all automated tests are run. - - If all tests pass, changes can be promoted for deployment to production in the pipeline. -10. The CI/CD tool uses GitLab repositories as the single source of truth for what the platform should - look like. If there are manual changes, the CI/CD tool resets the state of all systems to match. - -## What if a configuration is changed, and it is not in Configuration Management? - -If possible, Configuration Management tools should always roll back to a known state. Other than that, -these tools need to be able to "recreate" all settings from known configurations. - -## Server configuration - -Server configuration is handled via CloudFormation templates and Ansible playbooks and managed using Git. -Once a change has been committed and pushed to the Git repository, a merge request is created. Creating the -merge request triggers the CI/CD build pipeline which contains the following phases: - -- **Deploy infrastructure:** In this phase the containers are created using the CloudFormation templates and Ansible playbooks. -- **Deploy services:** Services defined in the CloudFormation template are deployed. The services include the bastion host, the Drupal application, the Ilias CMS, Solr searching, and the Amazon RDS databases. 
-- **Validate platform:** During the validation phase, the server configuation is tested for drift detection in order to catch configuation settings that have deviated from the baseline configuation, as well as checks to determine if the applications are up and running and accessible. Nmap, OpenSCAP and Zap scans are also performed during this phase. -- **Post validation:** During the post validation, the hardened Amazon Machine Image (AMI) is checked to see if there are any updates available and, if so, they are installed. - -## Application configuration - -Configuration management in Drupal is handled using Drupal's Configuration Management and hook_update_N modules to make the necessary changes to site configuration. - -Each site has its own site_deploy module that orchestrates deployments. - -When code is deployed to sandbox, development, staging or production environments, `drush config:import`, which imports changes to configuration, is run, and `drush updatedb` is run, which runs any new hook_update_N functions. - -For many of the common configuration tasks, Hook Update Deploy Tools methods make sure that all hook_update_N modules follow this model:: - -- make the change, -- verify it was made, and then -- report that it was made. - -Records of these events are output to the terminal of the engineer deploying the code, and to Drupal Watchdog. - - -## GitLab contribution guidelines - -Project is built and maintained by CivicActions, and the -CivicActions Team follows standard code development guidelines. - -## Forking - -Forking is a method that can be used to modify the code base. - -The CivicActions Team maintains the Project code base in a GitLab -repository. The _master_ is the most current version that has been deployed to production. When starting -a new project, the CivicActions Team makes a copy of the _master_ in GitLab; the copy, -called a _fork_, is where project-specific code changes shall be maintained going forward. 
- -Code changes are implemented using the following workflow: - -1. The CivicActions Team uses the _master_ to create a _fork_ for project-specific code changes. -2. During the project, individual team members create branches, and then work in those branches until the code - changes are ready to be committed to the fork. -3. When code changes are ready to be integrated from a team member branch into the fork, a team member creates - a merge request in GitLab. (All code changes are implemented using merge requests.) -4. Another team member reviews the merge request, performs a code review, and approves the merge request so - that the code changes can be integrated into the fork. - -### Branching - -Branching is another method that can be used to modify the code base. - -Each code repository has at least two branches: - -1. **Master branch.** The master is used for development. The CivicActions Team can rebase and create merge - requests in the master branch. -2. **Production branch.** The production branch is deployed to the production server. When deploying changes - to production, the release manager copies code from the master branch to the production branch. - -The CivicActions Team might create a branch from the upstream repository when multiple -developers need to collaborate on something that cannot be continuously merged into the master branch. The -rationale for branching within a team is that paired collaboration on a single branch avoids certain types of -friction: - -- Having to process merge requests from multiple forks in order to integrate changes to the upstream branch -- Having to add team members to forks as _collaborators_ so that they can contribute in short-lived forks - -When team members contribute directly in a branch, CivicActions can modify work-in-progress -(WIP) merge requests and encourage collaboration across the Cloud Operations team. 
- -### Squashing commits - -[Squashing commits](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History#Squashing-Commits) is allowed -and encouraged within an engineer's branch, but discouraged, except in rare instances in master and production -branches which are fast-forward only and block force pushes. - -### Rebase or merge - -The team prefers [rebasing over merging](https://www.atlassian.com/git/tutorials/merging-vs-rebasing/). Ongoing -work should always be rebased upon the master branch. - -### When should a Merge Request (MR) be created? - -Work-in-progress MRs are encouraged. If you create a work-in-progress MR, you might also make it plain in the -MR name with a `[WIP]` prefix. When an MR is ready for review, remove the `[WIP]` label. An MR with a WIP label -is blocked from merging by GitLab. - -Merge requests should be created whenever code is ready for review, prior to being merged into the master -branch. - -### Should MRs be assigned? - -MRs are typically not assigned in GitLab, unless someone specifically needs to sign off on the change. - -You can request a review using GitLab's built-in tools, mention someone in the MR with the `@` notation, or -contact them outside the GitLab context to request a review. - -### When reviewing an MR, should the change be tested locally? - -Whenever possible, the proposed changes should be tested locally. Because of the nature of many of the -Project repositories and deployment environments, local testing is not always possible or -practical. Visual code review, however, is always required. In the event that merged code breaks the dev -environment, the decision will be made at the time whether to revert the merge. diff --git a/components/AWS/AC-ACCESS_CONTROL.yaml b/components/AWS/AC-ACCESS_CONTROL.yaml deleted file mode 100644 index 454eb7f..0000000 --- a/components/AWS/AC-ACCESS_CONTROL.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -family: ACCESS CONTROL -documentation_complete: false -satisfies: -- control_key: AC-2 - control_name: ACCOUNT MANAGEMENT - standard_key: NIST SP 800-53 Revision 4 - covered_by: [] - security_control_type: Shared - narrative: - - text: > - The system partially inherits this control from the FedRAMP Provisional ATO granted - to the AWS Cloud dated 1 May 2013 for the following: AWS account management. - - key: a - text: > - In this architecture, the baseline AWS Identity and Access Management (IAM) - groups and roles are associated with access policies to align user - accounts with personnel functions related to infrastructure/platform - management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, - etc.) - - key: g - text: > - In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, which - provide the audit trail capability for the organization to monitor the use of AWS - Identity and Access Management (IAM) accounts. An Amazon S3 bucket centrally contains - the CloudTrail audit logs. Amazon CloudWatch Alarm is configured to send an - alert when any of the following happen: - - an API call is made to create, update, or delete a Network ACL/Security Group - - AWS account *root user* activity is detected - - multiple API actions or login attempts fail - - IAM Configuration changes are detected - - new IAM access key was created - - changes to the CloudTrail log configuration are detected - implementation_status: partial -- control_key: AC-3 - control_name: ACCESS ENFORCEMENT - standard_key: NIST SP 800-53 Revision 4 - covered_by: [] - security_control_type: Shared - narrative: - - text: > - In this architecture, AWS Identify and Access Management (IAM) and Amazon - Amazon S3 enforce access to the AWS infrastructure and data in Amazon S3 buckets. 
The - baseline IAM groups and roles are associated with access policies to - align user accounts with personnel functions related to infrastructure/platform - management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. - auditing, etc.) Login/API access is restricted to those users for whom the - organization has authorized and created, or federated, IAM user accounts, - and assigned the appropriate IAM group and/or role memberships. Amazon S3 - buckets have specific access control policies assigned to restrict access - to those IAM users who are assigned the appropriate IAM roles/groups. - implementation_status: partial diff --git a/opencontrol.yaml b/opencontrol.yaml index 412bed4..8aeb0b3 100644 --- a/opencontrol.yaml +++ b/opencontrol.yaml @@ -5,12 +5,12 @@ metadata: maintainers: - CivicActions components: - - ./components/AWS - - ./components/Contractor - - ./components/Drupal - - ./components/Ilias - - ./components/Project - - ./components/SSH + - ./results/components/AWS + - ./results/components/Contractor + - ./results/components/Drupal + - ./results/components/Ilias + - ./results/components/Project + - ./results/components/SSH standards: - ./standards/nist-sp-800-53-rev5.yaml certifications: diff --git a/pyproject.toml b/pyproject.toml index cc385d5..307ac19 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -29,10 +29,10 @@ requires = ["poetry-core"] build-backend = "poetry.core.masonry.api" [tool.poetry.scripts] -createfiles = "tools.createfiles.createfiles:main" +createfiles = "tools.createfiles.createfiles:create_files" creatematrix = "tools.creatematrix.creatematrix:main" exportto = "tools.exportto.exportto:main" -makefamilies = "tools.makefamilies.makefamilies:main" +makefamilies = "tools.makefamilies.makefamilies:make_families" sop = "tools.sop.sop:main" makessp = "tools.makessp.makessp:main" getconfig = "tools.helpers.config:check_config" 
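Review bot: Repointing `components:` at `./results/components/AWS` silently changes which AC-ACCESS_CONTROL.yaml backs the Access Control family, because the diffstat lists `components/AWS/AC-ACCESS_CONTROL.yaml` as deleted rather than renamed while `results/components/AWS/AC-ACCESS_CONTROL.yaml` only receives a 2-line change, so the two copies already existed side by side. The deleted copy in the preceding hunk carries the AC-2 and AC-3 narratives (IAM group/role policy, CloudTrail and CloudWatch alerting), and nothing in this chunk shows that the results copy matches it; the stray `new` line in the deleted results/appendices/configuration-management.md at the start of the following hunk suggests the two trees had drifted. Before merge, diff the deleted file against the results copy so the narrative now referenced by opencontrol.yaml is the one that was reviewed. Note also that configuration-management.md is deleted from both appendices/ and results/appendices/ with no corresponding rename, unlike every other appendix, so the CM plan leaves the repository unless it is regenerated elsewhere.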
diff --git a/results/appendices/configuration-management.md b/results/appendices/configuration-management.md deleted file mode 100644 index 516d605..0000000 --- a/results/appendices/configuration-management.md +++ /dev/null 
@@ -1,371 +0,0 @@ -# Project Full Name Configuration Management Plan - -This document describes how the CivicActions/Project team approaches -configuration management of the Project General Services platform. - -## Contents - - -- [Contents](#contents) -- [Overview](#overview) - - [Purpose](#purpose) - - [Scope](#scope) - - [Roles and responsibilities](#roles-and-responsibilities) - - [Definitions](#definitions) -- [What goes into configuration management?](#what-goes-into-configuration-management) -- [Where should all this configuration go](#where-should-all-this-configuration-go) -- [How do we test these changes](#how-do-we-test-these-changes) -- [Change workflow](#change-workflow) -- [What if a configuration is changed, and it is not in Configuration Management?](#what-if-a-configuration-is-changed-and-it-is-not-in-configuration-management) -- [Server configuration](#server-configuration) -- [Application configuration](#application-configuration) -- [GitLab contribution guidelines](#gitlab-contribution-guidelines) -- [Forking](#forking) - - [Branching](#branching) - - [Squashing commits](#squashing-commits) - - [Rebase or merge](#rebase-or-merge) - - [When should a Merge Request (MR) be created?](#when-should-a-merge-request-mr-be-created) - - [Should MRs be assigned?](#should-mrs-be-assigned) - - [When reviewing an MR, should the change be tested locally?](#when-reviewing-an-mr-should-the-change-be-tested-locally) - - - -## Overview -new -Project employs a combination of AWS CloudFormation templates and the Ansible software -and configuration provisioning engine. Using CloudFormation, CivicActions is able to -create virtual machines for each step of the CI/CD pipeline. - -The server software update process, AIDE-based intrusion detection, and Git management of /etc are all -managed by Ansible. Drupal application updates both security and feature based, make use of a scripted -deployment process. 
A Git repository is used to manage and record configuration in code, templates and -playbooks. Peer review, automated testing and a stakeholder review on a staging server ensure that -configuration updates are deployed without problems. Should a problem be discovered, rollback to a -previous version is seamlessly managed by re-deploying the previous release stored in Git. - -### Purpose - -The purpose of this document is to identify and describe the Configuration Management (CM) process for -the Project Full Name and provide CivicActions with the necessary structure to efficiently -and securely manage the configuration standards for software baselines and changes to assets within the -Project authorization boundary. This plan describes the processes required to ensure that -the inevitable changes to Project occur within an identifiable and controlled environment. - -The Project CM Plan will ensure the following requirements are met: - -- Formally documented CM roles, responsibilities, and procedures; -- A configuration control board that implements procedures to ensure a security review and approval of all - proposed information system changes, to include interconnections to other information systems; -- A testing process to verify proposed configuration changes prior to implementation in the operational - environment; and -- A verification process to provide additional assurance that the CM process is working effectively and that - changes outside the CM process are technically or procedurally not permitted. - -### Scope - -This Configuration Management Plan and associated processes apply to all employees, contractors and vendors -that manage change or otherwise affect the operations of the Project system including but -not limited to the hardware, software, facilities or information resources. 
The scope of the Configuration -Management Plan is to establish policy and procedures to ensure that: - -- The revision status of the Project Baseline can be clearly identified, accurately recorded, - and provided to at any given point in time; -- The integrity of the approved Authorization and status of the Project baseline is maintained - throughout all program phases/sprints; -- Coordination of approved changes are vetted in an effective and timely manner; and -- Changes to the defined Baseline is controlled and evaluated for impact on all related system aspects - including security, and incorporated only after review and approval by the personnel. - -### Roles and responsibilities - -Project shall maintain an active Configuration Control Board (CCB) which will be established -as a formal approval authority for changes. It primarily exists to control changes to the -Project architecture (e.g., deployment of new software, code, or major architectural change). - -The following **Roles** will be involved in configuration management activities and make up the Configuration -Control Board: - -- Project Program Manager -- Information Systems Security Manager (ISSM) -- CivicActions Team - - Project Manager (PM) - - Information Systems Security Officer (ISSO) - - Infrastructure Support Team - - Technology Lead (TL) - - Development Team -- Project Managers - -The **Program Manager** or a **Designated Representative (DR)** shall: - -- ensure that appropriate roles, responsibilities, and access controls are assigned to support an effective - Configuration Management Process; -- manage the Change Control Process, Change Management policy, and associated processes that are essential - to the integrity of the Change Control Board; -- provide direction for Project sprints, ensuring that changes requiring modifications to - the contract are submitted as required; and -- attend Configuration Control Board meetings. 
- -The **Information Systems Security Manager (ISSM)** is the liaison between the PM and the -CivicActions Team for CM-related actions, and shall: - -- lead monthly Configuration Management meetings; -- ensure that CM changes are accurately assessed, documented, and disseminated to prevent any potential - impact to the Project Authorization; -- analyze changes to Project to determine potential security impacts prior to change - implementation; -- ensure that required stakeholders maintain active participation within the Project CCB; and -- attend Configuration Control Board meetings. - -The **CivicActions Team** is responsible for the Project architecture and -its components. The CivicActions Team tests and deploys Project components, modifies -existing software components, and identifies potential Project enhancements. The team is -composed of several roles: - -- The **Project Manager (PM)** is responsible for shepherding the Agile process that is used to develop and - maintain Project throughout any requested or required configuration changes. -- The **Information Systems Security Officer (ISSO)** develops and implements processes and procedures to - insure the security of the Project General Service as it grows and changes through use - and updates. -- The **Infrastructure Support Team** is authorized to make changes to the underlying Project - infrastructure and components. This team shall ensure that a central inventory is maintained and updated as - information system components are modified/added/removed to/from the Project environment. -- The **Technology Lead (TL)** manages the change process of the Project application, oversees - the testing and staging operations, and is directly involved in the deployment of new releases. -- The **Development Team** is tasked with implementing newly requested features, mitigating reported bugs, and - developing test systems to ensure the proper operation of the system as it undergoes changes. 
- -The **Project Managers** are responsible for the day-to-day operation of the -Project Platform system, and maintain close communication with Project users -and/or organizations. This team is responsible for acting as a liaison between the Project -user base and the CivicActions Team to ensure that the Project system is up and -operational, and coordinating minor changes to the Project Baseline. Attends Configuration -Control Board meetings as needed. - -#### Project Working Group - -The Project Working Group (WG) consists of the members of the current sprint, including at -a minimum, the Program Manager or DR, a Project Manager, and a Technology Lead. The WG coordinates minor -Project changes (e.g., setting changes within the Drupal application and minor operating -system updates) between the CivicActions Team and Project Managers. -The Project CCB delegates this authority to the Project WG to provide a more -streamlined CM control mechanism for changes that do not affect the authorization of the -Project system. Although the WG is less formal than the CCB, all requests and decisions must -still be documented through the JIRA ticketing system. - -### Definitions - -The Configuration Management Process consists of a collection of activities focused on establishing and -maintaining the integrity of the Project baseline, through control of the processes for -initializing, changing, and monitoring the configurations of assets within the Project -authorization boundary. This process is administered by CivicActions in collaboration with the -Project Program Manager. The Program Manager, in collaboration with the ISSM shall ensure -define and implement configuration baseline process and standards for: - -#### Configuration Item (CI) - -An identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination -thereof) that is a discrete target of configuration control processes. 
- -#### Baseline configuration - -A set of specifications for a system, or CI within a system, that has been formally reviewed and agreed -on at a given point in time, and which can be changed only through change control procedures. The baseline -configuration is used as a basis for future builds, releases, and/or changes. - -#### Configuration Management Plan (CM Plan) - -A comprehensive description of the roles, responsibilities, policies, and procedures that apply when -managing the configuration of products and systems. The basic parts of a CM Plan include: - -##### Configuration Item Identification - -Methodology for selecting and naming configuration items that need to be placed under CM. - -##### Configuration Change Control - -Process for managing updates to the baseline configurations for the configuration items. - -Other Commonly used terms used within the Configuration Management Process include: - -**Baseline** - A current and comprehensive baseline inventory of all components required to support -Project operations; these components are part of the System Inventory and can be -changed only through formal change control procedures. The baseline includes sufficient detail to -re-create the Project General Service. Baselines exist for Software and Infrastructure, -and redundant copies of the Baseline are stored by CivicActions in a location separate -from the Information System. - -**Baseline Change Request (BCR)** - A formal written request to initiate a change to a baseline document. - -**Configuration Control Board (CCB)** - A review panel that evaluates and/or approves changes to the -Project baseline. - -**Code Commit** - A definitive change to any source code that defines the Project software, -or Project virtual infrastructure, or other supporting Project asset or -document which contributes to the Project Information System. Each code commit is assigned -a unique ID, and all code commits are part of a permanent record. 
All changes to Infrastructure and Software -Baselines are executed through code commits. It should be noted that not all code commits result in changes -to Baselines. - -**Version** or **Release** - (1) A uniquely identified snapshot of a build that represents some identifiable -milestone of functions and capabilities of the Information System; or (2) a uniquely identified snapshot of -a document representing some identifiable milestone of content. - -## What goes into configuration management? - -In short, everything needed to run and operate the platform that is not a _secret_. -(_tbd: secret key management_) - -Here are some examples that are in configuration management: - -- CI/CD pipeline -- Infrastructure/network configuration (CloudFormation and Ansible) -- VM setup and quantity (CloudFormation and Ansible) -- Server software configuration (Ansible) -- CivicActions-developed code (Git) -- Application configuration (Drupal features in Git) - -## Where should all this configuration go - -All configuration must be stored in GitLab using the following "Change Workflow" unless it is a _secret_. - -## How do we test these changes - -If possible, changes should be tested locally first. If local testing is successful, upload the changes to -a development environment for manual or automated testing. - -Security tests need to be executed in the development environment where changes are applied. - -## Change workflow - -1. All configuration changes must flow through a Git repository, centrally managed through GitLab, unless - they contain sensitive information. -2. A change is initiated and discussed as a "Backlog" JIRA ticket in the - [JIRA ticket management system](https://project.atlassian.net/secure/) -3. During Sprint Planning, the ticket is prioritized and may get moved from "Backlog" to "ToDo". -4. The ticket moves from "ToDo" to "In Progress" when it is assigned to a developer. -5. 
During development, code commits are checked for style and security using `githooks`. -6. After development and local testing, the developer initiates a "Merge Request" (MR). -7. The MR is reviewed by someone other than the committer. Pairing via screen-sharing is encouraged and - qualifies as a review. Review should include assessment of architectural design, DRY principles, - security and code quality. -8. The reviewer merges the MR. -9. A continuous integration (CI) server handles automated tests and continuous deployment (CD) of the - merged changes. - - All changes are deployed to a newly created test environment. - - Any and all automated tests are run. - - If all tests pass, changes can be promoted for deployment to production in the pipeline. -10. The CI/CD tool uses GitLab repositories as the single source of truth for what the platform should - look like. If there are manual changes, the CI/CD tool resets the state of all systems to match. - -## What if a configuration is changed, and it is not in Configuration Management? - -If possible, Configuration Management tools should always roll back to a known state. Other than that, -these tools need to be able to "recreate" all settings from known configurations. - -## Server configuration - -Server configuration is handled via CloudFormation templates and Ansible playbooks and managed using Git. -Once a change has been committed and pushed to the Git repository, a merge request is created. Creating the -merge request triggers the CI/CD build pipeline which contains the following phases: - -- **Deploy infrastructure:** In this phase the containers are created using the CloudFormation templates and Ansible playbooks. -- **Deploy services:** Services defined in the CloudFormation template are deployed. The services include the bastion host, the Drupal application, the Ilias CMS, Solr searching, and the Amazon RDS databases. 
-- **Validate platform:** During the validation phase, the server configuation is tested for drift detection in order to catch configuation settings that have deviated from the baseline configuation, as well as checks to determine if the applications are up and running and accessible. Nmap, OpenSCAP and Zap scans are also performed during this phase. -- **Post validation:** During the post validation, the hardened Amazon Machine Image (AMI) is checked to see if there are any updates available and, if so, they are installed. - -## Application configuration - -Configuration management in Drupal is handled using Drupal's Configuration Management and hook_update_N modules to make the necessary changes to site configuration. - -Each site has its own site_deploy module that orchestrates deployments. - -When code is deployed to sandbox, development, staging or production environments, `drush config:import`, which imports changes to configuration, is run, and `drush updatedb` is run, which runs any new hook_update_N functions. - -For many of the common configuration tasks, Hook Update Deploy Tools methods make sure that all hook_update_N modules follow this model:: - -- make the change, -- verify it was made, and then -- report that it was made. - -Records of these events are output to the terminal of the engineer deploying the code, and to Drupal Watchdog. - - -## GitLab contribution guidelines - -Project is built and maintained by CivicActions, and the -CivicActions Team follows standard code development guidelines. - -## Forking - -Forking is a method that can be used to modify the code base. - -The CivicActions Team maintains the Project code base in a GitLab -repository. The _master_ is the most current version that has been deployed to production. When starting -a new project, the CivicActions Team makes a copy of the _master_ in GitLab; the copy, -called a _fork_, is where project-specific code changes shall be maintained going forward. 
- -Code changes are implemented using the following workflow: - -1. The CivicActions Team uses the _master_ to create a _fork_ for project-specific code changes. -2. During the project, individual team members create branches, and then work in those branches until the code - changes are ready to be committed to the fork. -3. When code changes are ready to be integrated from a team member branch into the fork, a team member creates - a merge request in GitLab. (All code changes are implemented using merge requests.) -4. Another team member reviews the merge request, performs a code review, and approves the merge request so - that the code changes can be integrated into the fork. - -### Branching - -Branching is another method that can be used to modify the code base. - -Each code repository has at least two branches: - -1. **Master branch.** The master is used for development. The CivicActions Team can rebase and create merge - requests in the master branch. -2. **Production branch.** The production branch is deployed to the production server. When deploying changes - to production, the release manager copies code from the master branch to the production branch. - -The CivicActions Team might create a branch from the upstream repository when multiple -developers need to collaborate on something that cannot be continuously merged into the master branch. The -rationale for branching within a team is that paired collaboration on a single branch avoids certain types of -friction: - -- Having to process merge requests from multiple forks in order to integrate changes to the upstream branch -- Having to add team members to forks as _collaborators_ so that they can contribute in short-lived forks - -When team members contribute directly in a branch, CivicActions can modify work-in-progress -(WIP) merge requests and encourage collaboration across the Cloud Operations team. 
- -### Squashing commits - -[Squashing commits](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History#Squashing-Commits) is allowed -and encouraged within an engineer's branch, but discouraged, except in rare instances in master and production -branches which are fast-forward only and block force pushes. - -### Rebase or merge - -The team prefers [rebasing over merging](https://www.atlassian.com/git/tutorials/merging-vs-rebasing/). Ongoing -work should always be rebased upon the master branch. - -### When should a Merge Request (MR) be created? - -Work-in-progress MRs are encouraged. If you create a work-in-progress MR, you might also make it plain in the -MR name with a `[WIP]` prefix. When an MR is ready for review, remove the `[WIP]` label. An MR with a WIP label -is blocked from merging by GitLab. - -Merge requests should be created whenever code is ready for review, prior to being merged into the master -branch. - -### Should MRs be assigned? - -MRs are typically not assigned in GitLab, unless someone specifically needs to sign off on the change. - -You can request a review using GitLab's built-in tools, mention someone in the MR with the `@` notation, or -contact them outside the GitLab context to request a review. - -### When reviewing an MR, should the change be tested locally? - -Whenever possible, the proposed changes should be tested locally. Because of the nature of many of the -Project repositories and deployment environments, local testing is not always possible or -practical. Visual code review, however, is always required. In the event that merged code breaks the dev -environment, the decision will be made at the time whether to revert the merge. diff --git a/appendices/contingency-plan.md b/results/appendices/contingency-plan.md similarity index 100% rename from appendices/contingency-plan.md rename to results/appendices/contingency-plan.md 
diff --git a/appendices/justifications.md b/results/appendices/justifications.md similarity index 100% rename from appendices/justifications.md rename to results/appendices/justifications.md diff --git a/appendices/laws-regulations.md b/results/appendices/laws-regulations.md similarity index 100% rename from appendices/laws-regulations.md rename to results/appendices/laws-regulations.md diff --git a/appendices/privacy-impact-assessment.md b/results/appendices/privacy-impact-assessment.md similarity index 100% rename from appendices/privacy-impact-assessment.md rename to results/appendices/privacy-impact-assessment.md diff --git a/appendices/risk-management.md b/results/appendices/risk-management.md similarity index 100% rename from appendices/risk-management.md rename to results/appendices/risk-management.md diff --git a/appendices/sdlc.md b/results/appendices/sdlc.md similarity index 100% rename from appendices/sdlc.md rename to results/appendices/sdlc.md diff --git a/appendices/security-irp-checklist.md b/results/appendices/security-irp-checklist.md similarity index 100% rename from appendices/security-irp-checklist.md rename to results/appendices/security-irp-checklist.md diff --git a/appendices/security-irp.md b/results/appendices/security-irp.md similarity index 100% rename from appendices/security-irp.md rename to results/appendices/security-irp.md diff --git a/appendices/system-continuity-plan.md b/results/appendices/system-continuity-plan.md similarity index 100% rename from appendices/system-continuity-plan.md rename to results/appendices/system-continuity-plan.md diff --git a/components/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/results/components/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml similarity index 100% rename from components/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml rename to results/components/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml 
diff --git a/components/AWS/CM-CONFIGURATION_MANAGEMENT.yaml b/results/components/AWS/CM-CONFIGURATION_MANAGEMENT.yaml similarity index 100% rename from components/AWS/CM-CONFIGURATION_MANAGEMENT.yaml rename to results/components/AWS/CM-CONFIGURATION_MANAGEMENT.yaml diff --git a/components/AWS/CP-CONTINGENCY_PLANNING.yaml b/results/components/AWS/CP-CONTINGENCY_PLANNING.yaml similarity index 100% rename from components/AWS/CP-CONTINGENCY_PLANNING.yaml rename to results/components/AWS/CP-CONTINGENCY_PLANNING.yaml diff --git a/components/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/results/components/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml similarity index 100% rename from components/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml rename to results/components/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml diff --git a/components/AWS/IR-INCIDENT_RESPONSE.yaml b/results/components/AWS/IR-INCIDENT_RESPONSE.yaml similarity index 100% rename from components/AWS/IR-INCIDENT_RESPONSE.yaml rename to results/components/AWS/IR-INCIDENT_RESPONSE.yaml diff --git a/components/AWS/MA-MAINTENANCE.yaml b/results/components/AWS/MA-MAINTENANCE.yaml similarity index 100% rename from components/AWS/MA-MAINTENANCE.yaml rename to results/components/AWS/MA-MAINTENANCE.yaml diff --git a/components/AWS/MP-MEDIA_PROTECTION.yaml b/results/components/AWS/MP-MEDIA_PROTECTION.yaml similarity index 100% rename from components/AWS/MP-MEDIA_PROTECTION.yaml rename to results/components/AWS/MP-MEDIA_PROTECTION.yaml diff --git a/components/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml b/results/components/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml similarity index 100% rename from components/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml rename to results/components/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml 
diff --git a/components/AWS/PL-PLANNING.yaml b/results/components/AWS/PL-PLANNING.yaml similarity index 100% rename from components/AWS/PL-PLANNING.yaml rename to results/components/AWS/PL-PLANNING.yaml diff --git a/components/AWS/PS-PERSONNEL_SECURITY.yaml b/results/components/AWS/PS-PERSONNEL_SECURITY.yaml similarity index 100% rename from components/AWS/PS-PERSONNEL_SECURITY.yaml rename to results/components/AWS/PS-PERSONNEL_SECURITY.yaml diff --git a/components/AWS/RA-RISK_ASSESSMENT.yaml b/results/components/AWS/RA-RISK_ASSESSMENT.yaml similarity index 100% rename from components/AWS/RA-RISK_ASSESSMENT.yaml rename to results/components/AWS/RA-RISK_ASSESSMENT.yaml diff --git a/components/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/results/components/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml similarity index 100% rename from components/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml rename to results/components/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml diff --git a/components/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/results/components/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml similarity index 100% rename from components/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml rename to results/components/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml diff --git a/components/AWS/component.yaml b/results/components/AWS/component.yaml similarity index 100% rename from components/AWS/component.yaml rename to results/components/AWS/component.yaml diff --git a/components/Contractor/AC-ACCESS_CONTROL.yaml b/results/components/Contractor/AC-ACCESS_CONTROL.yaml similarity index 100% rename from components/Contractor/AC-ACCESS_CONTROL.yaml rename to results/components/Contractor/AC-ACCESS_CONTROL.yaml 
diff --git a/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml b/results/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml similarity index 100% rename from components/Contractor/AT-AWARENESS_AND_TRAINING.yaml rename to results/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml diff --git a/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/results/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml similarity index 100% rename from components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml rename to results/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml diff --git a/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml b/results/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 100% rename from components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml rename to results/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml diff --git a/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml b/results/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml similarity index 100% rename from components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml rename to results/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml diff --git a/components/Contractor/CP-CONTINGENCY_PLANNING.yaml b/results/components/Contractor/CP-CONTINGENCY_PLANNING.yaml similarity index 100% rename from components/Contractor/CP-CONTINGENCY_PLANNING.yaml rename to results/components/Contractor/CP-CONTINGENCY_PLANNING.yaml diff --git a/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/results/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml similarity index 100% rename from components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml rename to results/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml 
diff --git a/components/Contractor/IR-INCIDENT_RESPONSE.yaml b/results/components/Contractor/IR-INCIDENT_RESPONSE.yaml similarity index 100% rename from components/Contractor/IR-INCIDENT_RESPONSE.yaml rename to results/components/Contractor/IR-INCIDENT_RESPONSE.yaml diff --git a/components/Contractor/MA-MAINTENANCE.yaml b/results/components/Contractor/MA-MAINTENANCE.yaml similarity index 100% rename from components/Contractor/MA-MAINTENANCE.yaml rename to results/components/Contractor/MA-MAINTENANCE.yaml diff --git a/components/Contractor/MP-MEDIA_PROTECTION.yaml b/results/components/Contractor/MP-MEDIA_PROTECTION.yaml similarity index 100% rename from components/Contractor/MP-MEDIA_PROTECTION.yaml rename to results/components/Contractor/MP-MEDIA_PROTECTION.yaml diff --git a/components/Contractor/PL-PLANNING.yaml b/results/components/Contractor/PL-PLANNING.yaml similarity index 100% rename from components/Contractor/PL-PLANNING.yaml rename to results/components/Contractor/PL-PLANNING.yaml diff --git a/components/Contractor/PS-PERSONNEL_SECURITY.yaml b/results/components/Contractor/PS-PERSONNEL_SECURITY.yaml similarity index 100% rename from components/Contractor/PS-PERSONNEL_SECURITY.yaml rename to results/components/Contractor/PS-PERSONNEL_SECURITY.yaml diff --git a/components/Contractor/RA-RISK_ASSESSMENT.yaml b/results/components/Contractor/RA-RISK_ASSESSMENT.yaml similarity index 100% rename from components/Contractor/RA-RISK_ASSESSMENT.yaml rename to results/components/Contractor/RA-RISK_ASSESSMENT.yaml diff --git a/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/results/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml similarity index 100% rename from components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml rename to results/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml 
diff --git a/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/results/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml similarity index 100% rename from components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml rename to results/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml diff --git a/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/results/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml similarity index 100% rename from components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml rename to results/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml diff --git a/components/Contractor/component.yaml b/results/components/Contractor/component.yaml similarity index 100% rename from components/Contractor/component.yaml rename to results/components/Contractor/component.yaml diff --git a/components/Drupal/AC-ACCESS_CONTROL.yaml b/results/components/Drupal/AC-ACCESS_CONTROL.yaml similarity index 100% rename from components/Drupal/AC-ACCESS_CONTROL.yaml rename to results/components/Drupal/AC-ACCESS_CONTROL.yaml diff --git a/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/results/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml similarity index 100% rename from components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml rename to results/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml diff --git a/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml b/results/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml similarity index 100% rename from components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml rename to results/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml 
diff --git a/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/results/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
similarity index 100%
rename from components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
rename to results/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
diff --git a/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/results/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
similarity index 100%
rename from components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
rename to results/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
diff --git a/components/Drupal/component.yaml b/results/components/Drupal/component.yaml
similarity index 100%
rename from components/Drupal/component.yaml
rename to results/components/Drupal/component.yaml
diff --git a/components/Ilias/AC-ACCESS_CONTROL.yaml b/results/components/Ilias/AC-ACCESS_CONTROL.yaml
similarity index 100%
rename from components/Ilias/AC-ACCESS_CONTROL.yaml
rename to results/components/Ilias/AC-ACCESS_CONTROL.yaml
diff --git a/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/results/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml
similarity index 100%
rename from components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml
rename to results/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml
diff --git a/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml b/results/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
rename to results/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml b/results/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml
similarity index 100%
rename from components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml
rename to results/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml
diff --git a/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/results/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
similarity index 100%
rename from components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
rename to results/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
diff --git a/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/results/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
similarity index 100%
rename from components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
rename to results/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
diff --git a/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/results/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
similarity index 100%
rename from components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
rename to results/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
diff --git a/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/results/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
similarity index 100%
rename from components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
rename to results/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
diff --git a/components/Ilias/component.yaml b/results/components/Ilias/component.yaml
similarity index 100%
rename from components/Ilias/component.yaml
rename to results/components/Ilias/component.yaml
diff --git a/components/Project/AC-ACCESS_CONTROL.yaml b/results/components/Project/AC-ACCESS_CONTROL.yaml
similarity index 100%
rename from components/Project/AC-ACCESS_CONTROL.yaml
rename to results/components/Project/AC-ACCESS_CONTROL.yaml
diff --git a/components/Project/AT-AWARENESS_AND_TRAINING.yaml b/results/components/Project/AT-AWARENESS_AND_TRAINING.yaml
similarity index 100%
rename from components/Project/AT-AWARENESS_AND_TRAINING.yaml
rename to results/components/Project/AT-AWARENESS_AND_TRAINING.yaml
diff --git a/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml b/results/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml
similarity index 100%
rename from components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml
rename to results/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml
diff --git a/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml b/results/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
similarity index 100%
rename from components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
rename to results/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml
diff --git a/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml b/results/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml
similarity index 100%
rename from components/Project/CM-CONFIGURATION_MANAGEMENT.yaml
rename to results/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml
diff --git a/components/Project/CP-CONTINGENCY_PLANNING.yaml b/results/components/Project/CP-CONTINGENCY_PLANNING.yaml
similarity index 100%
rename from components/Project/CP-CONTINGENCY_PLANNING.yaml
rename to results/components/Project/CP-CONTINGENCY_PLANNING.yaml
diff --git a/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml b/results/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
similarity index 100%
rename from components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
rename to results/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml
diff --git a/components/Project/IR-INCIDENT_RESPONSE.yaml b/results/components/Project/IR-INCIDENT_RESPONSE.yaml
similarity index 100%
rename from components/Project/IR-INCIDENT_RESPONSE.yaml
rename to results/components/Project/IR-INCIDENT_RESPONSE.yaml
diff --git a/components/Project/MA-MAINTENANCE.yaml b/results/components/Project/MA-MAINTENANCE.yaml
similarity index 100%
rename from components/Project/MA-MAINTENANCE.yaml
rename to results/components/Project/MA-MAINTENANCE.yaml
diff --git a/components/Project/MP-MEDIA_PROTECTION.yaml b/results/components/Project/MP-MEDIA_PROTECTION.yaml
similarity index 100%
rename from components/Project/MP-MEDIA_PROTECTION.yaml
rename to results/components/Project/MP-MEDIA_PROTECTION.yaml
diff --git a/components/Project/PL-PLANNING.yaml b/results/components/Project/PL-PLANNING.yaml
similarity index 100%
rename from components/Project/PL-PLANNING.yaml
rename to results/components/Project/PL-PLANNING.yaml
diff --git a/components/Project/PS-PERSONNEL_SECURITY.yaml b/results/components/Project/PS-PERSONNEL_SECURITY.yaml
similarity index 100%
rename from components/Project/PS-PERSONNEL_SECURITY.yaml
rename to results/components/Project/PS-PERSONNEL_SECURITY.yaml
diff --git a/components/Project/RA-RISK_ASSESSMENT.yaml b/results/components/Project/RA-RISK_ASSESSMENT.yaml
similarity index 100%
rename from components/Project/RA-RISK_ASSESSMENT.yaml
rename to results/components/Project/RA-RISK_ASSESSMENT.yaml
diff --git a/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml b/results/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
similarity index 100%
rename from components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
rename to results/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml
diff --git a/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml b/results/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
similarity index 100%
rename from components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
rename to results/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml
diff --git a/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml b/results/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
similarity index 100%
rename from components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
rename to results/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml
diff --git a/components/Project/component.yaml b/results/components/Project/component.yaml
similarity index 100%
rename from components/Project/component.yaml
rename to results/components/Project/component.yaml
diff --git a/components/SSH/AC-ACCESS_CONTROL.yaml b/results/components/SSH/AC-ACCESS_CONTROL.yaml
similarity index 100%
rename from components/SSH/AC-ACCESS_CONTROL.yaml
rename to results/components/SSH/AC-ACCESS_CONTROL.yaml
diff --git a/components/SSH/component.yaml b/results/components/SSH/component.yaml
similarity index 100%
rename from components/SSH/component.yaml
rename to results/components/SSH/component.yaml
diff --git a/components/file_hashes.json b/results/components/file_hashes.json
similarity index 100%
rename from components/file_hashes.json
rename to results/components/file_hashes.json
diff --git a/results/docs/controls.md b/results/docs/controls.md
new file mode 100644
index 0000000..9aa485f
--- /dev/null
+++ b/results/docs/controls.md
@@ -0,0 +1,162 @@
+* [AC: Access Control](controls/AC.md#ac-access-control)
+ * [AC-1: Policy and Procedures](controls/AC.md#ac-1-policy-and-procedures)
+ * [AC-2: Account Management](controls/AC.md#ac-2-account-management)
+ * [AC-3: Access Enforcement](controls/AC.md#ac-3-access-enforcement)
+ * [AC-3 (14): Individual Access](controls/AC.md#ac-3-14-individual-access)
+ * [AC-7: Unsuccessful Logon Attempts](controls/AC.md#ac-7-unsuccessful-logon-attempts)
+ * [AC-8: System Use Notification](controls/AC.md#ac-8-system-use-notification)
+ * [AC-14: Permitted Actions Without Identification or Authentication](controls/AC.md#ac-14-permitted-actions-without-identification-or-authentication)
+ * [AC-17: Remote Access](controls/AC.md#ac-17-remote-access)
+ * [AC-18: Wireless Access](controls/AC.md#ac-18-wireless-access)
+ * [AC-19: Access Control for Mobile Devices](controls/AC.md#ac-19-access-control-for-mobile-devices)
+ * [AC-20: Use of External Systems](controls/AC.md#ac-20-use-of-external-systems)
+ * [AC-21: Information Sharing](controls/AC.md#ac-21-information-sharing)
+ * [AC-22: Publicly Accessible Content](controls/AC.md#ac-22-publicly-accessible-content)
+* [AT: Awareness And Training](controls/AT.md#at-awareness-and-training)
+ * [AT-1: Policy and Procedures](controls/AT.md#at-1-policy-and-procedures)
+ * [AT-2: Literacy Training and Awareness](controls/AT.md#at-2-literacy-training-and-awareness)
+ * [AT-2 (2): Insider Threat](controls/AT.md#at-2-2-insider-threat)
+ * [AT-3: Role-based Training](controls/AT.md#at-3-role-based-training)
+ * [AT-3 (5): Processing Personally Identifiable Information](controls/AT.md#at-3-5-processing-personally-identifiable-information)
+ * [AT-4: Training Records](controls/AT.md#at-4-training-records)
+* [AU: Audit And Accountability](controls/AU.md#au-audit-and-accountability)
+ * [AU-1: Policy and Procedures](controls/AU.md#au-1-policy-and-procedures)
+ * [AU-2: Event Logging](controls/AU.md#au-2-event-logging)
+ * [AU-3: Content of Audit Records](controls/AU.md#au-3-content-of-audit-records)
+ * [AU-4: Audit Log Storage Capacity](controls/AU.md#au-4-audit-log-storage-capacity)
+ * [AU-5: Response to Audit Logging Process Failures](controls/AU.md#au-5-response-to-audit-logging-process-failures)
+ * [AU-6: Audit Record Review, Analysis, and Reporting](controls/AU.md#au-6-audit-record-review,-analysis,-and-reporting)
+ * [AU-8: Time Stamps](controls/AU.md#au-8-time-stamps)
+ * [AU-9: Protection of Audit Information](controls/AU.md#au-9-protection-of-audit-information)
+ * [AU-11: Audit Record Retention](controls/AU.md#au-11-audit-record-retention)
+ * [AU-12: Audit Record Generation](controls/AU.md#au-12-audit-record-generation)
+* [CA: Assessment Authorization And Monitoring](controls/CA.md#ca-assessment-authorization-and-monitoring)
+ * [CA-1: Policy and Procedures](controls/CA.md#ca-1-policy-and-procedures)
+ * [CA-2: Control Assessments](controls/CA.md#ca-2-control-assessments)
+ * [CA-3: Information Exchange](controls/CA.md#ca-3-information-exchange)
+ * [CA-5: Plan of Action and Milestones](controls/CA.md#ca-5-plan-of-action-and-milestones)
+ * [CA-6: Authorization](controls/CA.md#ca-6-authorization)
+ * [CA-7: Continuous Monitoring](controls/CA.md#ca-7-continuous-monitoring)
+ * [CA-7 (4): Risk Monitoring](controls/CA.md#ca-7-4-risk-monitoring)
+ * [CA-9: Internal System Connections](controls/CA.md#ca-9-internal-system-connections)
+* [CM: Configuration Management](controls/CM.md#cm-configuration-management)
+ * [CM-1: Policy and Procedures](controls/CM.md#cm-1-policy-and-procedures)
+ * [CM-2: Baseline Configuration](controls/CM.md#cm-2-baseline-configuration)
+ * [CM-4: Impact Analyses](controls/CM.md#cm-4-impact-analyses)
+ * [CM-5: Access Restrictions for Change](controls/CM.md#cm-5-access-restrictions-for-change)
+ * [CM-6: Configuration Settings](controls/CM.md#cm-6-configuration-settings)
+ * [CM-7: Least Functionality](controls/CM.md#cm-7-least-functionality)
+ * [CM-8: System Component Inventory](controls/CM.md#cm-8-system-component-inventory)
+ * [CM-10: Software Usage Restrictions](controls/CM.md#cm-10-software-usage-restrictions)
+ * [CM-11: User-installed Software](controls/CM.md#cm-11-user-installed-software)
+* [CP: Contingency Planning](controls/CP.md#cp-contingency-planning)
+ * [CP-1: Policy and Procedures](controls/CP.md#cp-1-policy-and-procedures)
+ * [CP-2: Contingency Plan](controls/CP.md#cp-2-contingency-plan)
+ * [CP-3: Contingency Training](controls/CP.md#cp-3-contingency-training)
+ * [CP-4: Contingency Plan Testing](controls/CP.md#cp-4-contingency-plan-testing)
+ * [CP-9: System Backup](controls/CP.md#cp-9-system-backup)
+ * [CP-10: System Recovery and Reconstitution](controls/CP.md#cp-10-system-recovery-and-reconstitution)
+* [IA: Identification And Authentication](controls/IA.md#ia-identification-and-authentication)
+ * [IA-1: Policy and Procedures](controls/IA.md#ia-1-policy-and-procedures)
+ * [IA-2: Identification and Authentication (organizational Users)](controls/IA.md#ia-2-identification-and-authentication-organizational-users)
+ * [IA-2 (1): Multi-factor Authentication to Privileged Accounts](controls/IA.md#ia-2-1-multi-factor-authentication-to-privileged-accounts)
+ * [IA-2 (2): Multi-factor Authentication to Non-privileged Accounts](controls/IA.md#ia-2-2-multi-factor-authentication-to-non-privileged-accounts)
+ * [IA-2 (8): Access to Accounts — Replay Resistant](controls/IA.md#ia-2-8-access-to-accounts-—-replay-resistant)
+ * [IA-2 (12): Acceptance of PIV Credentials](controls/IA.md#ia-2-12-acceptance-of-piv-credentials)
+ * [IA-4: Identifier Management](controls/IA.md#ia-4-identifier-management)
+ * [IA-5: Authenticator Management](controls/IA.md#ia-5-authenticator-management)
+ * [IA-5 (1): Password-based Authentication](controls/IA.md#ia-5-1-password-based-authentication)
+ * [IA-6: Authentication Feedback](controls/IA.md#ia-6-authentication-feedback)
+ * [IA-7: Cryptographic Module Authentication](controls/IA.md#ia-7-cryptographic-module-authentication)
+ * [IA-8: Identification and Authentication (non-organizational Users)](controls/IA.md#ia-8-identification-and-authentication-non-organizational-users)
+ * [IA-8 (1): Acceptance of PIV Credentials from Other Agencies](controls/IA.md#ia-8-1-acceptance-of-piv-credentials-from-other-agencies)
+ * [IA-8 (2): Acceptance of External Authenticators](controls/IA.md#ia-8-2-acceptance-of-external-authenticators)
+ * [IA-8 (4): Use of Defined Profiles](controls/IA.md#ia-8-4-use-of-defined-profiles)
+ * [IA-11: Re-authentication](controls/IA.md#ia-11-re-authentication)
+* [IR: Incident Response](controls/IR.md#ir-incident-response)
+ * [IR-1: Policy and Procedures](controls/IR.md#ir-1-policy-and-procedures)
+ * [IR-2: Incident Response Training](controls/IR.md#ir-2-incident-response-training)
+ * [IR-4: Incident Handling](controls/IR.md#ir-4-incident-handling)
+ * [IR-5: Incident Monitoring](controls/IR.md#ir-5-incident-monitoring)
+ * [IR-6: Incident Reporting](controls/IR.md#ir-6-incident-reporting)
+ * [IR-7: Incident Response Assistance](controls/IR.md#ir-7-incident-response-assistance)
+ * [IR-8: Incident Response Plan](controls/IR.md#ir-8-incident-response-plan)
+* [MA: Maintenance](controls/MA.md#ma-maintenance)
+ * [MA-1: Policy and Procedures](controls/MA.md#ma-1-policy-and-procedures)
+ * [MA-2: Controlled Maintenance](controls/MA.md#ma-2-controlled-maintenance)
+ * [MA-4: Nonlocal Maintenance](controls/MA.md#ma-4-nonlocal-maintenance)
+ * [MA-5: Maintenance Personnel](controls/MA.md#ma-5-maintenance-personnel)
+* [MP: Media Protection](controls/MP.md#mp-media-protection)
+ * [MP-1: Policy and Procedures](controls/MP.md#mp-1-policy-and-procedures)
+ * [MP-2: Media Access](controls/MP.md#mp-2-media-access)
+ * [MP-6: Media Sanitization](controls/MP.md#mp-6-media-sanitization)
+ * [MP-7: Media Use](controls/MP.md#mp-7-media-use)
+* [PE: Physical And Environmental Protection](controls/PE.md#pe-physical-and-environmental-protection)
+ * [PE-1: Policy and Procedures](controls/PE.md#pe-1-policy-and-procedures)
+ * [PE-2: Physical Access Authorizations](controls/PE.md#pe-2-physical-access-authorizations)
+ * [PE-3: Physical Access Control](controls/PE.md#pe-3-physical-access-control)
+ * [PE-6: Monitoring Physical Access](controls/PE.md#pe-6-monitoring-physical-access)
+ * [PE-8: Visitor Access Records](controls/PE.md#pe-8-visitor-access-records)
+ * [PE-12: Emergency Lighting](controls/PE.md#pe-12-emergency-lighting)
+ * [PE-13: Fire Protection](controls/PE.md#pe-13-fire-protection)
+ * [PE-14: Environmental Controls](controls/PE.md#pe-14-environmental-controls)
+ * [PE-15: Water Damage Protection](controls/PE.md#pe-15-water-damage-protection)
+ * [PE-16: Delivery and Removal](controls/PE.md#pe-16-delivery-and-removal)
+* [PL: Planning](controls/PL.md#pl-planning)
+ * [PL-1: Policy and Procedures](controls/PL.md#pl-1-policy-and-procedures)
+ * [PL-2: System Security and Privacy Plans](controls/PL.md#pl-2-system-security-and-privacy-plans)
+ * [PL-4: Rules of Behavior](controls/PL.md#pl-4-rules-of-behavior)
+ * [PL-4 (1): Social Media and External Site/application Usage Restrictions](controls/PL.md#pl-4-1-social-media-and-external-site/application-usage-restrictions)
+ * [PL-10: Baseline Selection](controls/PL.md#pl-10-baseline-selection)
+ * [PL-11: Baseline Tailoring](controls/PL.md#pl-11-baseline-tailoring)
+* [PS: Personnel Security](controls/PS.md#ps-personnel-security)
+ * [PS-1: Policy and Procedures](controls/PS.md#ps-1-policy-and-procedures)
+ * [PS-2: Position Risk Designation](controls/PS.md#ps-2-position-risk-designation)
+ * [PS-3: Personnel Screening](controls/PS.md#ps-3-personnel-screening)
+ * [PS-4: Personnel Termination](controls/PS.md#ps-4-personnel-termination)
+ * [PS-5: Personnel Transfer](controls/PS.md#ps-5-personnel-transfer)
+ * [PS-6: Access Agreements](controls/PS.md#ps-6-access-agreements)
+ * [PS-7: External Personnel Security](controls/PS.md#ps-7-external-personnel-security)
+ * [PS-8: Personnel Sanctions](controls/PS.md#ps-8-personnel-sanctions)
+ * [PS-9: Position Descriptions](controls/PS.md#ps-9-position-descriptions)
+* [RA: Risk Assessment](controls/RA.md#ra-risk-assessment)
+ * [RA-1: Policy and Procedures](controls/RA.md#ra-1-policy-and-procedures)
+ * [RA-2: Security Categorization](controls/RA.md#ra-2-security-categorization)
+ * [RA-3: Risk Assessment](controls/RA.md#ra-3-risk-assessment)
+ * [RA-3 (1): Supply Chain Risk Assessment](controls/RA.md#ra-3-1-supply-chain-risk-assessment)
+ * [RA-5: Vulnerability Monitoring and Scanning](controls/RA.md#ra-5-vulnerability-monitoring-and-scanning)
+ * [RA-5 (2): Update Vulnerabilities to Be Scanned](controls/RA.md#ra-5-2-update-vulnerabilities-to-be-scanned)
+ * [RA-5 (11): Public Disclosure Program](controls/RA.md#ra-5-11-public-disclosure-program)
+ * [RA-7: Risk Response](controls/RA.md#ra-7-risk-response)
+* [SA: System And Services Acquisition](controls/SA.md#sa-system-and-services-acquisition)
+ * [SA-1: Policy and Procedures](controls/SA.md#sa-1-policy-and-procedures)
+ * [SA-2: Allocation of Resources](controls/SA.md#sa-2-allocation-of-resources)
+ * [SA-3: System Development Life Cycle](controls/SA.md#sa-3-system-development-life-cycle)
+ * [SA-4: Acquisition Process](controls/SA.md#sa-4-acquisition-process)
+ * [SA-4 (10): Use of Approved PIV Products](controls/SA.md#sa-4-10-use-of-approved-piv-products)
+ * [SA-5: System Documentation](controls/SA.md#sa-5-system-documentation)
+ * [SA-8: Security and Privacy Engineering Principles](controls/SA.md#sa-8-security-and-privacy-engineering-principles)
+ * [SA-8 (33): Minimization](controls/SA.md#sa-8-33-minimization)
+ * [SA-9: External System Services](controls/SA.md#sa-9-external-system-services)
+* [SC: System And Communications Protection](controls/SC.md#sc-system-and-communications-protection)
+ * [SC-1: Policy and Procedures](controls/SC.md#sc-1-policy-and-procedures)
+ * [SC-5: Denial-of-service Protection](controls/SC.md#sc-5-denial-of-service-protection)
+ * [SC-7: Boundary Protection](controls/SC.md#sc-7-boundary-protection)
+ * [SC-12: Cryptographic Key Establishment and Management](controls/SC.md#sc-12-cryptographic-key-establishment-and-management)
+ * [SC-13: Cryptographic Protection](controls/SC.md#sc-13-cryptographic-protection)
+ * [SC-15: Collaborative Computing Devices and Applications](controls/SC.md#sc-15-collaborative-computing-devices-and-applications)
+ * [SC-20: Secure Name/address Resolution Service (authoritative Source)](controls/SC.md#sc-20-secure-name/address-resolution-service-authoritative-source)
+ * [SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver)](controls/SC.md#sc-21-secure-name/address-resolution-service-recursive-or-caching-resolver)
+ * [SC-22: Architecture and Provisioning for Name/address Resolution Service](controls/SC.md#sc-22-architecture-and-provisioning-for-name/address-resolution-service)
+ * [SC-39: Process Isolation](controls/SC.md#sc-39-process-isolation)
+* [SI: System And Information Integrity](controls/SI.md#si-system-and-information-integrity)
+ * [SI-1: Policy and Procedures](controls/SI.md#si-1-policy-and-procedures)
+ * [SI-2: Flaw Remediation](controls/SI.md#si-2-flaw-remediation)
+ * [SI-3: Malicious Code Protection](controls/SI.md#si-3-malicious-code-protection)
+ * [SI-4: System Monitoring](controls/SI.md#si-4-system-monitoring)
+ * [SI-5: Security Alerts, Advisories, and Directives](controls/SI.md#si-5-security-alerts,-advisories,-and-directives)
+ * [SI-12: Information Management and Retention](controls/SI.md#si-12-information-management-and-retention)
+ * [SI-12 (1): Limit Personally Identifiable Information Elements](controls/SI.md#si-12-1-limit-personally-identifiable-information-elements)
+ * [SI-12 (2): Minimize Personally Identifiable Information in Testing, Training, and Research](controls/SI.md#si-12-2-minimize-personally-identifiable-information-in-testing,-training,-and-research)
+ * [SI-12 (3): Information Disposal](controls/SI.md#si-12-3-information-disposal)
+ * [SI-18: Personally Identifiable Information Quality Operations](controls/SI.md#si-18-personally-identifiable-information-quality-operations)
diff --git a/results/docs/controls/AC.md b/results/docs/controls/AC.md
new file mode 100644
index 0000000..7fb0f87
--- /dev/null
+++ b/results/docs/controls/AC.md
@@ -0,0 +1,539 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## AC: Access Control + +### AC-1: Policy and Procedures + +```text +- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] access control policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; +- b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and - c. Review and update the current access control: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Access Control (AC) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at . + + + + + +##### Project + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + +Access control policy and procedures are documented in the Project Full Name SSP. 
Access to Project operational information or system resources is limited to only authorized users, programs or processes. The Department enforces access control policies to protect the integrity of the Project Full Name. This Department reviews and updates this policy as necessary and it has been being updated, as necessary, since April 2008. + + + +### AC-2: Account Management + +```text + - a. Define and document the types of accounts allowed and specifically prohibited for use within the system; + - b. Assign account managers; + - c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; + - d. Specify: + - 1. Authorized users of the system; + - 2. Group and role membership; and + - 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; + - e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; + - f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; + - g. Monitor the use of accounts; + - h. Notify account managers and [Assignment: organization-defined personnel or roles] within: + - 1. [Assignment: organization-defined time period] when accounts are no longer required; + - 2. [Assignment: organization-defined time period] when users are terminated or transferred; and + - 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; + - i. Authorize access to the system based on: + - 1. A valid access authorization; + - 2. Intended system usage; and + - 3. [Assignment: organization-defined attributes (as required)]; + - j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; + - k. 
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and + - l. Align account management processes with personnel termination and transfer processes. + +``` +**Status:** None +#### a + +##### Drupal + +Drupal provides the following information system account types to support organizational mission/business functions: + +- Anonymous user - readers of the site who either do not have an account or are not + logged in. + +- Authenticated user - All non-anonymous users inherit the "authenticated user role" + that supports personal account management capabilities. + +- Administrator - This role has all permissions enabled by default. + + + + + +##### Ilias + +Ilias provides user accounts for individuals who participate in visiting, contributing to and administering the site with the following roles: +- Anonymous user – Readers of the site who either do not have an account or are not logged in. +- Guest – This role has limited visibility and read permissions +- User - Standard role for registered users. This role grants read access to most objects. +- Administrator - This role has all permissions enabled by default. + + + + + +##### Project + +SSH system accounts are provided to contractors on an as-needed basis. + +Access privileges are used to ensure that only authorized personnel access certain areas of the Project system. User access is controlled by the completion and submission of Project system Rules of Behavior and New User Account Request forms by the user and management. These items are completed and submitted whenever a new user requires access or an existing user requires access changes. The system administrator, based on need-to-know, assigns the proper permissions. The employee’s manager approves the access rights before the initial account is created. Finally, the system administrator implements the access rights according to the New User Account Request form. 
The security staff and the support contractor review accounts periodically. Accounts no longer in use are removed from the system by the system administrator. + +The Project has implemented user account procedures to disable inactive user accounts after 90-days of inactivity. The Project support staff monitors all user accounts to ensure this procedure is enforced. Section 6.3, Authentication Management, of the Project SSP illustrates the exact procedures the contractor support staff follows to ensure accounts are properly managed. +The Project system does not have guest or anonymous accounts. + + + + + +##### SSH + +Operations, in collaboration with the Security Office, will set up privileged accounts accounts for the following roles: +- Developer - user level account that has access to application features and sanitized databases +- System Administrator - user accounts that enjoy full system administrator (`sudo`) access + + + +#### b + +##### Contractor + +The CivicActions Project Manager assigns the "administrator" role for the management of all accounts issued to internal admin roles supporting the information system. Account requests are initiated by the Project Manager by completing a ticket request and the CivicActions Operation staff manages the account creation process. + + + + + +##### Drupal + +Drupal defines a default set of roles; Anonymous, Authenticated, and Administrator, as well as providing for the creation of additional organizational-defined roles identified by Project Full Name + + + + + +##### Project + +The system Owner has oversight over all permissions that the Project Manager and Operations Staff manages. + + + +#### c + +##### Project + +In accordance with Project Access Control Policy, Project group membership is determined according to the individual's position and role within the organization. A ticket request is used to request accounts and group membership. The request is authorized by the appropriate manager. 
+ + + +#### d + +##### Contractor + +All accounts issued for application administrators and SSH are documented in CivicActions' ticketing system. Account request tickets contain details that explain the attributes for the account including authorized users of Drupal, system infrastructure, group and role membership, and access authorizations. + + + + + +##### Drupal + +Drupal has a sophisticated permissions and role-based access control built-in. Each role within Drupal can only access the documents and controls for which their privilege allows. + + + + +##### Ilias + +Ilias' permissions and role-based access controls are built-in. Each role within Ilias can only access the pages and controls for which their privilege allows. + + + + +##### Project + +Project user privileges vary depending on the type of user role assigned. Only users with the role of Administrator have the ability to create and modify user roles for other users. + + + +#### e + +##### Contractor + +All accounts issued for the admin management of Application or SSH access must be approved by the System Owner or Project Manager who must create an account request. The CivicActions Operations staff applies appropriate account permissions and settings based on the job role and function documented within the request ticket using processes defined by the CivicActions' Security Office. + + + + +##### Project + +The System Owner approves, and CivicActions Operations set up the initial Administrator account for Project. Subsequent client access and related approvals are managed by CivicActions Operations in collaboration with the System Owner. 
+
+
+
+#### f
+
+##### Contractor
+
+CivicActions Operations staff is responsible for the following account management activities for both internal administrative users and customer accounts:
+
+- Establishing account justification
+- Activating accounts
+- Modifying accounts
+- Expiring accounts
+- Disabling accounts
+- Removing accounts
+
+
+
+#### g
+
+##### Contractor
+
+All CivicActions systems log the usage of information accounts.
+
+
+
+
+##### Drupal
+
+Drupal monitors the usage of information accounts in the Watchdog log.
+
+
+
+
+##### Ilias
+
+Ilias monitors the usage of information accounts in a log on the server.
+
+
+#### h
+
+##### Contractor
+
+In accordance with the CivicActions Access Control (AC-01) Policy when an account is no longer required, the Project Manager notifies the Operations Team to immediately disable all access. Users upon reassignment, change in roles, termination, or leaving employment are initially removed from all roles and groups, effectively denying them all access to privileged accounts.
+
+
+
+#### i
+
+##### Contractor
+
+System accounts require access authorizations prior to accounts being created. The Project Manager must initiate an access request for an account to be created. CivicActions Operations staff reviews the request to ensure accuracy, including intended system usage and other attributes of the user access being requested.
+
+
+
+
+
+##### Project
+
+Project governs their own administrative access. Users with
+the Administrator roles are empowered to designate and approve
+Administrators.
+
+
+
+#### j
+
+##### Contractor
+
+All privileged accounts are reviewed by CivicActions Operations staff every 180 days.
+
+
+
+
+
+##### Project
+
+Administrators are empowered to and responsible for reviewing their own accounts and determining whether the accounts should still be authorized.
+
+
+
+#### k
+
+##### Contractor
+
+In accordance with standard security best practices and CivicActions policy, shared and reissued accounts for internal accounts of any kind are not created nor used for any purpose in any system.
+
+
+
+### AC-3: Access Enforcement
+
+```text
+Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+
+```
+**Status:** complete
+
+
+##### Drupal
+
+Access control in Drupal is enforced by authentication via a unique username/password for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege.
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Drupal Administrators are the only user roles that can create new user accounts.
+
+
+
+
+
+##### Ilias
+
+Access control in Ilias is enforced by authentication via Shibboleth single sing on (SSO) for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege.
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Project Administrators, HR Managers, and Org Managers are the only roles that can create new user accounts.
+
+
+
+
+
+##### Project
+
+The Project Full Name ensures that assigned authorizations for controlling access to the system is enforced in accordance with the user definitions noted in Section 1.1.1 of the Project SSP. The technical support staff ensures that access to security functions and protected information is restricted to authorized personnel. Access will be controlled with access control list used on each instance. Members of one group cannot access resources defined for other groups unless explicitly permitted.
+
+
+
+### AC-3 (14): Individual Access
+
+```text
+Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].
+
+```
+**Status:** incomplete
+### AC-7: Unsuccessful Logon Attempts
+
+```text
+ - a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
+ - b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period], lock the account or node until released by an administrator, delay next logon prompt per [Assignment: organization-defined delay algorithm], notify system administrator, take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
+
+```
+**Status:** complete
+
+
+##### Project
+
+The Project system locks out users after three unsuccessful login attempts. The information system automatically locks the account permanently, unless an administrator unlocks the account before then, when the maximum number of unsuccessful attempts (3) is exceeded.
+
+
+
+#### a
+
+##### Drupal
+
+Drupal can be configured to lock an account after a specified number of invalid login attempts within a specified time period. The default for Drupal is 5 failed login attempts within six hours.
+
+
+#### b
+
+##### Drupal
+
+Lockdown following unsuccessful attempts is configurable by Drupal administrators to conform to defined requirements. When a user exceeds the limit of invalid login attempts, their account is automatically locked for a specified time and requires administrator action to unlock the account before the lockout period expires.
+
+
+### AC-8: System Use Notification
+
+```text
+ - a. 
Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
+ - 1. Users are accessing a U.S. Government system;
+ - 2. System usage may be monitored, recorded, and subject to audit;
+ - 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
+ - 4. Use of the system indicates consent to monitoring and recording;
+ - b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
+ - c. For publicly accessible systems:
+ - 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
+ - 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
+ - 3. Include a description of the authorized uses of the system.
+
+```
+**Status:** partial
+
+
+##### Ilias
+
+System Use Notification is inherited from the Project.
+
+
+
+
+##### Project
+
+A warning banner ensures that all persons attempting to gain access to the system know that the system and its information are “Authorized User Only” and that attempts to illegally log on to the system could lead to criminal prosecution. The warning message displayed notifies unauthorized users that they have accessed a U.S. Government computer system and continued, unauthorized use can be punishable by fines or imprisonment. Each device logged into will display a system use notification message before the log in window is displayed. 
The system use notification banner will remain on the screen until the user takes an explicit action to log on to the device. The following is the notification banner displayed on all system instances:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+- At any time, the USG may inspect and seize data stored on this IS.
+- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+
+### AC-14: Permitted Actions Without Identification or Authentication
+
+```text
+ - a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
+ - b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. 
+
+```
+**Status:** complete
+
+
+##### Ilias
+
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves.
+
+
+
+
+##### Project
+
+The Project Full Name allows the general public user to read the web pages, do searches on the resource database and to review online forum information without identification and authentication for the public web site. Program and Privilege users cannot access the Project system without identification or authentication.
+
+
+
+#### a
+
+##### Drupal
+
+The anonymous user role has the least access to the site of all roles. Drupal sites can be configured to allow actions identified by Project Full Name
+
+
+
+### AC-17: Remote Access
+
+```text
+ - a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
+ - b. Authorize each type of remote access to the system prior to allowing such connections.
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+The CivicActions Access Control (AC) policy defines policy for remote usage restrictions. The Project Manager or System Owner may additionally provision users according to their Access Control policies.
+
+
+
+
+
+##### Project
+
+The Project Full Name permits remote access for privileged functions to support operational needs. The technical staff documents, monitors, and controls all methods of remote access to the information system including remote access for privileged functions. Privileged user access is only permitted through the use of Secure Shell (SSH) where the user will authenticate to the device through this secure channel. Virtual Private Networking (VPN) is not enabled in any form within the Project accreditation boundary.
+
+
+
+### AC-18: Wireless Access
+
+```text
+ - a. 
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
+ - b. Authorize each type of wireless access to the system prior to allowing such connections.
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+This control is not applicable. The system does not provide wireless access points.
+
+
+
+### AC-19: Access Control for Mobile Devices
+
+```text
+ - a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
+ - b. Authorize the connection of mobile devices to organizational systems.
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+This control is not applicable. The system does not maintain a facility in which mobile device access limitations are required.
+
+
+
+### AC-20: Use of External Systems
+
+```text
+ - a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions], Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
+ - 1. Access the system from external systems; and
+ - 2. Process, store, or transmit organization-controlled information using external systems; or
+ - b. Prohibit the use of [Assignment: organizationally-defined types of external systems].
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+This control is not applicable. The system does not connect with external information systems.
+
+
+
+### AC-21: Information Sharing
+
+```text
+ - a. 
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
+ - b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.
+
+```
+**Status:** incomplete
+### AC-22: Publicly Accessible Content
+
+```text
+ - a. Designate individuals authorized to make information publicly accessible;
+ - b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
+ - c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
+ - d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
+
+```
+**Status:** complete
+#### a
+
+##### Project
+
+The Client Full Name grants certain Project support staff members the authority to post publicly accessible content. These individuals must complete Project system security training before being granted access to the Project and before they can post publicly accessible content within the Project Full Name. Furthermore, each authorized individual must follow the procedures delineated within the “Using Drupal” Instruction to ensure they are following a verifiable procedure throughout the entire process. This covers the Project Discussion Lists administration areas, Project Quarterly Reporting and training tools, and Drupal Content Management systems. Public content is only edited via the Drupal Content Management System. All other content is only viewable by Project system users and protected by hardened access controls. 
+
+
+
+#### b
+
+##### Project
+
+It is the Project responsibility to train authorized Project individuals ensuring publicly accessible information does not contain nonpublic information.
+
+
+
+#### c
+
+##### Project
+
+Authorized Project individuals review the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.
+
+Project Users have been authorized for creation of publicly accessible content with publishing authority from an Administrator role. The publishing authority ensures the information being published does not contain nonpublic information.
+
+
+
+#### d
+
+##### Project
+
+Authorized Project individuals review the content on the publicly accessible information system for nonpublic information at least every 365 days and removes such information.
diff --git a/results/docs/controls/AT.md b/results/docs/controls/AT.md
new file mode 100644
index 0000000..5ac8ef6
--- /dev/null
+++ b/results/docs/controls/AT.md
@@ -0,0 +1,185 @@
+# Reusable OpenControl Components (SSP-Toolkit).
+
+## AT: Awareness and Training
+
+### AT-1: Policy and Procedures
+
+```text
+ - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
+ - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] awareness and training policy that:
+ - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+ - 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
+ - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
+ - c. Review and update the current awareness and training:
+ - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+CivicActions has developed, documented and disseminated to personnel awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Awareness and Training (AT) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at . 
+
+
+
+
+
+##### Project
+
+Security awareness and training policy and procedures are formally documented in None, which provides the roles and responsibilities as it pertains to security awareness and training. The Department will ensure all users, including managers and senior executives, are exposed to basic information system security awareness materials before authorizing access to the system and at least annually thereafter. Client documents and monitors all individual information system security training activities including basic security awareness training. OMB reviews and updates the policy as necessary.
+
+
+
+### AT-2: Literacy Training and Awareness
+
+```text
+ - a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
+ - 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and
+ - 2. When required by system changes or following [Assignment: organization-defined events];
+ - b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
+ - c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+ - d. Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques.
+
+```
+**Status:** complete
+
+
+##### Project
+
+Client personnel and contractor employees involved with the management, operation, programming, maintenance, or use of Project system receive training in acceptable computer security practices prior to system access. All Client employees and contractors are required to complete annual IT security awareness training. 
This security awareness training covers issues and policies associated with information security, including end user security roles and responsibilities and rules of behavior. Some topics addressed in the training are:
+
+- Password protection
+- System rules of behavior
+- Protection of hardware, software, and data
+- Proper handling of copyrighted materials
+- Reporting of security breaches and violations
+- Proper procedures for software installation, uploading, and use on
+ workstations.
+
+
+
+#### a
+
+##### Contractor
+
+Both regular and ad hoc training to all CivicActions personnel, including those who support the system infrastructure and applications, is provided. All employees and contractors must complete Security Awareness training upon being hired and at least annually thereafter. CivicActions Operations staff will not create accounts for individuals until they have successfully completed the trainings. Additional training will be provided as required by system changes. Training takes the following forms:
+
+Annual Knowledge Survey (i.e., Security Awareness Training): All employees are required to review trainings covering Security Awareness. After the training, a survey-style security awareness test is taken by employees. All CivicActions personnel are required to complete and pass the survey, and new employees are required to pass before being granted access to the Information System. In order to successfully pass the test, a score of 80% is required. This survey tests CivicActions personnel’s knowledge of critical security subjects, policies and procedures. Results from this survey are compiled by the Office of Human Resources and used to refine future training efforts.
+
+Ad Hoc Security Awareness: The CivicActions' Security Office oversees the approximately bi-monthly distribution of security awareness tips and articles to all CivicActions employees. 
This can include general tips as well as articles tailored to the specific requirements of CivicActions users.
+
+
+
+#### b
+
+##### Contractor
+
+In the event of a major system change, the Project Manager is responsible for delivering additional training to impacted personnel. Specific training types, mediums, and delivery methods are dependent upon the nature of the system change.
+
+
+
+#### c
+
+##### Contractor
+
+CivicActions provides annual security awareness training to its personnel.
+
+
+
+### AT-2 (2): Insider Threat
+
+```text
+Provide literacy training on recognizing and reporting potential indicators of insider threat.
+
+```
+**Status:** incomplete
+### AT-3: Role-based Training
+
+```text
+ - a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:
+ - 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and
+ - 2. When required by system changes;
+ - b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+ - c. Incorporate lessons learned from internal or external security or privacy incidents into role-based training.
+
+```
+**Status:** complete
+
+
+##### Project
+
+Completion of role-based training is an annual requirement for personnel in roles with significant information security responsibilities that require specialized role-based training. Role-based cybersecurity training is developed and implemented to meet identified training needs and competencies associated with the various target audiences/functional roles (federal and contractor employees) that comprise the Client workforce, as is identified in and required by the FISMA and OMB A-130, Appendix III. 
The appropriate content of security training is determined based on the assigned roles and responsibilities of individuals and the specific security requirements of the Department, PO and the information systems to which personnel have authorized access. Annual training requirements may be met by completing one or more course(s) within the Department’s learning management systems, participating in instructor-led training provided by the OCIO, or completing an external role-based course or courses offered within their specific functional area of expertise.
+
+
+
+#### a
+
+##### Contractor
+
+CivicActions personnel with security responsibilities are required to complete role-based security training before being provided with access to the information system. The CivicActions' Security Office is responsible for creating the content of the training. The role-based training is provided and tracked by the CivicActions Security Office.
+
+
+
+#### b
+
+##### Contractor
+
+The Project Manager in collaboration with CivicActions Security Office determines whether a change to the information system requires any modifications and updates to the security awareness training program and if so, works with the CivicActions' Security Office to implement the change.
+
+
+
+#### c
+
+##### Contractor
+
+CivicActions Security Office provides users with security responsibilities role-based security training on an annual basis. The training is provided and tracked by the CivicActions Security Office.
+
+
+
+### AT-3 (5): Processing Personally Identifiable Information
+
+```text
+Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
+
+```
+**Status:** incomplete
+### AT-4: Training Records
+
+```text
+ - a. 
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
+ - b. Retain individual training records for [Assignment: organization-defined time period].
+
+```
+**Status:** complete
+#### a
+
+##### Contractor
+
+The CivicActions' Security Office tracks all security awareness training within the organization and ensures that all employees have successfully completed training when required. The training records are stored and tracked in a spreadsheet maintained by the CivicActions Security Office.
+
+
+
+
+
+##### Project
+
+Client documents and monitors all individual information system security training activities including basic security awareness training. New users are required to take security training within 30 days of hire. This information is kept in the appropriate personnel files to verify users have met the training requirements. Training requirement notifications are sent to individuals as deadline for re-training approaches.
+
+
+
+#### b
+
+##### Contractor
+
+Training records are tracked and maintained by the CivicActions Security Office. Records are maintained permanently.
+
+
+
+
+
+##### Project
+
+Client maintains training certifications for the specified period.
diff --git a/results/docs/controls/AU.md b/results/docs/controls/AU.md
new file mode 100644
index 0000000..8f0e55d
--- /dev/null
+++ b/results/docs/controls/AU.md
@@ -0,0 +1,536 @@
+# Reusable OpenControl Components (SSP-Toolkit).
+
+## AU: Audit and Accountability
+
+### AU-1: Policy and Procedures
+
+```text
+ - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
+ - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] audit and accountability policy that:
+ - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+ - 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
+ - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
+ - c. Review and update the current audit and accountability:
+ - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+CivicActions has developed, documented and disseminated to personnel an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Audit and Accountability (AU) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+
+
+
+##### Project
+
+The Project maintains a record of system activity by application process and by user activity.
Audit and accountability policy and procedures are documented within the Project SSP. Security software features are used to automatically generate and store security audit log records for use in monitoring security-related events on all multi-user systems. The Client reviews and updates this policy as necessary and it was last updated in April 2008. Additional information is contained within the None.
+
+
+
+### AU-2: Event Logging
+
+```text
+ - a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
+ - b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+ - c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
+ - d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
+ - e. Review and update the event types selected for logging [Assignment: organization-defined frequency].
+
+```
+**Status:** None
+#### a
+
+##### AWS
+
+In this architecture, the following audit methods log all security-relevant user/API activities and Amazon S3 data access activities, and support the capability to audit organizationally defined events:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+
+
+
+
+##### Contractor
+
+CivicActions' Security Policy provides information about auditing and logging of CivicActions internal users and end-user activity on the servers and within the system application.
+ + + + + +##### Drupal + +Drupal's Watchdog log are configured to track all relevant auditable events as defined by Client + +- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These + requests include pages, theme files, and static media files. + +- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by + general server issues, including capacity problems, .htaccess problems, and missing files. + +- Drupal page request log: Records all Drupal page loads on your website. +- Drupal Watchdog log: Records Drupal-related actions on your website. The Watchdog log is recorded on + your database if you have enabled the syslog module. + +- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to + complete. + +- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues + reported here are usually caused by a website’s code, configuration, or content. + + + + + +##### Ilias + +Transaction logs are generated by the Apache web server, Ilias CMS, MySQL database and PHP page processing. Specifically, the following server, application, database and network device audit log events are captured: +- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These requests include pages, theme files, and static media files. +- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by general server issues, including capacity problems, .htaccess problems, and missing files. +- Ilias page request log: Records all Ilias page loads on your website. +- Ilias log: Records Ilias-related actions on your website. The log is recorded on your server. +- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to complete. +- PHP error log: Records any issues that occur during the PHP processing portion of a page load. 
Issues reported here are usually caused by a website’s code, configuration, or content.
+
+
+
+#### b
+
+##### Contractor
+
+Auditable events may change due to changes in the threat environment. CivicActions teams collaborate internally and also communicate with customers and partner organizations to identify and select auditable events. The teams that participate in this process are described in control SA-3(b).
+
+
+
+
+
+##### Ilias
+
+All security-related issues and events, including requests for server log analysis, are recorded in CivicActions' JIRA tracking system.
+
+
+#### c
+
+##### AWS
+
+In this architecture, the following audit methods provide data on activities occurring within the infrastructure:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+
+
+
+
+##### Ilias
+
+CivicActions has extensive experience and specialization as a host of websites that are built using the Ilias web learning platform. Should the need for additional logging become evident, we have the ability to do so by modifying the website's source code to insert additional Ilias logging hooks.
+ + + +#### d + +##### AWS + +In this architecture, the following audit methods log all security-relevant events and errors related to IAM user and API activities, Amazon S3 data access, network access, and Amazon RDS database errors, and support the capability to audit organizationally defined events: + +- AWS CloudTrail logging +- Amazon S3 bucket logging +- Elastic Load Balancing (ELB) logging +- Amazon RDS MySQL error logging + + + + + +##### Drupal + +Information captured in the transaction logs includes, but is not limited to, the following auditable events: + +- Failed login attempts +- Successful login attempts +- User account deletions +- User account blocking/unblocking +- Changes in user role assignments +- Unauthorized attempts to alter protected user fields +- New user account creation +- Password reset instructions mailed +- User logins via a one-time login link +- User logouts +- Content creation (datasets, resources and other content types) +- Content modification +- Content deletion +- Content publishing +- Content unpublishing +- File uploads +- Web page not found +- Website configuration changes +- System administration activities +- Slow query logs. +- PHP error logs: Captures any errors logged during execution of the PHP programming language. + + + + + +##### Ilias + +Information captured in the transaction logs includes, but is not limited to, the following auditable +events: +- Failed login attempts +- Successful login attempts +- New user account creation +- Password reset instructions mailed +- User logins via a one-time login link +- Content creation +- Content publishing +- Web page not found +- Website configuration changes +- System administration activities +- Slow query logs. +- PHP error logs: Captures any errors logged during execution of the PHP programming + language. + + + +### AU-3: Content of Audit Records + +```text +Ensure that audit records contain information that establishes the following: + - a. 
What type of event occurred; + - b. When the event occurred; + - c. Where the event occurred; + - d. Source of the event; + - e. Outcome of the event; and + - f. Identity of any individuals, subjects, or objects/entities associated with the event. + +``` +**Status:** None + + +##### AWS + +In this architecture, the following audit methods generate records with the level of detail specified for the control: + +- **AWS CloudTrail logging**: Provides information on activities + related to infrastructure changes. + +- **Amazon S3 bucket logging**: Provides data on activities related to the + access or manipulation of data stored in Amazon S3. + +- **Elastic Load Balancing (ELB) logging**: Provides information about + requests or connections. + +- **Amazon RDS MySQL error logging**: Captures errors encountered by the + database engine. In addition, the MySQL general query log can be enabled + by the customer organization to capture when clients connect or disconnect + and SQL statements received from clients. 
+ + +AWS logging information: + +- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/ +- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html +- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html +- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html + http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html + +- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html + + + + + +##### Drupal + +The logs collected for Drupal sites include the following types of information: + +- IP number of the request originator +- Timestamp +- Request URL +- HTTP status code returned +- Username +- Drupal Watchdog message (if applicable) +- Unique numerical ID of the content being modified (for content creation, modification and deletion + events) + +When auditing a Drupal incident, the CivicActions developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events. + + + + + +##### Ilias + +The logs collected for Ilias sites include the following types of information: +- IP number of the request originator +- Timestamp +- Username +- Ilias log message (if applicable) +- Unique numerical ID of the content being modified (for content creation, modification and deletion events) +When auditing an Ilias incident, CivicActions' developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. 
Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events.
+
+
+
+### AU-4: Audit Log Storage Capacity
+
+```text
+Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
+
+```
+**Status:** complete
+
+
+##### AWS
+
+In this architecture, logs track dynamic capacity growth to accommodate organizationally defined storage capacity requirements. Amazon S3 buckets are established to store audit logs from the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+
+
+
+
+##### Contractor
+
+CivicActions ensures adequate storage capability requirements listed in AU-11 for all events from the application, database, and hosting environment.
+
+
+
+### AU-5: Response to Audit Logging Process Failures
+
+```text
+ - a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and
+ - b. Take the following additional actions: [Assignment: organization-defined additional actions].
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+When notified (e.g., via CloudWatch) of an auditing failure, CivicActions Operations staff will review the causes and take corrective action.
+
+
+
+#### a
+
+##### AWS
+
+In this architecture, AWS CloudTrail is enabled, and provides the basis for audit processing within the infrastructure.
+
+AWS built-in features include customer alerting of AWS CloudTrail and other service failures through the following:
+
+- AWS Service Health Dashboard (http://status.aws.amazon.com)
+- RSS feeds to which the customer organization can subscribe
+- email
+- alerts sent directly to the AWS account *root user* for critical events
+- AWS internal Incident Response and corporate communications processes
+
+
+
+### AU-6: Audit Record Review, Analysis, and Reporting
+
+```text
+ - a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
+ - b. Report findings to [Assignment: organization-defined personnel or roles]; and
+ - c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
+
+```
+**Status:** Planned
+#### a
+
+##### Contractor
+
+CivicActions security audit data is collected by the AWS CloudWatch monitoring and observability service to support real time and after-the-fact investigation at the application level for the following:
+
+- Indications of inappropriate or unusual activity
+- Assurance that logging is functioning properly
+- Adherence to logging standards identified in this procedure
+
+
+
+#### b
+
+##### Contractor
+
+Any significant findings observed during the inspection are reported to CivicActions' Security Office. If these are considered to constitute a security incident, then the Incident Response process is invoked as described in the implementation of the Incident Response Plan (IR-8).
+
+
+
+### AU-8: Time Stamps
+
+```text
+ - a. Use internal system clocks to generate time stamps for audit records; and
+ - b.
Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
+
+```
+**Status:** complete
+
+
+##### Project
+
+The Project system clocks are synchronized system-wide and provide time stamps with audit records.
+
+
+
+#### a
+
+##### AWS
+
+AWS includes the Amazon Time Sync Service. Running over Network Time Protocol (NTP), this service synchronizes the time on AWS instances using redundant satellite-connected and atomic clocks in all public AWS regions. The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+
+
+#### b
+
+##### AWS
+
+The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+Time stamps are recorded as specified in the ISO 8601 standard. ISO 8601 represents local time (with the location unspecified), as UTC, or as an offset from UTC.
+
+
+
+### AU-9: Protection of Audit Information
+
+```text
+ - a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
+ - b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
+
+```
+**Status:** Planned
+
+
+##### AWS
+
+Access to audit data and tools is determined by access control policies for IAM groups and roles. Only users assigned to IAM groups and roles with access to audit data and tools can access them.
Additionally, AWS uses server-side encryption on Amazon S3 bucket logs, and maintains them as read-only files.
+
+
+
+
+
+##### Contractor
+
+CivicActions ensures that audit logs are created, stored and maintained. Developers who have been assigned as members of the CivicActions Security Office are the only CivicActions personnel with logical permission to access and review audit logs.
+
+
+
+### AU-11: Audit Record Retention
+
+```text
+Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
+
+```
+**Status:** complete
+
+
+##### AWS
+
+AWS CloudTrail logs are stored in an Amazon S3 bucket, which dynamically allocates storage capacity to support continuous collection and storage of AWS CloudTrail log data. The storage capacity supports indefinite retention, but with 7 year retention specified, and migration to Amazon Glacier after 90 days in AWS regions where Glacier is available.
+
+
+
+
+
+##### Contractor
+
+CivicActions audits events from the application, database, and hosting environment, and retains these records for at least 180 days.
+
+
+
+### AU-12: Audit Record Generation
+
+```text
+ - a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
+ - b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
+ - c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
+
+```
+**Status:** complete
+#### a
+
+##### AWS
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled, but initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) do not have auditing enabled within the OS, as these are for example purposes only.
+
+AWS built-in features of logging mechanisms provide the audit record generation capability for the auditable events defined in AU-2a. by logging all security-relevant IAM user and API activities which address AWS infrastructure components (AWS Products and services), ELB
+
+
+
+
+
+##### Contractor
+
+CivicActions ensures audit records are generated for its web and event logs as required in AU-2 and AU-3 for servers, application, database, and network components.
+
+
+
+#### b
+
+##### AWS
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled AWS CloudTrail is enabled to log all available API events automatically within the AWS infrastructure and Amazon S3 bucket logging is enabled to log bucket activity.
+
+AWS built-in features of Identity and Access Management (IAM) allows policy to be applied to privileged users for administrator/audit access, allowing them to modify Amazon CloudWatch alarms, AWS Config rules, and Amazon S3 bucket logging to select the CloudTrail and Amazon S3 events that are to cause notification, alerting and automated reaction.
+
+
+
+
+
+##### Contractor
+
+The selected auditable events described in AU-2 are coordinated by CivicActions internal admins and client security/operations officers for each component of the production system.
+
+
+
+#### c
+
+##### AWS
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled.
However, the initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) DO NOT have any auditing enabled within the OS, as these are in place for example purposes only.
+
+AWS built-in features of native logging generates audit records with the content defined in AU-3.
+
+AWS logging information:
+
+- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
+- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
+- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html
+- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+
+ http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
+
+- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html
+
+
+
+
+
+##### Contractor
+
+CivicActions maintained applications generate audit records for their web and event logs as described in AU-2 and AU-3.
diff --git a/results/docs/controls/CA.md b/results/docs/controls/CA.md
new file mode 100644
index 0000000..6d9e9cb
--- /dev/null
+++ b/results/docs/controls/CA.md
@@ -0,0 +1,312 @@
+# Reusable OpenControl Components (SSP-Toolkit).
+
+## CA: Assessment Authorization and Monitoring
+
+### CA-1: Policy and Procedures
+
+```text
+ - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
+ - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] assessment, authorization, and monitoring policy that:
+ - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+ - 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
+ - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
+ - c. Review and update the current assessment, authorization, and monitoring:
+ - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+ - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+CivicActions has developed, documented and disseminated to personnel a certification, accreditation, and security assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Security Assessment and Authorization Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+
+
+
+##### Project
+
+Project follows the None. The Project System Security Policy (SSP) provides guidance on all aspects of security for the protection of Project information technology resources.
+
+Project will periodically review and update the SSP when there is a significant change to the regulatory, operational, or technical environment.
+
+
+
+### CA-2: Control Assessments
+
+```text
+ - a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
+ - b. Develop a control assessment plan that describes the scope of the assessment including:
+ - 1. Controls and control enhancements under assessment;
+ - 2. Assessment procedures to be used to determine control effectiveness; and
+ - 3. Assessment environment, assessment team, and assessment roles and responsibilities;
+ - c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+ - d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
+ - e. Produce a control assessment report that document the results of the assessment; and
+ - f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
+
+```
+**Status:** Planned
+#### a
+
+##### Contractor
+
+CivicActions will develop a security assessment plan (SAP) that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment environment, the assessment team, and the assessment roles and responsibilities.
+
+
+
+
+
+##### Project
+
+The Project Full Name follows the None.
The Project Full Name will conduct annual security assessments to comply with FISMA and NIST regulations. Project will draw on NIST Special Publications 800-53A security controls to complete the assessment. All controls and sub-set security controls will be evaluated and a risk assessment will be conducted. The scope of the assessment includes:
+
+1. Security controls and control enhancements under assessment
+2. Assessment procedures to be used to determine security control effectiveness
+3. Assessment environment, assessment team, and assessment roles and responsibilities
+
+
+
+#### b
+
+##### Contractor
+
+CivicActions will assess the security controls in their system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
+
+All controls assigned and documented in this System Security Plan (SSP) will be tested at least annually or when there is a major change to the system.
+
+
+
+#### c
+
+##### Contractor
+
+CivicActions will produce a security assessment report that documents the results of the assessment. The Security Assessment Report must contain the results of the assessment, and may also contain recommendations and suggestions for plans of actions and milestones (POA&Ms).
+
+
+
+
+
+##### Project
+
+The Project Authorizing Official or Designated Representative will create a Security Assessment Report (SAR). A full assessment shall be conducted by an independent third party assessor at least every three years.
+
+
+
+#### d
+
+##### Contractor
+
+CivicActions will provide the results of the security control assessment to the System Owner, Project Manager, CivicActions Security, and the Authorization Official (AO)).
The security control assessment package includes the following:
+
+- Security Control Matrix
+- Privacy Impact Assessment
+- E-Authentication
+- Contingency Plan
+- Configuration Management Plan
+- Rules of Behavior
+- Incident Response Plan
+
+
+
+### CA-3: Information Exchange
+
+```text
+ - a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, nondisclosure agreements, [Assignment: organization-defined type of agreement]];
+ - b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
+ - c. Review and update the agreements [Assignment: organization-defined frequency].
+
+```
+**Status:** none
+
+
+##### Contractor
+
+This control is not applicable. CivicActions systems do not have system interconnections. The only communication conducted to CivicActions' systems is through the Internet.
+
+
+
+### CA-5: Plan of Action and Milestones
+
+```text
+ - a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
+ - b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
+
+```
+**Status:** complete
+
+
+##### Contractor
+
+CivicActions documents all deficiencies and vulnerabilities identified during the security certification and/or continuous monitoring phase (via security assessment, vulnerability scanning, risk assessment, etc.) within the Plan of Action and Milestones (POA&M).
+
+The POA&M document provides a platform for CivicActions to monitor and track the deficiency and its mitigation strategy. POA&M items will include:
+
+- The description of the deficiency,
+- Dedicated point of contact for this deficiency.
+- Cost of the mitigation strategy
+- Associated risk and NIST control
+- Recommended mitigation strategy
+
+POA&Ms are tracked throughout the lifecycle of the system until its mitigation. All POA&Ms are reviewed on a monthly basis by CivicActions Information System Security Officer to ensure all mitigation strategies are continuing as documented.
+
+
+
+
+
+##### Project
+
+The Project follows the None procedures in managing POA&Ms.
+
+
+
+### CA-6: Authorization
+
+```text
+ - a. Assign a senior official as the authorizing official for the system;
+ - b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
+ - c. Ensure that the authorizing official for the system, before commencing operations:
+ - 1. Accepts the use of common controls inherited by the system; and
+ - 2. Authorizes the system to operate;
+ - d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+ - e. Update the authorizations [Assignment: organization-defined frequency].
+
+```
+**Status:** partial
+
+
+##### Project
+
+The Project follows the None. The Project system received its first three-year security accreditation on March 3, 2009, and most recently received an ATO on February 5, 2016.
+ +ATO re-assessment will be performed every three years or when there is a major change to the application, in which a senior organizational official will sign and approve the security accreditation. + + + +### CA-7: Continuous Monitoring + +```text +Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: + - a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; + - b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; + - c. Ongoing control assessments in accordance with the continuous monitoring strategy; + - d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; + - e. Correlation and analysis of information generated by control assessments and monitoring; + - f. Response actions to address results of the analysis of control assessment and monitoring information; and + - g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] + [Assignment: organization-defined frequency]. + +``` +**Status:** None +#### a + +##### Contractor + +CivicActions implements a continuous monitoring strategy that incorporates configuration management, system scanning and log analysis processes: + +- Configuration management includes the assessment of security impact analyses of proposed and implemented changes. +- System scanning is managed by running the OpenSCAP vulnerability scanner using the DISA STIG profile. +- Log analysis is managed by feeding logs to a Graylog dashboard for analysis. + + + + + +##### Drupal + +CivicActions follows recommendations and best practices developed by the Drupal community for monitoring. 
Examples of specific logs and metrics are included in AU-2 and AU-3. + + + + + +##### Ilias + +CivicActions follows recommendations and best practices developed by the Ilias community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3. + + +#### b + +##### Contractor + +Configuration management and log analysis is carried out in real time. OpenSCAP security scans are performed and reviewed monthly. See also: RA-5 and SI-4. + +Quarterly review of the control assessments supporting the monitoring is conducted by CivicActions Operations in collaboration with the CivicActions Security Office. + + + +#### c + +##### Drupal + +CivicActions works closely with the Drupal security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed. + + + + + +##### Ilias + +CivicActions works closely with the Ilias security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed. + + +#### d + +##### Contractor + +CivicActions conducts or oversees continuous system security monitoring. + + + +#### e + +##### Contractor + +CivicActions Security reviews the results of the security scans and security assessments with associated JIRA and/or GitLab Issue tickets created to correlate and analyze security-related information generated from the monitoring tools becoming POA&M items for tracking. + + + +#### f + +##### Contractor + +POA&M items are tracked by CivicActions Security through JIRA tickets with a security categorization assigned. The information included in the POA&M item include the severity, the due date, the weakness source identifier, and the plugin ID that identified the vulnerability. 
+ + + +#### g + +##### Contractor + +The security status of the system is reported up to the System Owner and Project Manager via the CivicActions Security Office to be reviewed alongside other security issues relating to the system. + + + +### CA-7 (4): Risk Monitoring + +```text +Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: + - (a) Effectiveness monitoring; + - (b) Compliance monitoring; and + - (c) Change monitoring. + +``` +**Status:** incomplete +### CA-9: Internal System Connections + +```text + - a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; + - b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; + - c. Terminate internal system connections after [Assignment: organization-defined conditions]; and + - d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. + +``` +**Status:** none + + +##### Contractor + +Not applicable. diff --git a/results/docs/controls/CM.md b/results/docs/controls/CM.md new file mode 100644 index 0000000..5061537 --- /dev/null +++ b/results/docs/controls/CM.md 
@@ -0,0 +1,304 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## CM: Configuration Management + +### CM-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] configuration management policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and + - c. Review and update the current configuration management: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Configuration Management (CM) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at . 
+Configuration changes are overseen by the Change Control Board (CCB) consisting of the System Owner, Project Manager, CivicActions Operations staff and the engineering team. + + + + + +##### Project + +The configuration management policy and procedures are formally documented in the Project Configuration Management Plan (CMP), which provides the roles and responsibilities as it pertains to physical and environmental protection. It defines responsibilities for the implementation and oversight of the guidance contained herein. Client reviews and updates the policy as necessary. + + + +### CM-2: Baseline Configuration + +```text + - a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and + - b. Review and update the baseline configuration of the system: + - 1. [Assignment: organization-defined frequency]; + - 2. When required due to [Assignment: Assignment organization-defined circumstances]; and + - 3. When system components are installed or upgraded. + +``` +**Status:** complete + + +##### AWS + +Hardware Baselines + +All hardware is maintained by the AWS cloud. The system inherits hardware configuration aspects of this control from the FedRAMP Provisional ATO granted to AWS, dated 1 May 2013, for the following: baseline configuration. + + + + + +##### Contractor + +A current baseline configuration is always available - stored as a tag in the Git repository - such that the site can be regenerated or rolled back should unauthorized or failing changes be applied. + + + + + +##### Ilias + +The baseline configuration is maintained in Git and described in the Configuration Management Plan, which describes the change workflow and software configuration. In the context of Security Configuration Management, the baseline configuration is a collection of formally approved configuration state(s) of one or more configuration items ("features") that compose the system. 
The baseline configuration is used to restore and serves as the basis against which the next change or set of changes to the system is made. +The features for the system are maintained in the website's source code, which is managed in Git, a source code version control system. Once the source code is updated, Git maintains the new version of staged code once committed in the Git repository as the new baseline. All code prior to it being staged is documented, tested and approved by CivicActions Development, which is described in control SA-3. The production environment is configured to take database snapshots daily. + + + + + +##### Project + +A CM process has been established and documented in the Project CMP. All updates are made in accordance with the procedures outlined in the CMP. The CM process establishes a baseline of hardware, software, firmware and documentation, as well as changes thereto, throughout the development and life cycle of the information system. CM ensures the control of the information system through its life cycle. It assures that additions, deletions, or changes made to the Project system do not unintentionally or unknowingly diminish security. If the change is major, the security of the system must be re-analyzed. + + + +### CM-4: Impact Analyses + +```text +Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. + +``` +**Status:** complete + + +##### Contractor + +Security impact analysis is conducted and documented within the Change Request (CR) process described in CM-3(b). All proposed configuration- controlled changes to the application are tested first in a sandboxed development environment before being pushed to a staging environment to be tested by another developer and by the Engineering team prior to final approval from CCB to move changes to the production environment. 
+ + + + + +##### Project + +An Information Security Program is in place to ensure all security-centric impacts to the Project are properly analyzed and conducted by personnel with information security responsibilities (i.e., Project SSO, IT Security Officer, etc.). These individuals have the appropriate skills and technical expertise to analyze the changes to the Project and their associated security ramifications. In support of continuous monitoring and to ensure the Project system lifecycle is fully sustained, a risk assessment process, be it formal or informal, is performed when changes are occur. This ensures that Client Full Name understands the security impacts and can determine if additional security controls are required. + + + +### CM-5: Access Restrictions for Change + +```text +Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + +``` +**Status:** incomplete +### CM-6: Configuration Settings + +```text + - a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; + - b. Implement the configuration settings; + - c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and + - d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. + +``` +**Status:** partial +#### a + +##### Project + +The Project is configured in compliance with the applicable baseline security standards. The Department and its technical support staff configure the security settings of all IT products to the most restrictive mode consistent with information system operational requirements. 
Project utilizes the NIST Special Publication 800-70 for guidance on configuration settings (checklists) for information technology products. When security setting checklist are not available from NIST for a particular device, good security engineering practices along with manufacture guidelines is used to develop the security settings. The CM Manager conducts configuration audits to ensure baseline compliance and documentation of hardware/software configurations throughout the system lifecycle. + + + +#### b + +##### Contractor + +CivicActions developers follow security best practices according to the guidelines set by the CivicActions Security Office. + + + + + +##### Project + +Configuration settings are implemented, monitored, and controlled in accordance with the organizational Configuration Management Plan for the security configuration management processes and tools. + + + +#### c + +##### Project + +Currently, deviations do not exist for established configuration settings. In the event this changes, the following notes the process that will take place. +The CivicActions CCB, identifies, approves, and documents exceptions to mandatory configuration settings for individual components within its cloud offering only when operationally necessary. All variances identified during the monthly and annual system testing scans that must be accepted for operational purposes are tracked. + + + +#### d + +##### Contractor + +All changes to the configuration settings are logged in the Git source code version control system, which records the identity of the developer who committed each change. Version control is enforced, with previous tagged code releases kept for rollback purposes. + + + +### CM-7: Least Functionality + +```text + - a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and + - b. 
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. + +``` +**Status:** complete +#### a + +##### AWS + +In this architecture, only essential capabilities for a multi-tiered web service are configured. AWS Identity and Access Management (IAM) baseline Groups and Roles are configured to support restricted access to AWS resources by privileged users and non-person entities (Amazon EC2 systems operating with a role) authorized and assigned by the organization. + + + + + +##### Project + +Services are limited to provide only essential capabilities. + + + +#### b + +##### AWS + +In this architecture, ports, protocols, and services are restricted to those that are required for a multi-tiered web service, via AWS security group rules. + + + + + +##### Project + +The Project maintains strict default deny policy with access controls at the firewall, and on individual systems. Inbound access across the system boundary is only allowed on ports 22 (ssh), 80 (http) and 443 (https), with an additional port, 25 (smtp) open on the mail server. + + + +### CM-8: System Component Inventory + +```text + - a. Develop and document an inventory of system components that: + - 1. Accurately reflects the system; + - 2. Includes all components within the system; + - 3. Does not include duplicate accounting of components or components assigned to any other system; + - 4. Is at the level of granularity deemed necessary for tracking and reporting; and + - 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and + - b. Review and update the system component inventory [Assignment: organization-defined frequency]. 
+ +``` +**Status:** None + + +##### Ilias + +The software inventory for the application is maintained in the codebase stored CivicActions' Git source code version control system. It consists of the following components: +- The Ilias open-source web learning management system +- Ilias add-on modules, themes, and libraries available from the Ilias.de website which extend Ilias core +- Custom code written by CivicActions' developers +The inventory is reviewed monthly by CivicActions Product Engineering teams in accordance with the Configuration Management Plan. +Website content is backed up daily using CPM snapshots. This allows CivicActions to build an inventory of the system on demand. + + + +#### a + +##### AWS + +AWS built-in features dynamically build and maintain an inventory of system components (infrastructure inventory) + +1. AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the customer account and provides a single view for granularity for tracking and reporting. +2. AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the AWS account, and AWS CloudFormation creates a unique set of stack names, and associated resource names incorporate the stack name, for tracking components deployed by CloudFormation templates that align with an authorization boundary. +3. AWS built-in features provide a level of granularity for tracking and reporting on all infrastructure system and network components and configuration settings for those components. +4. AWS built-in features provide all available information about all infrastructure system and network components to achieve effective component accountability. + + + +#### b + +##### AWS + +AWS built-in features provides a dynamically updated inventory of all infrastructure system and network components within the customer account. 
The AWS management console and AWS API calls support the capability for the organization to review the inventory. + + + +### CM-10: Software Usage Restrictions + +```text + - a. Use software and associated documentation in accordance with contract agreements and copyright laws; + - b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and + - c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. + +``` +**Status:** None + + +##### Contractor + +Drupal is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law. + + + + + +##### Ilias + +Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law. + + +### CM-11: User-installed Software + +```text + - a. Establish [Assignment: organization-defined policies] governing the installation of software by users; + - b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and + - c. Monitor policy compliance [Assignment: organization-defined frequency]. + +``` +**Status:** complete +#### a + +##### Contractor + +All software installed in the system environment must be first approved via the CCB resulting in a Change Request (CR) being initiated and executed. Software installation on the computing nodes within the authorization boundary is restricted to administrators. All CivicActions internal administrators are informed of this during their initial training and as part of the rules of behavior document. 
+ + + +#### b + +##### Contractor + +CivicActions enforces software installation policies through required acknowledgment and sign-off on acceptable use policy by CivicActions personnel. CivicActions Development is responsible for enforcing compliance with the acceptable use policy. + + + +#### c + +##### Contractor + +CivicActions monitors policy compliance continuously via the code release planning and quality control systems built into the System Development Life Cycle described in control SA-3. diff --git a/results/docs/controls/CP.md b/results/docs/controls/CP.md new file mode 100644 index 0000000..6904dce --- /dev/null +++ b/results/docs/controls/CP.md 
@@ -0,0 +1,251 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## CP: Contingency Planning + +### CP-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] contingency planning policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and + - c. Review and update the current contingency planning: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in Contingency Planning (CP) Policy and Procedure that can be found in the CivicActions Compliance Docs GitHub repository at . + + + + + +##### Project + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. 
+ +The Project and has developed a contingency planning policy consistent with NIST 800-34. Contingency planning procedures are formally documented within the Project Contingency Plan, which provides the roles and responsibilities as it pertains to contingency planning. The Project reviews and updates the policy as necessary and the policy was last updated in July 2012. + + + +### CP-2: Contingency Plan + +```text + - a. Develop a contingency plan for the system that: + - 1. Identifies essential mission and business functions and associated contingency requirements; + - 2. Provides recovery objectives, restoration priorities, and metrics; + - 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; + - 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; + - 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; + - 6. Addresses the sharing of contingency information; and + - 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; + - b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; + - c. Coordinate contingency planning activities with incident handling activities; + - d. Review the contingency plan for the system [Assignment: organization-defined frequency]; + - e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; + - f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; + - g. 
Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and + - h. Protect the contingency plan from unauthorized disclosure and modification. + +``` +**Status:** complete +#### a + +##### Contractor + +CivicActions has developed a contingency plan for that addresses: +1. Essential missions, business functions, and associated contingency requirements +2. Recovery objectives, restoration priorities, and metrics +3. Roles and responsibilities are identified in the CP and include the ISCP Director, Incident Commander (IC), CivicActions Coordinator, and CivicActions Information System Security Officer (ISSO). +4. Maintaining essential missions and business functions despite an information system disruption, compromise, or failure +5. Full information system restoration without deterioration of the security safeguards originally planned and implemented +6. The ISCP is reviewed and approved by ISCP Director, Incident Commander (IC), CivicActions ISSO and the System Owner annually. + + + +#### b + +##### Contractor + +The CivicActions Information System Contingency Plan (ISCP) has been distributed to all CivicActions team members. The ISCP can be found in the CivicActions Handbook at . + + + + + +##### Project + +The Project Information System Contingency Plan (ISCP) has been distributed to all members who have roles in Contingency Planning and Incident Response Team. Direction by the System Owner will update who is required to receive a copy of the contingency plan. The ISCP can be found in the Project GitHub wiki at . + + + +#### c + +##### Contractor + +The Information System Contingency Plan (ISCP) is closely integrated with the Incident Response Plan (IRP). Coordination is the responsibility of the ISCP Director and CivicActions Operations staff. 
+ + + +#### d + +##### Contractor + +The ISCP Director and CivicActions' Security Office are responsible to review the ISCP annually and when a change to the system occurs. + + + +#### e + +##### Contractor + +CivicActions Operations staff and ISCP Director are required to update the ISCP to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. + + + +#### f + +##### Contractor + +The ISCP requires that changes to the plan be communicated to those on the Incident Response/Contingency Plan Contact List. + + + +#### g + +##### Contractor + +The ISCP is available on CivicActions GitHub repository. This repository provides the configuration management capabilities for the ISCP to be protected from unauthorized disclosure and modification. + + + +### CP-3: Contingency Training + +```text + - a. Provide contingency training to system users consistent with assigned roles and responsibilities: + - 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; + - 2. When required by system changes; and + - 3. [Assignment: organization-defined frequency] thereafter; and + - b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +The ISCP stipulates that all CivicActions system assigned roles in the Contingency Plan Team are trained in their duties within three months of first being assigned a role in the CP, and then annually thereafter or when changes are required. CivicActions uses the Contingency Plan as described in controls CP-1 and CP-2 as a basis for personnel contingency training. + + + +### CP-4: Contingency Plan Testing + +```text + - a. 
Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. + - b. Review the contingency plan test results; and + - c. Initiate corrective actions, if needed. + +``` +**Status:** complete + + +##### Contractor + +Real-world tests of the contingency plan will be held at least annually, with supplemental tests (checklist/table-top) as needed for specific scenarios. The ISCP Coordinator is responsible to facilitate annual testing exercises. The testing process for the ISCP includes a review of the ISCP, exercise, and identification of corrective actions and other improvements. + + + +### CP-9: System Backup + +```text + - a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] + [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; + - b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; + - c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and + - d. Protect the confidentiality, integrity, and availability of backup information. + +``` +**Status:** complete +#### a + +##### AWS + +In this architecture, user data is limited to that which is stored in the Amazon RDS database. Amazon RDS is fully backed up by a daily snapshot as well as through transaction logging conducted by AWS as part of this managed service. Full database recovery from snapshot or point-in-time can be initiated from the Amazon RDS console/API. 
+ + + + + +##### Contractor + +CivicActions conducts system user-level information backup in accordance with requirements (at a minimum, incremental backups must be conducted at least weekly and full backups must be conducted at least monthly). + + + +#### b + +##### AWS + +AWS built-in features automatically backs up system-level information limited to infrastructure CONFIGURATION information within the AWS account. While individual running Amazon EC2 instances and attached EBS volumes are NOT backed up, they can be reconstituted from Amazon Machine Images (AMIs) provided by AWS (which are backed up by AWS) and user data scripts included in CloudFormation templates. Once deployed, the CloudFormation template contents are backed up by AWS R488within the CloudFormation service. These AWS backups of AWS services are transparent to the customer as part of AWS backend processes. + + + + + +##### Contractor + +System-level information for the application is replicated and backed up in the same way as user-level information as defined in CP-9(a). + + + +#### c + +##### AWS + +AWS built-in features back up online administrator and developer documentation, limited to that which is published at https://aws.amazon.com/documentation. + + + + + +##### Contractor + +System documentation is backed up from the GitHub repository on a daily basis with a minimum two-week retention period and off-site storage. + + + +#### d + +##### AWS + +AWS built-in features protect the confidentiality, integrity, and availability of information that AWS services back up. This information includes the service configuration information within an account, AWS online administrator and developer documentation, and AWS CloudFormation stacks for templates once deployed into an account. R612 + + + + + +##### Contractor + +CivicActions employees must authenticate prior to being granted access to the GitHub repository. 
Roles and responsibilities within GitHub determine the proper level of access for the documentation being accessed. The folder structure of GitHub protects though permissions and ownership prohibiting users from accessing unauthorized documentation. + + + +### CP-10: System Recovery and Reconstitution + +```text +Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. + +``` +**Status:** complete + + +##### Contractor + +The Contingency Plan documents the mechanisms with supporting procedures that allow all system components to be recovered and reconstituted to the system’s original state after a disruption or failure. This original state means that all system parameters (either default or organization- established) are reset, patches are reinstalled, system and security configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled, information from the most recent backups is available and the system is fully tested. diff --git a/results/docs/controls/IA.md b/results/docs/controls/IA.md new file mode 100644 index 0000000..a1c4b7c --- /dev/null +++ b/results/docs/controls/IA.md 
@@ -0,0 +1,742 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## IA: Identification and Authentication + +### IA-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] identification and authentication policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and + - c. Review and update the current identification and authentication: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained by the CivicActions Identification and Authentication (IA) Policy. This document can be found in the CivicActions GitHub repository at . 
+ + + + + +##### Project + +The Project system owners/managers manage user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate official; (iv) ensuring that the user identifier is issued to the intended party; (v) disabling user identifier after a reasonable period of inactivity as documented in its security procedures; and (vi) archiving user identifiers. Project reviews and updates this policy as necessary. + + + +### IA-2: Identification and Authentication (organizational Users) + +```text +Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. + +``` +**Status:** partial + + +##### AWS + +AWS built-in features of Identity and Access Management (IAM) provides the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users operating within the AWS account and infrastructure, providing privileges based on the credentials, group memberships, and access policies assigned to them. The customer organization, at its discretion, provides individual user accounts and privileges to both organizational non-organizational users in addition to organizational users. + + + +### IA-2 (1): Multi-factor Authentication to Privileged Accounts + +```text +Implement multi-factor authentication for access to privileged accounts. + +``` +**Status:** complete + + +##### Contractor + +CivicActions system administrators employ a personal public- key pair for basic access and must originate from a whitelisted IP address. The whitelist is maintained by an Ansible inventory file, the current complete list (includes dev sites) of users with whitelisted IPs is in artifact: None + +To access root (sudo) privileges an additional password is required. 
The passwords are maintained in encrypted form in the Ansible inventory file. The mechanism to enable select users to use a password to obtain root access can be viewed in artifact: None + + + + + +##### Drupal + +Drupal administrators and other roles with unrestricted access to live content and/or user accounts are required to use two-factor authentication. See artifact None + + + + + +##### Project + +The Project employs multi-factor authentication for privileged users. + + + +### IA-2 (2): Multi-factor Authentication to Non-privileged Accounts + +```text +Implement multi-factor authentication for access to non-privileged accounts. + +``` +**Status:** incomplete +### IA-2 (8): Access to Accounts — Replay Resistant + +```text +Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts, non-privileged accounts]. + +``` +**Status:** incomplete +### IA-2 (12): Acceptance of PIV Credentials + +```text +Accept and electronically verify Personal Identity Verification-compliant credentials. + +``` +**Status:** none + + +##### Project + +The Project system allows users to access the system using Common Access Cards (CAC). + + + +### IA-4: Identifier Management + +```text +Manage system identifiers by: + - a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; + - b. Selecting an identifier that identifies an individual, group, role, service, or device; + - c. Assigning the identifier to the intended individual, group, role, service, or device; and + - d. Preventing reuse of identifiers for [Assignment: organization-defined time period]. + +``` +**Status:** None +#### a + +##### Contractor + +Access to the system is authorized by the System Owner or Project Manager for each role as described in AC-2. 
+ + + + + +##### Drupal + +Upon account creation, the Drupal software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted. + + + + + +##### Ilias + +Upon account creation, the Ilias software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted. + + +#### b + +##### Contractor + +User accounts are assigned a unique identifier in the form of a unique username, password and email address based on the system for allocating user accounts described in AC-2. + +In accordance with CivicActions Identification and Authentication (IA) Policy outlined at , CivicActions internal users are uniquely identified by the creation of an organizational account with a username based on each user's first and last names. + + + + + +##### Drupal + +When Drupal user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements. + + + + + +##### Ilias + +When Ilias user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements. + + +#### c + +##### Contractor + +User accounts are assigned a unique identifier in the form of a unique username, password and email address based on the system for allocating user accounts described in AC-2. 
+ + + + + +##### Drupal + +Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account. + + + + + +##### Ilias + +Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account. + + +#### d + +##### Contractor + +Account usernames may not be re-used for at least two years. + + + + +##### Drupal + +Drupal user's unique identifier (the numeric user ID, or UID) is never reused. + + + + +##### Ilias + +Ilias user's unique identifier (the numeric user ID, or UID) is never reused. + + +#### e + +##### Contractor + +All user accounts are required to change their passwords every 90 days. The website will automatically block the accounts of users who fail to change their password within that time period, after which the account may only be unblocked by a website Administrator or CivicActions Operations staff. + + + +### IA-5: Authenticator Management + +```text +Manage system authenticators by: + - a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; + - b. Establishing initial authenticator content for any authenticators issued by the organization; + - c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; + - d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; + - e. Changing default authenticators prior to first use; + - f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; + - g. 
Protecting authenticator content from unauthorized disclosure and modification; + - h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and + - i. Changing authenticators for group or role accounts when membership to those accounts changes. + +``` +**Status:** partial +#### a + +##### Drupal + +Refer to control AC-2 in this SSP for further details on account provisioning. +CivicActions will create and maintain an initial Drupal Administrator (highest level of Drupal Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create. + + + + + +##### Ilias + +Refer to control AC-2 in this SSP for further details on account provisioning. +CivicActions will create and maintain an initial Ilias Administrator (highest level of Ilias Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create. + + + + + +##### Project + +Authentication for Project internal personnel are created during the personnel assignment process where requests are made to the Project admin group for proper access levels. The Project admin group verifies the identity of the user. The website performs further verification by sending an email to the user's mailbox containing a single-use activation link which must be used to log in to the account for the first time and to create a password. + + + +#### b + +##### Drupal + +Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy. 
+ + + + + +##### Ilias + +Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy. + + + + +##### Project + +Project admins in collaboration with CivicActions Operations are responsible for provisioning and de-provisioning end user accounts in compliance with the authentication requirements described herein. + + + +#### c + +##### Drupal + +The system partially inherits this control from Drupal standard password strength mechanisms. + + + + +##### Ilias + +The system partially inherits this control from Ilias standard password strength mechanisms. + + + + +##### Project + +When entering a user account password upon initial login, all users must comply with the following password policies, which are enforced by the website's software configuration: + +- Password must be at least 14 characters in length. +- Password must contain at least one digit. +- Password must contain at least one special character (not whitespace or an alphanumeric). +- Password must contain at least one uppercase character. +- Password must contain at least one lowercase character. + + + +#### d + +##### Drupal + +The system partially inherits this control from Drupal standard password management. All password creation/change/reset operations are recorded in the website's "Drupal Watchdog" logs. + + + + + +##### Ilias + +The system partially inherits this control from Ilias standard password management. +All password creation/change/reset operations are recorded in the website's Ilias logs. + + + + + +##### Project + +Project is responsible for provisioning and de-provisioning end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5(d). 
+ +In accordance with Project site configuration, the following administrative procedures exist for initial authenticator distribution, for lost/compromised/damaged authenticators, and for revoking authenticators. + +- Initial authenticator distribution: Users receive a one-time login link + by email upon creating of their user account. They use that link to log + in and then must enter a password themselves which complies with the + password complexity requirements described in IA-4(b). + +- Lost/compromised/damaged authenticators: Users who have forgotten their + password may request a new password by submitting their username or + email address. The website responds by emailing a one-time login link + to the user's email address. After using the link to log in, the user + is required to enter a new password. + +- Revoking authenticators: Users who have not changed their password in + the last 90 days are automatically blocked. Administrators may block + any user account if they believe there is a reason to do so. + + + +#### e + +##### Drupal + +Drupal requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. + + + + + +##### Ilias + +Ilias requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. 
+ + +#### f + +##### Project + +Project authenticators follow these password lifetime restrictions: + +- Maximum password age = 90 +- Minimum password age = 1 +- Password reuse restriction = 10 + + + +#### g + +##### Project + +Project enforces password lifetime restrictions. The password lifetime settings for internal accounts is as follows: + +- Minimum restriction of zero (1) days and +- Maximum restriction of ninety (90) days before a password change is required. + + + +#### h + +##### Drupal + +For all Drupal users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. + + + + + +##### Ilias + +For all Ilias users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. + + +#### i + +##### Contractor + +CivicActions users are required to take appropriate measures in the handling of passwords including: + +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical + location where they may be discoverable by unauthorized persons. 
+ + + + + +##### Drupal + +Drupal users are required to take appropriate measures in the handling of passwords including: + +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. + + + + + +##### Ilias + +Ilias users are required to take appropriate measures in the handling of passwords including: +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. + + + +#### j + +##### Drupal + +This control is not applicable due to the fact that group accounts are not created within the Drupal application per IA Policy. + + + + +##### Ilias + +This control is not applicable due to the fact that group accounts are not created within the Ilias application per IA Policy. 
+ + +### IA-5 (1): Password-based Authentication + +```text +For password-based authentication: + - (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; + - (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); + - (c) Transmit passwords only over cryptographically-protected channels; + - (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; + - (e) Require immediate selection of a new password upon account recovery; + - (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; + - (g) Employ automated tools to assist the user in selecting strong password authenticators; and + - (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. + +``` +**Status:** partial + + +##### Project + +Project is responsible for provisioning and de-provisioning end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5. + + + +#### a + +##### AWS + +AWS built-in features of Identity and Access Management (IAM) provides minimum password complexity enforcement, but the characteristics to enforce must be manually configured by the customer. Refer to + + + + + +##### Drupal + +Drupal supports the requirement for password-based authentication complexity. New users of Drupal are required to specify their password authentication as soon as they log in to the website for the first. The website requires all submitted passwords to comply with validation rules, as described above in IA-5(c). 
+Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by CivicActions Change Control Board before being implemented. + + + + + +##### Ilias + +Ilias supports the requirement for password-based authentication complexity. New users of Ilias are required to specify their password authentication as soon as they log in to the website for the first. The website requires all submitted passwords to comply with validation rules, as described above in IA-5(c). +Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by {'name': 'CivicActions, Inc', 'name_short': 'CivicActions', 'address': {'street': '3527 Mt Diablo Blvd, Unit 269', 'city': 'Lafayette', 'state': 'CA', 'zip': 94549, 'country': None}, 'phone': '510-408-7510', 'website': 'www.civicactions.com', 'compliance_docs_url': 'https://github.com/CivicActions/compliance-docs', 'email_support': 'support@civicactions.com', 'security_policy_url': 'https://github.com/CivicActions/security-policy'}' Change Control Board before being implemented. + + + +#### b + +##### Drupal + +When required to change passwords, Drupal users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. + + + + + +##### Ilias + +When required to change passwords, Ilias users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. + + +#### c + +##### AWS + +AWS built-in features of AWS Identity and Access Management (IAM) and the AWS Console store passwords on AWS systems in a cryptographically-protected format and only support TLS connectivity to the console web site to protect passwords in transit via encryption. 
+ + + + + +##### Drupal + +All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + + + + +##### Ilias + +All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + +#### d + +##### Drupal + +The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). + + + + +##### Ilias + +The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). + + +#### e + +##### Drupal + +Password reuse is limited through software configuration. + + + + +##### Ilias + +Password reuse is limited through software configuration. + + +#### f + +##### AWS + +AWS built-in features of AWS Identity and Access Management (IAM) provides the capability to require new password to be entered upon login. The customer organization, at its discretion, configures IAM to enforce that requirement. + + + + + +##### Drupal + +When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. + + + + + +##### Ilias + +When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. 
+ + +### IA-6: Authentication Feedback + +```text +Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. + +``` +**Status:** None + + +##### AWS + +In this architecture, All Amazon EC2 instances (bastion host, web/proxy servers, application servers) employ SSH for interactive login, and when a key passphrase is prompted for, the SSH prompting mechanism obscures the feedback by default. + +AWS built-in features obscure keystroke feedback for password input during AWS console login with AWS Identity and Access Management (IAM) user credentials, and when the CloudFormation console prompts for an initial database password during Quick Start template deployment. + + + + + +##### Drupal + +Feedback of authentication information is obscured during the authentication process into the Drupal application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. + + + + + +##### Ilias + +Feedback of authentication information is obscured during the authentication process into the Ilias application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. + + +### IA-7: Cryptographic Module Authentication + +```text +Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. + +``` +**Status:** None + + +##### AWS + +AWS built-in features of AWS Identity and Access Management (IAM) authentication employs cryptographic modules that meet requirements as specified and assessed in the AWS FedRAMP authorization package. 
+ + + + + +##### Drupal + +All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + + + + +##### Ilias + +All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + +#### j + +##### Contractor + +CivicActions systems employ authentication methods consistent with NIST FIPS 140-2 requirements. General public access to system web pages does not require cryptographic authentication. Privileged users accessing systems use the public-key cryptographic functionality of Secure Shell (SSH) to encrypt the exchange of information (including the password) between the remote user and the server. Where Transport Layer Security (TLS, aka SSL) is used, cryptographic modules will be configured in accordance with FIPS 140-2. + + + +### IA-8: Identification and Authentication (non-organizational Users) + +```text +Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. + +``` +**Status:** partial + + +##### AWS + +AWS built-in features of AWS Identity and Access Management (IAM) provide the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users, providing privileges based on the credentials, group memberships, and access policies assigned to them. + +The customer organization at its discretion provides user accounts and privileges to both organizational non-organizational users in addition to organizational users. 
+ + + +### IA-8 (1): Acceptance of PIV Credentials from Other Agencies + +```text +Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. + +``` +**Status:** none + + +##### Project + +Project allows the use of customer agency supplied Common Access Cards (CAC). + + + +### IA-8 (2): Acceptance of External Authenticators + +```text + - (a) Accept only external authenticators that are NIST-compliant; and + - (b) Document and maintain a list of accepted external authenticators. + +``` +**Status:** none + + +##### Project + +Project does not utilize FICAM approved credentials. + + + +### IA-8 (4): Use of Defined Profiles + +```text +Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. + +``` +**Status:** none + + +##### Project + +CivicActions does not utilize FICAM approved products or profiles. + + + +### IA-11: Re-authentication + +```text +Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. + +``` +**Status:** incomplete diff --git a/results/docs/controls/IR.md b/results/docs/controls/IR.md new file mode 100644 index 0000000..eeb6b0e --- /dev/null +++ b/results/docs/controls/IR.md 
@@ -0,0 +1,341 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## IR: Incident Response + +### IR-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] incident response policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and + - c. Review and update the current incident response: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel an incident response planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in Incident Response (IR) Policy and Procedure that can be found in the CivicActions Compliance Docs GitHub repository at . 
+ + + + + +##### Project + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + +The Project maintains an Incident Response Plan (IRP), consistent with NIST 800-61, which addresses purpose, scope, roles, and responsibilities. The incident response procedures address any activity or occurrence that compromises the integrity of a system, denies access to or use of IT resources, and compromises the sensitivity of the information stored in, processed by or transmitted by a system. + +Additionally, the IRP includes procedures to respond to waste, fraud, misuse, or abuse of any departmental IT system, damage or loss of software or data contained in any system, Use of unlicensed (pirated) software products, discovery of hardware or software vulnerabilities + +The Project Incident Response Plan can be found in the CivicActions GitHub repository at + + + +### IR-2: Incident Response Training + +```text + - a. Provide incident response training to system users consistent with assigned roles and responsibilities: + - 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; + - 2. When required by system changes; and + - 3. [Assignment: organization-defined frequency] thereafter; and + - b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response training. + + + + + +##### Contractor + +All CivicActions employees are required to participate in incident response training, as required by Incident Response Plan changes, and annually. 
The CivicActions Incident Response Plan () is the basis for the training and the incident response workflow created by the Security Office. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. + + + + + +##### Project + +CivicActions Operations and users of the Project system with incident response responsibilities are required to participate in incident response training once the role is assumed within 10 days, as required by Project changes, and annually. The Incident Response Plan () is the basis for the training and the incident response workflow created by the Security team. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. + + + +### IR-4: Incident Handling + +```text + - a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; + - b. Coordinate incident handling activities with contingency planning activities; + - c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and + - d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident handling. + + + + + +##### Project + +The Client Computer Security Officer (CSO) handles all incidents for the Project Full Name. + +The Client Full Name utilizes proven incident handling methodologies for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. 
Client Full Name maintains a list of lessons learned from ongoing incident handling activities and uses those lessons to update the incident response procedures accordingly. + +Preparation activities includes all CivicActions and Project internal users are trained if their role includes incident response. Detection monitoring tools providing notification to incident response personnel for analysis and action. Containment, eradication and recovery activities include AWS and LAMP-stack inherited fixes and Project system administrators adjusting IP port blocking security groups and SELinux policies. + + + +#### a + +##### Contractor + +CivicActions has implemented an Incident Response Plan () that explains the process for incident handling and discusses preparation, detection and analysis, containment, eradication, and recovery. +Preparation activities include all CivicActions team members who are trained in incident response. Detection and monitoring tools providing notification to incident response personnel for analysis and action. + + + +#### b + +##### Contractor + +CivicActions' Operations staff and Security Office team members are members of the CivicActions Contingency and Incident Response Plan teams which coordinates activities accordingly through the life of the incident event. + + + +#### c + +##### Contractor + +The CivicActions Operations staff and Security Office conduct a post-incident analysis to assist in documenting lessons learned and suggesting changes to improve the incident response process. Tickets created in response to the incident event are reviewed upon completion by the Operations staff and Security Office. Changes to the Incident Response Plan () require a team review session for approval. + + + +### IR-5: Incident Monitoring + +```text +Track and document incidents. 
+ +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident monitoring. + + + + + +##### Contractor + +CivicActions utilizes the JIRA ticketing tool for tracking and reporting of incident events from reporting to resolution and post- incident analysis. Initial reporting can come from continuous monitoring tools as well as client and public submissions made to support@civicactions.com. Jira processes the tickets for the public submissions and the CivicActions Support Team creates associated GitHub Issues. Internal incidents reported are processed within the GitHub Issue queue. Details of the handling procedures are included in the CivicActions Incident Response Plan () Response Process. + + + + + +##### Project + +The Project utilizes network and host-based intrusion detection systems, monitoring the system and application logs for anomalous events. Incidents are tracked using the same ticketing system that is used to track all system-related changes and events. + + + +### IR-6: Incident Reporting + +```text + - a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and + - b. Report incident information to [Assignment: organization-defined authorities]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident reporting. + + + + + +##### Project + +If an incident involves suspicious activity, CivicActions Operations will contact the Project System Owner who may then contact the Project CSO. + +The CivicActions Computer Security Officer (CSO) handles all incidents for the Project. The CSO is prepared to report all incidents to the Client Full Name. 
+ + + +#### a + +##### Contractor + +CivicActions personnel, as soon as an incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. Methods of detection and/or communication may include one or more of: + +- Through continuous monitoring tools (StatusCake, OSSEC, others). +- As a result of application notifications where CivicActions Security + receives notifications (AIDE, OpsGenie, others). + +- Event logging described in AC-2 +- Host-based alerts from the cloud infrastructure or platform. + + + +#### b + +##### Contractor + +CivicActions personnel, as soon as the incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. + + + +### IR-7: Incident Response Assistance + +```text +Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response assistance. + + + + + +##### Contractor + +CivicActions Help Desk team provides first response assistance to any users of the system. Response time for external reporting of incidents through e-mail is one business day. Internal users are able to request support thought the same process or initiate the incident response workflow. Tickets created in the Jira (customer ticketing system) and GitLab (internal ticketing system) documents all details related to the incident to assist the Incident Response Teams in handling the incident. + + + +### IR-8: Incident Response Plan + +```text + - a. Develop an incident response plan that: + - 1. Provides the organization with a roadmap for implementing its incident response capability; + - 2. 
Describes the structure and organization of the incident response capability; + - 3. Provides a high-level approach for how the incident response capability fits into the overall organization; + - 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; + - 5. Defines reportable incidents; + - 6. Provides metrics for measuring the incident response capability within the organization; + - 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; + - 8. Addresses the sharing of incident information; + - 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] + [Assignment: organization-defined frequency]; and + - 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. + - b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; + - c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; + - d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and + - e. Protect the incident response plan from unauthorized disclosure and modification. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response plan. + + + + + +##### Project + +The Project Incident Response Plan () includes a comprehensive incident response program, which details the implementation of procedures and tools required for incident handling. 
The incident response program details the roles and responsibilities of Project/ CivicActions IR Team. The IR Team includes members from CivicActions Security and Operations teams. Incident response plays a pivotal role in monitoring, detecting and handling security incidents of the entire information system. The IRP details categorization of incidents in accordance with NIST 800-61 and accordingly documents and reports incidents. The IRP is reviewed annually and updated as needed by ISSO, with the assistance of the Incident Response Team. + + + +#### a + +##### Contractor + +Incident response plays a pivotal role in monitoring, detecting and handling security incidents of the entire information system. CivicActions has developed an Incident Response Plan () that: + +1. Provides CivicActions with procedures and tools required for incident handling; +2. Describes the structure and organization of the incident response capability; +3. Provides a high-level approach for how the incident response capability fits into + CivicActions and the systems it maintains; + +4. Meets the mission, size, structure, and functions of CivicActions; +5. Defines reportable incidents; +6. Provides metrics for measuring the incident response capability and details categorization + of incidents in accordance with NIST 800-61; + +7. Defines the roles and responsibilities of CivicActions IR Team; +8. Is reviewed annually and updated as needed by the CivicActions Security Office, + with the assistance of the Incident Response Team. + + + +#### b + +##### Contractor + +The CivicActions Incident Response Plan is distributed to all CivicActions team members as part of the CivicActions Handbook (). + The Incident Response Team includes members from the Security Office, + Operations staff, and Drupal Engineering teams. + + + +#### c + +##### Contractor + +The CivicActions Security Office and the Incident Response team is responsible for reviewing the Incident Response Plan annually. 
The entire Incident Response Team will review the plan and update it as necessary. Ultimately, the Security Office has the final say and will approve all updates to the plan. + + + +#### d + +##### Contractor + +The CivicActions Security Office is responsible for managing the IR Plan, including annual reviews and updates. The IR Plan is updated to reflect any changes to processes, systems or applications. In addition, any concerns or difficulties encountered during IR Plan implementation, execution, or testing are addressed in an update to the IR Plan. + + + +#### e + +##### Contractor + +Modifications to the IR Plan are conducted by the IR team the (CivicActions Security Office, Operations staff and Engineering teams) and communicated to the CivicActions team. + + + +#### f + +##### Contractor + +The IR Plan is available in the CivicActions Handbook and is maintained in the CivicActions GitHub repository. GitHub provides the configuration management capabilities for the IR Plan to be protected from unauthorized disclosure and modification. diff --git a/results/docs/controls/MA.md b/results/docs/controls/MA.md new file mode 100644 index 0000000..a23de43 --- /dev/null +++ b/results/docs/controls/MA.md 
@@ -0,0 +1,186 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## MA: Maintenance + +### MA-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] maintenance policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and + - c. Review and update the current maintenance: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Maintenance (MA) Policy and Procedure document that can be found in the CivicActions GitHub repository at . + + + + + +##### Project + +System maintenance policy and procedures are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to software and systems maintenance and updates. The Project Full Name ensures that maintenance controls are developed, disseminated, reviewed, and updated as necessary. + +Physical and environmental protection is fully inherited from the AWS FedRAMP certified us-east cloud. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### MA-2: Controlled Maintenance + +```text + - a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; + - b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; + - c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; + - d. 
Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information]; + - e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and + - f. Include the following information in organizational maintenance records: [Assignment: organization-defined information]. + +``` +**Status:** complete + + +##### AWS + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + + + +##### Project + +The Project schedules, performs, and documents regular maintenance on the software components of all systems, including but not limited to: + +- Hourly automated snapshot backups +- Daily disaster recovery remote backups +- Daily Intrusion Detection (OSSEC) / Data Integrity Assurance (AIDE) +- As needed help desk support +- Twice-monthly OS updates/patches + + + +### MA-4: Nonlocal Maintenance + +```text + - a. Approve and monitor nonlocal maintenance and diagnostic activities; + - b. 
Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; + - c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; + - d. Maintain records for nonlocal maintenance and diagnostic activities; and + - e. Terminate session and network connections when nonlocal maintenance is completed. + +``` +**Status:** complete + + +##### AWS + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +#### a + +##### Contractor + +System maintenance is done from remote sites as there is no direct access to the server instances in the AWS cloud; this is the government-approved method of doing business. Approval, QA, and monitoring are conducted by the team performing the specific maintenance. + + + +#### b + +##### Contractor + +Remote diagnostics tools, such as OSSEC, AIDE, fail2ban, and OpenSCAP are used to verify the integrity of files, perform log analysis, monitor login attempts and check for rootkits and other vulnerabilities. 
+ + + +#### c + +##### Contractor + +All nonlocal maintenance requires the same authentication requirements to perform the maintenance activities to access the system as defined in controls AC-3 and IA-2. SSH is used to secure all communications between the remote user and the components located in the AWS cloud. + + + +#### d + +##### Contractor + +CivicActions records for nonlocal maintenance is managed through JIRA tickets and the Git issue queue as well as normal system logs. CivicActions administrator activity to the system is also logged through the implementation of the AU-2 (Audit Events) and AU-3 (Content of Audit Records). + + + +#### e + +##### Contractor + +Any session for internal maintenance activities is terminated when the user completes their session, disconnects from the system, or logs out. In addition, sessions are terminated after 15 minutes of inactivity. + + + +### MA-5: Maintenance Personnel + +```text + - a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; + - b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and + - c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. + +``` +**Status:** complete + + +##### AWS + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + + + +##### Contractor + +Maintenance of the system and applications can only be performed by personnel designated as having internal administrator privileges and responsibilities. Access rights for the internal administrators are assigned and granted access to perform their specific job responsibilities. All physical maintenance requirements are inherited from AWS. + + + + + +##### Project + +Client maintains a list of authorized contract (CivicActions) personnel who perform maintenance and repair activities on the Project Project system components, and only these authorized personnel may perform the maintenance. All maintenance personnel have the required personnel security elements in place. diff --git a/results/docs/controls/MP.md b/results/docs/controls/MP.md new file mode 100644 index 0000000..332b79b --- /dev/null +++ b/results/docs/controls/MP.md 
@@ -0,0 +1,103 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## MP: Media Protection + +### MP-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] media protection policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and + - c. Review and update the current media protection: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** None + + +##### AWS + +This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in CivicActions Media Protection (MP) Policy and Procedure document that can be found in the CivicActions GitHub repository at . + + + + + +##### Project + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. Media protection policy and procedures are fully inherited from AWS Cloud. + + + +### MP-2: Media Access + +```text +Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. + +``` +**Status:** complete + + +##### AWS + +This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### MP-6: Media Sanitization + +```text + - a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and + - b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. + +``` +**Status:** complete + + +##### AWS + +This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### MP-7: Media Use + +```text + - a. [Selection: Restrict, Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and + - b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. 
+ +``` +**Status:** complete + + +##### AWS + +This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. diff --git a/results/docs/controls/PE.md b/results/docs/controls/PE.md new file mode 100644 index 0000000..51d1637 --- /dev/null +++ b/results/docs/controls/PE.md 
@@ -0,0 +1,216 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## PE: Physical and Environmental Protection + +### PE-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] physical and environmental protection policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and + - c. Review and update the current physical and environmental protection: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-2: Physical Access Authorizations + +```text + - a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; + - b. Issue authorization credentials for facility access; + - c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and + - d. Remove individuals from the facility access list when access is no longer required. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-3: Physical Access Control + +```text + - a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: + - 1. 
Verifying individual access authorizations before granting access to the facility; and + - 2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices], guards]; + - b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; + - c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; + - d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; + - e. Secure keys, combinations, and other physical access devices; + - f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and + - g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-6: Monitoring Physical Access + +```text + - a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; + - b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and + - c. Coordinate results of reviews and investigations with the organizational incident response capability. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-8: Visitor Access Records + +```text + - a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; + - b. Review visitor access records [Assignment: organization-defined frequency]; and + - c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. 
+ +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-12: Emergency Lighting + +```text +Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-13: Fire Protection + +```text +Employ and maintain fire detection and suppression systems that are supported by an independent energy source. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-14: Environmental Controls + +```text + - a. Maintain [Selection (one or more): temperature, humidity, pressure, radiation, [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and + - b. Monitor environmental control levels [Assignment: organization-defined frequency]. 
+ +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-15: Water Damage Protection + +```text +Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). 
+ +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + + +### PE-16: Delivery and Removal + +```text + - a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and + - b. Maintain records of the system components. + +``` +**Status:** complete + + +##### AWS + +This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. diff --git a/results/docs/controls/PL.md b/results/docs/controls/PL.md new file mode 100644 index 0000000..a481a10 --- /dev/null +++ b/results/docs/controls/PL.md 
@@ -0,0 +1,244 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## PL: Planning + +### PL-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] planning policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the planning policy and the associated planning controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and + - c. Review and update the current planning: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a system planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Planning (PL) Policy and Procedure document that can be found in the CivicActions GitHub repository at . + + + + + +##### Project + +This is Agency common control. 
More data about implementation can be obtained from the Agency common control catalog. + +The Project developed its security policy planning and procedures based on None, guidance from NIST, the Office of Management and Budget and industry best practices. Security policies and procedures are formally documented within the Project SSP, which provides the roles and responsibilities as it pertains to security planning. It provides guidance on all aspects of security for the protection of Project information technology resources. It defines responsibilities for the implementation and oversight of the guidance contained herein. The plan was last updated in December, 2015. + + + +### PL-2: System Security and Privacy Plans + +```text + - a. Develop security and privacy plans for the system that: + - 1. Are consistent with the organization’s enterprise architecture; + - 2. Explicitly define the constituent system components; + - 3. Describe the operational context of the system in terms of mission and business processes; + - 4. Identify the individuals that fulfill system roles and responsibilities; + - 5. Identify the information types processed, stored, and transmitted by the system; + - 6. Provide the security categorization of the system, including supporting rationale; + - 7. Describe any specific threats to the system that are of concern to the organization; + - 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; + - 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; + - 10. Provide an overview of the security and privacy requirements for the system; + - 11. Identify any relevant control baselines or overlays, if applicable; + - 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; + - 13. 
Include risk determinations for security and privacy architecture and design decisions; + - 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and + - 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. + - b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; + - c. Review the plans [Assignment: organization-defined frequency]; + - d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and + - e. Protect the plans from unauthorized disclosure and modification. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS system security plan. + + + + + +##### Project + +The System Security Plan (SSP) was developed and implemented for Project system in accordance with None, NIST SP 800-18 and NIST SP 800-37. The SSP includes a description of the management, operational, and technical controls in place or planned for the application. The SSP is included as a key document in an application’s C&A package and is reviewed and approved by designated officials. The SSP identifies the system owner and responsible parties for managing system access and the overall security of the system. The Chief Information Security Officer reviews and approves the SSP. The SSP will be reviewed at least annually and updated to account for any changes to the Project system and to address any changes in security controls. + + + +#### a + +##### Contractor + +CivicActions has developed this system security plan (SSP) for the information system as part of compliance with NIST 800-53 and FIPS 199. 
The SSP defines the security categorization, system boundary, and security requirements and controls meeting the requirements of the NIST Risk Management Framework (RMF). Specifically the SSP: + +1. Is consistent with the organization’s enterprise architecture +2. Explicitly defines the authorization boundary for the system +3. Describes the operational context of the information system in terms of missions and business + processes + +4. Provides the security categorization of the information system including supporting rationale +5. Describes the operational environment for the information system and relationships with or + connections to other information systems + +6. Provides an overview of the security requirements for the system +7. Identifies any relevant overlays, if applicable +8. Describes the security controls in place or planned for meeting those requirements including a + rationale for the tailoring decisions + +9. Is reviewed and approved by the authorizing official or designated representative prior to plan + implementation + + + +#### b + +##### Contractor + +The SSP is reviewed and approved by the authorizing official prior to plan implementation. A copy of the SSP is provided to authorized CivicActions and assessing personnel including the System Owner, Authorizing Official, Information System Security Officer, System/Network Administrator, and the CivicActions Operations staff. The SSP is maintained by the CivicActions Security Office. + + + +#### c + +##### Contractor + +The SSP is reviewed at least annually by the System Owner and the CivicActions Operations staff in collaboration with the CivicActions Security Office. + + + +#### d + +##### Contractor + +The CivicActions Operations staff in collaboration with the CivicActions Security Office updates the system description and control descriptions within the SSP as needed to verify the SSP is an accurate description of the system. 
+ + + +#### e + +##### Contractor + +The SSP is currently available to authorized users on GitLab. Per the Acceptable Use Policy, all entities granted access to CivicActions information assets are required to complete a non-disclosure agreement (NDA) to uphold information confidentiality. GitLab provides the configuration management capabilities for the SSP to be protected from unauthorized disclosure and modification. + + + +### PL-4: Rules of Behavior + +```text + - a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; + - b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; + - c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and + - d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency], when the rules are revised or updated]. + +``` +**Status:** complete +#### a + +##### Contractor + +CivicActions has created and made readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage. These rules, defined as the Acceptable Use Policy, are included in the CivicActions Security Policy accessible here: which has also been uploaded to CSAM as ''Appendix J1 - System Rules of Behavior - Privileged User'' (CivicActions Security Policy 20190226.docx).' 
+ + + + + +##### Project + +Project has created and made readily available to individuals requiring access to the information system the rules that describes their responsibilities and expected behavior with regard to information and information system usage. These rules are captured in ‘Appendix J2 - System Rules of Behavior - General User’ (ProjectSystemRoB2019-template.docx). + +Project has reviewed and accepted as a superset alternative the CivicActions Acceptable Use Policy. + + + +#### b + +##### Contractor + +CivicActions HR receives a signed acknowledgment from all employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. The text of the electronically signed (via DocuSign) acknowledgment document has been uploaded to CSAM as artifact: ''CivicActions Security Policy Acknowledgement.docx'' + + + + + +##### Project + +The Project System Owner receives a signed acknowledgment from such individuals that are not CivicActions employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. + + + +#### c + +##### Contractor + +CivicActions reviews the CivicActions Security Policy at least annually and updates as required. + + + + + +##### Project + +Project reviews the Rules of Behavior at least annually and updates it as required. + + + +#### d + +##### Contractor + +CivicActions requires individuals who have signed a previous version of the CivicActions Security Policy to read and re-sign when any part of it, including the Acceptable Use Policy/Rules of Behavior, is revised/updated. + + + + + +##### Project + +Project requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the Rules of Behavior are revised/updated. 
+ + + +### PL-4 (1): Social Media and External Site/application Usage Restrictions + +```text +Include in the rules of behavior, restrictions on: + - (a) Use of social media, social networking sites, and external sites/applications; + - (b) Posting organizational information on public websites; and + - (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. + +``` +**Status:** incomplete +### PL-10: Baseline Selection + +```text +Select a control baseline for the system. + +``` +**Status:** incomplete +### PL-11: Baseline Tailoring + +```text +Tailor the selected control baseline by applying specified tailoring actions. + +``` +**Status:** incomplete diff --git a/results/docs/controls/PS.md b/results/docs/controls/PS.md new file mode 100644 index 0000000..753d192 --- /dev/null +++ b/results/docs/controls/PS.md 
@@ -0,0 +1,382 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## PS: Personnel Security + +### PS-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] personnel security policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and + - c. Review and update the current personnel security: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in CivicActions Personnel Security (PS) Policy document that can be found in the CivicActions GitHub repository at . 
+ + + + + +##### Project + +The Project documents the security policy and procedures in addressing position categorization, personnel screening, personnel termination, personnel transfer, and access agreements within the Project SSP. Project adopts the Client personnel security standards and determines position risks levels based on public trust responsibilities. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### PS-2: Position Risk Designation + +```text + - a. Assign a risk designation to all organizational positions; + - b. Establish screening criteria for individuals filling those positions; and + - c. Review and update position risk designations [Assignment: organization-defined frequency]. + +``` +**Status:** complete + + +##### Project + +Project position sensitivity levels are assigned by the Client Full Name. Each position designation is documented on the Standard Position Description (SPD) and assigned a risk level (or sensitivity level) commensurate with the sensitivity of the information, the risk to that information and the system maintaining that information. The levels of risk still need to be designated by Client for employee and contractor positions but since Project system does not have any sensitive data, a low risk scenario can be assumed. + +- Employee risk levels and background investigations are: Low Risk= NACI, Moderate Risk= LBI, + High Risk= BI. + +- Contractor risk levels and background investigations are: Low Risk= NACI, Moderate Risk= NACC, + High Risk= BI. + + +In order to ensure every employee is assigned to a position, which has been reviewed for sensitivity by the NCC, the SPD is a required data attribute of an employee’s HR record. Position risks designations are reviewed and revised when NCC or OPM publish changes to sensitivity levels. + +This is Agency common control. 
More data about implementation can be obtained from the Agency common control catalog + + + +#### a + +##### Contractor + +Risk designations are assigned to all CivicActions positions. The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to assign risk designations. + + + +#### b + +##### Contractor + +The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to establish screening criteria for all CivicActions positions. + + + +#### c + +##### Contractor + +At least every three (3) years, the CivicActions Office of Human Resources reviews and revises position risk designations. If the Office of Human Resources determines that significant changes must be made to the position risk descriptions the Office of Human Resources works in coordination with the CivicActions Security Office to implement changes as required. + + + +### PS-3: Personnel Screening + +```text + - a. Screen individuals prior to authorizing access to the system; and + - b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. + +``` +**Status:** complete + + +##### Project + +Minimum background investigations are conducted, since all data is non-sensitive, for individuals requiring access to Project information and information systems. The type of background investigation conducted for an individual is determined by the individual’s position risk categorization noted in control PS-2. Client conducts periodic reinvestigations in accordance with OPM and NIST guidelines. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. 
+ + + +#### a + +##### Contractor + +Prospective CivicActions employees undergo background checks commensurate with the individual’s job duties, the classification of the information they will access, and the risks associated with the role. At the discretion of the CivicActions Security Office, these checks may also be conducted on contractors and/or third party users in cases where they will have access to application data that is not meant to be consumed by the public. In these instances, the Security Office will instruct the Office of Human Resources to conduct a background check before granting access to the information system. + + + +#### b + +##### Contractor + +Re screening is conducted as required by the individual’s job duties, the classification of the information they will access, and the risks associated with the role. A basic background check is performed for all CivicActions employees. + + + +### PS-4: Personnel Termination + +```text +Upon termination of individual employment: + - a. Disable system access within [Assignment: organization-defined time period]; + - b. Terminate or revoke any authenticators and credentials associated with the individual; + - c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; + - d. Retrieve all security-related organizational system-related property; and + - e. Retain access to organizational information and systems formerly controlled by terminated individual. + +``` +**Status:** complete + + +##### Project + +Client Full Name HR policy states that managers or designated officials are responsible for recovering and properly securing employee badges and returning it to the local physical security office. The Client executes termination procedures that remove personnel access privileges, computer accounts. When an employee is terminated, the employee’s manager or designated official completes a form requesting termination of access for the user. 
Local management and the security manager coordinate disabling or removing Project privileged access with the system administrator. The employee’s manager or designated official is responsible for recovering and properly securing his/her ID badge and returning it to the local physical security office. The employee’s manager or designated official ensures that any information on the system that the employee was responsible for will be available to the appropriate personnel. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +#### a + +##### Contractor + +Information system access is terminated immediately upon the voluntary or involuntary departure of an employee. In the case of involuntary departure, in addition to immediate termination of system access, at no point is a departing employee allowed access to any part of the CivicActions infrastructure. +In the case of voluntary departure, employees are permitted access to the information system for the duration of their off-boarding period. The departing employee’s manager is responsible for informing the Information Technology department when the employee off-boarding period concludes. At this time system and facility, access is terminated. + + + +#### b + +##### Contractor + +The terminated user’s accounts are disabled and all access associated with the individual is revoked. + + + +#### c + +##### Contractor + +The employee's manager or the Office of Human Resources conducts exit interviews with all employees who leave CivicActions voluntarily. There is a general discussion about the process of turning in any/all company-issued devices, laptops, etc. + + + +#### d + +##### Contractor + +CivicActions employees provide their own equipment that must be hardened to security requirements depending upon their roles and duties. CivicActions supplies two-factor authentication tokens that become the property of the employee. 
+Some employees may receive company-issued hardware for working on particular projects. These items are collected before the employee exits CivicActions. In the case of an involuntary termination, the Office of Human Resources works to collect company-issued devices and provides paperwork highlighting confidential protections for customers. + + + +#### e + +##### Contractor + +Access to CivicActions information and information systems is always shared so that the termination of an individual will not prevent CivicActions from having access to needed resources. + + + +#### f + +##### Contractor + +When a person is terminated, a standard off-boarding process is used to notify management and CivicActions' Operations staff, and to track the process of disabling access to the information system/information system components. The CivicActions Operations staff and Security Office are given at least four hours notice to schedule the deactivation of access upon termination. Deactivation is a manual process that is tracked via a Trello card in order to meet the four hour turnaround time before termination. + + + +### PS-5: Personnel Transfer + +```text + - a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; + - b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; + - c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and + - d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. 
+ +``` +**Status:** complete + + +##### Project + +When an employee is reassigned or transferred, the employee’s manager or designated official is required to request transfer of access (as appropriate) for the user. + +In accordance with the Client Full Name HR policy, the employee’s manager or designated official is responsible for recovering and properly securing his/her ID badge and returning it to the local physical security office. The manager provides prompt notification to the Project system/security administrator when an employee changes assignments and/or location. This includes taking prompt and appropriate action to change employee access profile and/or remove employee from the system; and ensure that users’ system access is cancelled when the need no longer exists. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +#### a + +##### Contractor + +When an employee, third party personnel and/or contractor is transferred to a new project or position within CivicActions, they may maintain access to the previous system they were working on in order to facilitate the process of maintenance and knowledge transfer. However, as part of the practices of account management (AC-2) and least privilege (AC-6), regular audits of privileged users are conducted and access privileges may be removed when no longer needed. Additionally, adherence to specific client SLAs may enhance the frequency of such audits or the timeliness of privilege removal during personnel transfer. + + + +#### b + +##### Contractor + +When an employee, third party personnel and/or contractor is transferred to a new position within CivicActions and there is a requirement for access change, such access changes are normally completed within five business days. 
+ + + +#### c + +##### Contractor + +Access authorizations are modified as needed to coincide with changes in duties or operational needs upon personnel transfer or reassignment. + + + +#### d + +##### Contractor + +CivicActions Operations staff is informed of transfers that require access authorization modifications within five business days by the Project Manager, System Owner or Office of Human Resources. + + + +### PS-6: Access Agreements + +```text + - a. Develop and document access agreements for organizational systems; + - b. Review and update the access agreements [Assignment: organization-defined frequency]; and + - c. Verify that individuals requiring access to organizational information and systems: + - 1. Sign appropriate access agreements prior to being granted access; and + - 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. + +``` +**Status:** complete +#### a + +##### Project + +All users of the Project system must read and accept access agreements upon every login. + + + +#### b + +##### Project + +The Access Agreements are reviewed at least annually or when a significant change occurs. + + + +#### c + +##### Project + +All individuals requiring access to the Project system are required to sign the Access Agreements before login is granted. When the Access Agreements are updated, the individual will be required to sign the new copy before regaining access. + + + +### PS-7: External Personnel Security + +```text + - a. Establish personnel security requirements, including security roles and responsibilities for external providers; + - b. Require external providers to comply with personnel security policies and procedures established by the organization; + - c. Document personnel security requirements; + - d. 
Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and + - e. Monitor provider compliance with personnel security requirements. + +``` +**Status:** complete +#### a + +##### Project + +Personnel security requirements including security roles and responsibilities that apply to primary contracting organizations flow down to their subcontractors. + + + +#### b + +##### Project + +Personnel security policies and procedures that apply to primary contracting organizations flow down to their subcontractors. + + + +#### c + +##### Project + +All personnel security requirements are documented in PS-1 and other related Personnel Security controls. + + + +#### d + +##### Project + +For personnel transfers and terminations of third-party personnel, the procedures defined in employee termination (PS-4) and employee transfer (PS-5) flow down to subcontractors. + + + +#### e + +##### Project + +Compliance measures for assessing third-party personnel and/or contractors are determined on a case-by-case basis. Third-party personnel are monitored to ensure compliance with personnel security requirements. + + + +### PS-8: Personnel Sanctions + +```text + - a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and + - b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. 
+ +``` +**Status:** complete + + +##### Project + +The disciplinary sanctions for personnel failing to comply with establish IT security policies and procedures are included in Client Full Name HR policy. If an employee violates the Client information security policies and procedures, the employee may be subject to disciplinary action at the discretion of management. Actions may range from verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation. Disciplinary sanctions are reported to the OCIO. + + + +#### a + +##### Contractor + +The CivicActions Security Office and/or the Office of Human Resources is responsible for determining and enforcing sanctions for failing to comply with established information security policies and procedures. Coaching may be considered prior to sanctions. Sanctions may include but are not limited to written warnings, reduction in system access, demotion, or termination. + + + +#### b + +##### Contractor + +When employee sanctions processes are initiated, the Office of Human Resources notifies the respective Project Manager(s) and CivicActions' Security Office within five business days. + + + +### PS-9: Position Descriptions + +```text +Incorporate security and privacy roles and responsibilities into organizational position descriptions. + +``` +**Status:** incomplete diff --git a/results/docs/controls/RA.md b/results/docs/controls/RA.md new file mode 100644 index 0000000..f0d8e3d --- /dev/null +++ b/results/docs/controls/RA.md 
@@ -0,0 +1,255 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## RA: Risk Assessment + +### RA-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] risk assessment policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and + - c. Review and update the current risk assessment: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013. + + + + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Risk Assessment (RA) Policy and Procedure that can be found in the CivicActions GitHub repository at . 
+ + + + + +##### Project + +The Client follows the risk assessment policy and procedures formally documented within None. Furthermore, a Risk Assessment Plan was originally initiated to determine the extent of the potential threat and the risk associated with Project throughout its System Development Life Cycle (SDLC). The Project Risk Assessment defines the methodology approach to determine the likelihood risks, and identify potential mitigation options to reduce risks to the Project system. + +The Project Risk Assessment will be conducted in accordance with the Department’s risk assessment policy and procedures. By doing so, the responsible parties associated with the Project will be able to determine the risk, likelihood and impact that could result from exploiting vulnerabilities within the system. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### RA-2: Security Categorization + +```text + - a. Categorize the system and information it processes, stores, and transmits; + - b. Document the security categorization results, including supporting rationale, in the security plan for the system; and + - c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. + +``` +**Status:** complete +#### a + +##### Project + +In accordance with FIPS 199 requirement and guidelines provided in NIST SP800-60 Rev.1, the organization categorized the system as a Low system: Confidentiality (Low), Integrity (Low), Availability (Low). + + + +#### b + +##### Project + +The security categorization was determined by evaluating the type of information that is stored, processed, and/or transmitted by the application and the potential impact levels associated with the confidentiality, integrity, and availability of that information. The application’s security categorization has been documented in this SSP. 
+ + + +#### c + +##### Project + +The security categorizations have been reviewed by the designated application POCs, were approved during the C&A effort. The formal security categorization document is available upon request. The system inventory for the Project Project is revalidated semiannually. + + + +### RA-3: Risk Assessment + +```text + - a. Conduct a risk assessment, including: + - 1. Identifying threats to and vulnerabilities in the system; + - 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and + - 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; + - b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; + - c. Document risk assessment results in [Selection: security and privacy plans, risk assessment report, [Assignment: organization-defined document]]; + - d. Review risk assessment results [Assignment: organization-defined frequency]; + - e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and + - f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. + +``` +**Status:** Planned +#### a + +##### Project + +CivicActions/Project will perform risk assessments for the Project system based on SP 800-30 Rev. 1 Guide for Conducting Risk Assessments at least annually and as part of the change management activities for the Project system that warrant a new or updated risk assessment. 
+ + + +#### b + +##### Project + +The results of risk assessments will be compiled into a risk assessment report to be reviewed by CivicActions Security and relevant personnel, and also added to the GitLab system for the Project system. + + + +#### c + +##### Project + +CivicActions/Project reviews risk assessment +results at least annually. + + + +#### d + +##### Project + +The Risk Assessment report will be disseminated to the appropriate +personnel through the Project Manager and CivicActions +Security. + + + +#### e + +##### Project + +Risk assessments are conducted annually or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system, as defined in NIST Special Publication 800-37 Revision 1. +A significant change includes: + +- Changing authentication or access control implementations; +- Changing storage implementations; +- Changing a COTS product to another product; +- Changing the backup mechanisms and process; and, +- Adding new interconnections to an outside service provide. + + + +### RA-3 (1): Supply Chain Risk Assessment + +```text + - (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and + - (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. + +``` +**Status:** incomplete +### RA-5: Vulnerability Monitoring and Scanning + +```text + - a. 
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; + - b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: + - 1. Enumerating platforms, software flaws, and improper configurations; + - 2. Formatting checklists and test procedures; and + - 3. Measuring vulnerability impact; + - c. Analyze vulnerability scan reports and results from vulnerability monitoring; + - d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; + - e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and + - f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. + +``` +**Status:** partial + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: vulnerability scanning. + + + + + +##### Project + +The Project uses vulnerability scanning software to document and determine risks to the system. These scans are run monthly and the results of these scans are being used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. + + + +#### a + +##### Contractor + +CivicActions Operations uses vulnerability scanning software to document and determine risks to the system. 
Operating system and application vulnerability scans include: + +- The CivicActions system environment employs the OpenSCAP scanner with the Red Hat STIG baseline to check for vulnerabilities. +- The CivicActions application environment is tested by the penetration tester OWASP ZAP, an open-source web application security scanner to report on needed updates based on known flaws. + +CivicActions Operations has automated the process to perform the scans on a monthly basis. The resulting reports list vulnerabilities and rank them by severity. These reports are stored in Amazon S3 buckets and are used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. + + + +#### b + +##### Contractor + +CivicActions employs the automated vulnerability scanning tools OpenSCAP and OWASP ZAP which are interoperable with standard web browsers, the Open Source Ansible infrastructure provisioning system and other Open Source tools. + + + +#### c + +##### Contractor + +The CivicActions Security Office reviews all vulnerabilities identified from automated scans and security assessments. "False positive" findings are documented and may be tailored out. Vulnerabilities found and deemed legitimate are assigned an impact rating and response time thought creation of an issue or ticket. The CivicActions Operations staff reviews current scans and compare with older scans to identify trends and to verify previous vulnerabilities have been mitigated. 
+ + + +#### d + +##### Contractor + +Identified and reported vulnerabilities are assigned an impact rating and response time by CivicActions' Security and must be remediated according to the following time requirements: + +- Critical - Within 15 days of discovery (usually within 1 week)) +- High - Within 30 days of discovery (usually within 1 week)) +- Moderate - Within 90 days of discovery (usually within 2 weeks) +- Low - Within 180 days of discovery + + + +#### e + +##### Contractor + +Results of the vulnerability scans and security assessments are shared with all appropriate CivicActions personnel supporting continuous monitoring requirements. CivicActions Security assigns each vulnerability an impact rating and response time through JIRA or the Git issue tool for tracking to the established remediation deadlines listed in RA-5(d). + + + +### RA-5 (2): Update Vulnerabilities to Be Scanned + +```text +Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency], prior to a new scan, when new vulnerabilities are identified and reported]. + +``` +**Status:** incomplete +### RA-5 (11): Public Disclosure Program + +```text +Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. + +``` +**Status:** incomplete +### RA-7: Risk Response + +```text +Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. + +``` +**Status:** incomplete diff --git a/results/docs/controls/SA.md b/results/docs/controls/SA.md new file mode 100644 index 0000000..7414be0 --- /dev/null +++ b/results/docs/controls/SA.md 
@@ -0,0 +1,491 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## SA: System and Services Acquisition + +### SA-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] system and services acquisition policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and + - c. Review and update the current system and services acquisition: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained by the CivicActions System and Services Acquisition (SA) Policy document that can be found in the CivicActions GitHub repository at . + + + + + +##### Project + +The Project complies with the None. 
The Project will identify new threats/vulnerabilities and technologies that may require updating of solicitation documents. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### SA-2: Allocation of Resources + +```text + - a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; + - b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and + - c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. + +``` +**Status:** complete + + +##### Project + +The Project System Owner is responsible for leading the annual budgeting process and for tracking organizational spending. The System Owner coordinates with the CivicActions Project Manager and CivicActions Security on at least monthly basis to track security priorities and spending patterns and determine financial requirements. The System Owner also coordinates the approval process for interim increases to the security budget, if required. This data is used to support the development of the annual budget. + +Security costs are included in Exhibit 53 in the Department's on-line electronic Capital Planning and Investment Control system (eCPIC) in order to provide adequate business case information for budget purposes. Security costs are represented across the life cycle in the business case (Exhibit 300) for major investments and (Exhibit 53) for non-major projects - Project is a non-major project. Security costs are summarized and listed as a line item on the Exhibit 53 in the budget submitted to Treasury. 
+ +Costs for providing security at the infrastructure level are contained in the business cases for infrastructure supporting computing platforms, desktop processing, the network environment, and web capability. Since the Exhibit 53 includes projections for multiple fiscal years, its intention is to identify and anticipate security resources required. + + + +#### a + +##### Contractor + +CivicActions' Security Office, in collaboration with the System Owner, act and/or meet on a pre-determined basis to determine information system security requirements and to develop implementation budgets and plans. + + + +#### b + +##### Contractor + +The CivicActions Security Office, in collaboration with the System Owner, determines, designates, documents, and allocates the resources required to protect the system as part of its capital planning and investment control processes. + + + +#### c + +##### Contractor + +The annual budget developed by the System Owner includes explicit budgetary line items for FISMA security requirements. Additional security-related expenditures that fall outside of explicit compliance requirements are addressed in sub-lines under the CivicActions Information Technology budget. + + + +### SA-3: System Development Life Cycle + +```text + - a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; + - b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; + - c. Identify individuals having information security and privacy roles and responsibilities; and + - d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. 
+ +``` +**Status:** complete + + +##### Project + +The Project draws from the None, NIST SP 800-64, and Agile software development methodology to ensure security requirements are incorporated during each phase of the life cycle. This helps to ensure the development of secure systems and effective risk management. + + + +#### a + +##### Contractor + +The system and application(s) are managed by CivicActions using the Agile software development methodology, which provides a continuous System Development Life Cycle (SDLC) methodology. CivicActions Agile management continues to improve the software through ongoing planned code releases. The process is overseen by the Change Control Board (CCB) as described in CM-1. Each point release introduces code and configuration changes to the website through the following SDLC methodology: + +- Code release planning: A code release ticket is created in the Change Request project of the + CivicActions ticketing system which describes the overall goals of the code release. + The code release ticket is linked to other tickets in the ticketing system which describe issues to + be addressed by the planned code release. Those issues may include bug fixes and feature enhancements + as well as upgrades to newer versions of the software packages that have been used to build the + website. + +- Sprints: The tickets covered by the planned code release are then implemented through a series of + planned sprints, each of which typically lasts two weeks. Each sprint begins with a sprint planning + session at which the CCB selects a list of tickets to be implemented. CivicActions + Development holds daily coordination meetings throughout the sprint to share information and resolve + any problems that may be blocking progress toward completion. At the end of the sprint, a + retrospective is performed in which progress is reviewed to determine which issues have been + resolved and which need further work. 
+ +- Development/unit testing: Work on each ticket is performed within a separate code branch within the + CivicActions Git repository, and tested using the GitLab Runner continuous integration + platform. Developers also write unit tests to prove their code behaves as expected and address security + considerations such as information leakage, bounds checking, and input validation. Once work on a + ticket is completed, the developer creates a merge request, and the changes are submitted to at least + one other developer for review to ensure they meet functional requirements and address security + considerations before the pull request is merged into the Git repository's development branch for the + planned code release. + +- Integration testing: Once all work tickets have been completed, the code and configuration necessary + to implement the changes are merged into the website's staging server, where it undergoes additional + testing to ensure there are no conflicts between the work that has been done on individual tickets. + +- User acceptance testing (UAT): The code release undergoes manual testing against a checklist of + expected site behaviors and options each of the website's defined user roles to further verify that + the functional changes work as expected and to identify any changes in user experience that need to + be documented in release notes to be shared with the customer. + +- Approval for deployment: After all the planned code release has passed all of the above tests, the + code release is scheduled for deployment to production and presented to CivicActions' + Change + Control Board (CCB) for review and approval. + +- Deployment to production: A full backup of the website is performed immediately prior to the + deployment. + +- Security scan: After the deployment to production, the website undergoes a security scan using a web + vulnerability scanner. 
+ + Security issues to be addressed in the planned code release may come from a variety of sources: + +- Customer support requests received by the CivicActions Help Desk +- Security concerns, incidents, and site performance issues reported by users +- Security incident reports, including server log analysis and root cause analysis of those incidents + performed by the CivicActions Security Office and Operations staff + +- Security notifications received by the CivicActions Security Office from external + security teams and other software vendors + +- Vulnerabilities detected during security scans of the website performed by the + CivicActions Security Office + +- Issues reported by the CivicActions Security Office, Operations staff and Development +- Security issues reported through continuous monitoring + + + +#### b + +##### Contractor + +The CivicActions organization defines and documents information security roles and responsibilities throughout the SDLC. The following teams participate in this process: + +- Customer Support: Files tickets when incidents are reported and shares incident reports with customers +- The CivicActions Security Office: Receives security notifications from the Drupal security + team and other software vendors; performs security scans; uses CivicActions JIRA ticketing + system to request mitigation of all reported vulnerabilities + +- CivicActions Development: Performs server log analysis when security incidents are + reported; assists in root cause analysis + +- Change Control Board: Meets weekly to review and approve upcoming planned code changes to the website, + include security-related code releases. 
+ +- AWS Cloud: Monitors server and application events; proactively respond to security incidents, and + reports incidents to CivicActions + +- Users: Communicates customer security requirements and expectations, and alerts the + CivicActions customer support team whenever it detects a security or site performance + issue + + +Security responsibilities performed by these teams include the following: + +- Perform configuration management during information system design, development, implementation, and + operation; + +- Implement only organization-approved changes; +- Document approved changes; +- Manage and control changes to the system; +- Fully test all changes, taking into account security considerations as well as other functional + requirements; + +- Track security flaws and flaw resolution; and +- Employ code analysis tools to examine software for common flaws and document the results of the + analysis. + + + +#### c + +##### Contractor + +Each of the CivicActions teams described in SA-3(b) has a team leader who is responsible for defining the roles and responsibilities of individual personnel members within that team. CivicActions uses role-based management for access and authentication implementation and enforcement. + + + +#### d + +##### Contractor + +The CivicActions organization integrates the organizational information security risk management process into system development life cycle activities by requiring that the processes defined in SA-3(a) and (b) above are adhered to by all information system developers and associated security personnel. + + + +### SA-4: Acquisition Process + +```text +Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language, [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: + - a. Security and privacy functional requirements; + - b. 
Strength of mechanism requirements; + - c. Security and privacy assurance requirements; + - d. Controls needed to satisfy the security and privacy requirements. + - e. Security and privacy documentation requirements; + - f. Requirements for protecting security and privacy documentation; + - g. Description of the system development environment and environment in which the system is intended to operate; + - h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and + - i. Acceptance criteria. + +``` +**Status:** partial + + +##### Contractor + +The CivicActions System and Services Acquisition Policy affects all personnel with purchasing authorization and applies to all purchases or deployments including infrastructure, software or hardware. The CivicActions System and Services Acquisition Policy contains the process for determining acceptance criteria for all system software and application services. + +The Acquisition Security Policy includes an assessment that evaluates the product based on the vendor’s security practices, policies, and past performance. It also details the potential maintenance and end-of-life ramifications with regards to security. + +The CivicActions Security Office is responsible for determining the security documentation that must be included in the information system or services acquisition contracts. + +Configuration and design of the development and production environments are hosted in the CivicActions Git repository. All documentation is strictly controlled regarding transportation and storage in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. + + + + + +##### Project + +The Project follows the guidelines and procedures within the overarching None. 
The requirements in the information system acquisition contract permit updating security controls as new threat/vulnerabilities are identified and new technologies are implemented. + +The Project System and Services Acquisition Policy contains the process for determining acceptance criteria for all Project system software and services. + +The Project organization reviews and approves all acquisition contracts in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. + + + +### SA-4 (10): Use of Approved PIV Products + +```text +Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. + +``` +**Status:** None + + +##### Project + +CivicActions/Project and AWS describes this control as “not applicable”, as PIV credentials are not applicable to the Project system. Access and Authentication requirements for the Project system for internal CivicActions and customer are implemented under access management and enforcement (AC-2 and AC-3) and identification and authentication for all users (IA-2 and IA-8). + +It is the responsibility of CivicActions for implementation of PIV capability for authentication as required. + + + +### SA-5: System Documentation + +```text + - a. Obtain or develop administrator documentation for the system, system component, or system service that describes: + - 1. Secure configuration, installation, and operation of the system, component, or service; + - 2. Effective use and maintenance of security and privacy functions and mechanisms; and + - 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; + - b. Obtain or develop user documentation for the system, system component, or system service that describes: + - 1. 
User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; + - 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and + - 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; + - c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and + - d. Distribute documentation to [Assignment: organization-defined personnel or roles]. + +``` +**Status:** complete + + +##### Project + +Client maintains adequate documentation for the Project system. The Project system documentation is protected as required and made available to authorized personnel. Procedures for protecting system documentation include management in the private CivicActions Git repository and the publicly available documentation trees for Free and Open Source Software (FOSS). The documentation maintained for the Project system includes: + +- System Security Plan (SSP) – this document +- Configuration documentation +- Incident Response and Contingency Plans +- Rules of Behavior (Acceptable Use Policy) +- FOSS Reference Manuals (Drupal, GNU/Linux, Apache, MySQL, PHP, Postfix, + etc.) + + + +#### a + +##### AWS + +In this architecture, documentation of the infrastructure configuration in the form of AWS CloudFormation templates in JSON or YAML format, architecture diagrams, deployment user guide and security controls implementation details is included. + +AWS built-in features include online documentation for management of the infrastructure at + + + + + +##### Contractor + +Some application features are built on a custom basis and are not part of standard FOSS packages. 
Administrator documentation for those custom features is maintained in the CivicActions Git repository documentation system. + + + + + +##### Ilias + +Public documentation related to Ilias is maintained by the Ilias Association and is located at . This documentation contains administrator documentation for the information system that describes: +- secure configuration, installation, and operation of the system, component, or service; +- effective use and maintenance of security functions/mechanisms; and +- known vulnerabilities regarding configuration and use of administrative functions; + + + +#### b + +##### AWS + +AWS built-in features include online documentation of AWS services at + +1. AWS built-in features include online documentation for AWS account users at + such as user Guides, API reference guides, CLI + reference guides and developer reference guides to provide information on how to + effectively use security functions. + +2. AWS built-in features include online documentation for AWS account users within the + infrastructure at such as user Guides, API + reference guides, CLI reference guides and developer reference guides to provide + information on how to access AWS services and components in a more secure manner. + +3. AWS built-in features include online documentation for AWS account users at + that provides information + related to security responsibilities of customers using AWS services. + + + + + +##### Contractor + +The publicly-available FOSS package documentation described in control SA-5(a) also includes user documentation for non-administrators as described in control AC-3. This includes documentation on how to create and manage user accounts as well as how to create, update and delete content. + +CivicActions follows the user documentation standard practice to provide context-sensitive help as well as access to a Help Desk in publicly facing applications. 
+ +The CivicActions Customer Support team, described in control SA-3(b), handles questions about how to use the system. Questions are submitted by sending an email to support@civicactions.com, which triggers the creation of a ticket in the CivicActions customer support ticketing system. + + + + + +##### Ilias + +The public documentation at Ilias.de contains user documentation for the information system that describes: +- user-accessible security functions/mechanisms and how to effectively use those + security functions/mechanisms; +- methods for user interaction, which enables individuals to use the system, + component, or service in a more secure manner; and +- user responsibilities in maintaining the security of the system, component, or service; + + + +#### c + +##### Contractor + +If the information needed to answer a question is not already included in the website's public-facing documentation, a ticket is created to determine whether the question is sufficiently general in nature to warrant adding the answer to the website's documentation. + + + + + +##### Ilias + +As a popular and well-used and maintained free and open source (FOSS) project, in the event that sought after documentation is not available on Ilias.de, it can usually be found in one of the many forums, mailing lists or Stack Exchange sites covering Ilias and its many contributed modules. + + +#### d + +##### AWS + +AWS built-in features include online documentation that is protected by AWS from unauthorized modification or deletion within AWS system. + + + + + +##### Contractor + +All administrator documentation is housed in a protected Git repository. User documentation is publicly available. + + + + + +##### Ilias + +The Ilias.de documentation is multi-sourced on GitHub and private repositories. + + +#### e + +##### AWS + +AWS built-in features include online documentation located at that is publicly available. 
+ + + + + +##### Contractor + +As needed and approved by the CivicActions Security Office, documentation is available to appropriate personnel by granting access to the private Git repository. + + + + + +##### Ilias + +As the Ilias.de documentation is publicly available, there is no need to provide distribution mechanisms. + + +### SA-8: Security and Privacy Engineering Principles + +```text +Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles]. + +``` +**Status:** incomplete +### SA-8 (33): Minimization + +```text +Implement the privacy principle of minimization using [Assignment: organization-defined processes]. + +``` +**Status:** incomplete +### SA-9: External System Services + +```text + - a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; + - b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and + - c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions does not have any dedicated interconnections between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing or transmitting federal agency data. 
+ + + + + +##### Project + +Project does not have any dedicated interconnections between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing, or transmitting federal agency data. + +Project is hosted on the AWS Cloud platform, which was approved under the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013. diff --git a/results/docs/controls/SC.md b/results/docs/controls/SC.md new file mode 100644 index 0000000..4c42167 --- /dev/null +++ b/results/docs/controls/SC.md 
@@ -0,0 +1,263 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## SC: System and Communications Protection + +### SC-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] system and communications protection policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and + - c. Review and update the current system and communications protection: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a system and communication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions System and Communications Protection (SC) Policy CivicActions document that can be found in the CivicActions GitHub repository at . 
+ + + + + +##### Project + +System and communications protection policy and procedures are formally documented in the None and the Project SSP. The Department reviews and updates the policy as necessary and has been continually updated since April 2008. +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### SC-5: Denial-of-service Protection + +```text + - a. [Selection: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and + - b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. + +``` +**Status:** partial + + +##### Drupal + +Drupal has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations. + + + + +##### Ilias + +Ilias has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations. + + + + +##### Project + +The Project system is configured to reduce vulnerabilities in its operating system and applications to protect against Denial of Service (DoS) attacks. +The Project support staff ensures the system is protected against or limits the effect of DoS attacks as specified in the None. + + + +### SC-7: Boundary Protection + +```text + - a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; + - b. Implement subnetworks for publicly accessible system components that are [Selection: physically, logically] separated from internal organizational networks; and + - c. 
Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. + +``` +**Status:** complete + + +##### Drupal + +Drupal, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Drupal employs both the AWS platform safeguards and the Drupal Watchdog module in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. + + + + + +##### Ilias + +Ilias, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Ilias employs both the AWS platform safeguards and the Ilias logging in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. + + + + +##### Project + +The Project system has monitored and controlled communications at the external boundary of the information system and at key internal boundaries within the system, where appropriate. The Project allocates publicly accessible information system components (e.g., public web servers) specific IP address and port combinations. Public access into the organization’s internal networks is prevented except as appropriately mediated. + + + +#### a + +##### AWS + +In this architecture, network communications to, from, and between VPCs, subnets and Amazon S3 buckets are controlled as follows: AWS Route Tables specify which subnets in each VPC are accessible through gateways and which are isolated/private. AWS Security Groups provide stateful inbound/outbound port/protocol restrictions, Amazon Simple Storage Service (Amazon S3) buckets support access control restrictions based on network source/destination. 
+ + + +#### b + +##### AWS + +In this architecture, subnetworks for publicly accessible system components are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs. + + + +#### c + +##### AWS + +In this architecture, connection to external networks is possible only through Internet Gateways (IGWs) or NAT gateways (in regions where supported by AWS VPC) and are restricted based on ports/protocols via AWS Security groups, and default subnet rules provided by NACLs. + + + +### SC-12: Cryptographic Key Establishment and Management + +```text +Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. + +``` +**Status:** none + + +##### AWS + +In this architecture, initial private/public SSH keys stored in Identity and Access Management (IAM) are supplied to Amazon EC2 instances upon launch, and the public key portion is managed within the AWS Amazon EC2 service. In addition, server-side encryption is used for Amazon S3 storage and Amazon RDS databases, using key management provided by AWS for the storage buckets and Amazon RDS databases. + + + + + +##### Project + +Use of cryptographic key management for the Project system is in use for at the time of implementation for authentication. CivicActions utilizes customer agency supplied PIV credentials for access to customer instances of the Project. Access enforcement and authentication requirements for Project are described in AC-2 & IA-2. AWS platform does not utilize or manage cryptographic keys within the ACE boundary. + + + +### SC-13: Cryptographic Protection + +```text + - a. Determine the [Assignment: organization-defined cryptographic uses]; and + - b. 
Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. + +``` +**Status:** none + + +##### AWS + +In this architecture, encryption mechanisms are employed for data at rest and in transit. For data at rest, AES-256 Server Side encryption is employed for data stored in Amazon S3, and Amazon RDS databases. For data in transit, to protect against exposure of any cleartext data transmitted deliberately (upload/download) or incidentally during interactive systems management operations, Amazon S3 object access can only be conducted over encrypted sessions via TLS; the bastion host, Amazon EC2 instances and associated security groups are configured for encrypted SSH sessions only. For web user access, the Elastic Load Balancing (ELB) employs a TLS endpoint. + +AWS built-in features employ TLS for AWS Management Console sessions, AWS API calls, and AWS Command Line Interface connections. + + + + + +##### Contractor + +The information system implements: + +- Cryptographic modules through Secure Shell (SSH) to allow administrators to securely logon to the + various system components + +- HTTPS/SSL (TLS) for connection to web-based services +- TLS for connection to email services +- AES-256 (FIPS 140-2 validated) for data at rest (with Elastic Block Store (EBS) volumes) + + + +### SC-15: Collaborative Computing Devices and Applications + +```text + - a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and + - b. Provide an explicit indication of use to users physically present at the devices. + +``` +**Status:** none + + +##### Project + +This control is not applicable, as the Project system does +employ any collaborative computing devices. 
+ + + +### SC-20: Secure Name/address Resolution Service (authoritative Source) + +```text + - a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and + - b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. + +``` +**Status:** None + + +##### Contractor + +The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (authoritative source) + + + +### SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver) + +```text +Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. + +``` +**Status:** None + + +##### Contractor + +The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (recursive or caching resolver) + + + +### SC-22: Architecture and Provisioning for Name/address Resolution Service + +```text +Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. + +``` +**Status:** none + + +##### Contractor + + + + +### SC-39: Process Isolation + +```text +Maintain a separate execution domain for each executing system process. 
+ +``` +**Status:** none + + +##### AWS + +In this architecture, the AMIs that make up the operating systems deployed on Amazon EC2 instances maintain separate execution domains/address spaces for executing processes within the customer operating environment. + +AWS built-in features of the hypervisors that support the infrastructure maintain separate execution domains/address spaces for executing processes. + + + + + +##### Contractor + +Process isolation is maintained on the Linux platform. Linux is the only operating system that is part of the boundary. diff --git a/results/docs/controls/SI.md b/results/docs/controls/SI.md new file mode 100644 index 0000000..e4c55ce --- /dev/null +++ b/results/docs/controls/SI.md 
@@ -0,0 +1,337 @@ +# Reusable OpenControl Components (SSP-Toolkit). + +## SI: System and Information Integrity + +### SI-1: Policy and Procedures + +```text + - a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: + - 1. [Selection (one or more): organization-level, mission/business process-level, system-level] system and information integrity policy that: + - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and + - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and + - 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; + - b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and + - c. Review and update the current system and information integrity: + - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and + - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. + +``` +**Status:** complete + + +##### Contractor + +CivicActions has developed, documented and disseminated to personnel a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions System and Information Integrity (SI) Policy document that can be found in the CivicActions GitHub repository at . 
+ + + + + +##### Project + +System and information integrity policy and procedures for the Project system are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to physical and environmental protection systems. The Project system support staff monitors the network on a daily basis and employs up-to-date patches to protect the integrity of the system. + +Additional information is contained within the None. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + + +### SI-2: Flaw Remediation + +```text + - a. Identify, report, and correct system flaws; + - b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; + - c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and + - d. Incorporate flaw remediation into the organizational configuration management process. + +``` +**Status:** None + + +##### Ilias + +Ilias contains built-in security status monitoring of the core application and contributed modules. + + +#### a + +##### Contractor + +Identification of information system security flaws are detected as early as possible by the following methods: + +- Vulnerability scans, as described in RA-5. +- Log analysis from monitoring described in SI-4. +- Service flaw notifications (CVEs, etc.) are received by the + CivicActions Security Office and passed on to + CivicActions Operations staff when relevant. + +Any security issues found are ticketed through JIRA and/or the Git issue queue. CivicActions Operations staff prioritizes high findings. Changes made to correct the information system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB as implemented in CM-3. 
+ + + +#### b + +##### Contractor + +CivicActions testing of the system as a result of security flaw remediation is done through a development environment through the use of internal software and automated testing that ensures the system is working as intended. When a change is made by a developer, testing though a peer review is conducted as part of the Change Request process to ensure the correct analysis is completed. Then the changed code is tested in an automatic test environment as described in the Configuration Management Plan (CMP). Tracking of the testing is documented in JIRA and/or the Git issue queue. + + + +#### c + +##### Contractor + +CivicActions security-software updates are tested prior to implementation on production. The CivicActions Security framework for installation requires updates to be made within 30 days for high vulnerabilities, 90 days for moderate vulnerabilities, and 240 for low vulnerabilities. An issue ticket is created to track any updates made to the system. + + + +#### d + +##### Contractor + +Flaw remediation is part of the CivicActions configuration management process. Any security issues found are ticketed through JIRA or the Git issue queue. The CivicActions Security Office prioritizes the high findings within the application. Changes made to correct the system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB Chair as implemented in CM-3. + + + +### SI-3: Malicious Code Protection + +```text + - a. Implement [Selection (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; + - b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; + - c. Configure malicious code protection mechanisms to: + - 1. 
Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint, network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and + - 2. [Selection (one or more): block malicious code, quarantine malicious code, take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and + - d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. + +``` +**Status:** partial +#### a + +##### Contractor + +Virus scans are performed by ClamAV, a server-hosted tool protecting the application from Trojans, Viruses and other malicious cyber-threats. Real-time scans are conducted whenever files are uploaded from any external source and malicious code is blocked or quarantined when detected. All file-based traffic traversing the server is sanitized before being delivered. All input form text is validated and sanitized. + + + +#### b + +##### Contractor + +Anti-virus definitions and malicious code protection mechanisms are configured and updated automatically on a nightly basis. + + + +#### c + +##### Contractor + +CivicActions Operations staff receives information system security alerts, advisories, and notifications in response to malicious code detection. These messages are sent to group email distribution lists to ensure all members of the team receive the proper information in a timely manner. + + + +#### d + +##### Contractor + +False positives during malicious code detection and eradication are dealt with on a case by case basis. Potential impacts on the availability of the information system are detailed in a false positive report depending on if the report is for the OS, database or web application. 
+ + + +### SI-4: System Monitoring + +```text + - a. Monitor the system to detect: + - 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and + - 2. Unauthorized local, network, and remote connections; + - b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; + - c. Invoke internal monitoring capabilities or deploy monitoring devices: + - 1. Strategically within the system to collect organization-determined essential information; and + - 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; + - d. Analyze detected events and anomalies; + - e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; + - f. Obtain legal opinion regarding system monitoring activities; and + - g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] + [Selection (one or more): as needed, [Assignment: organization-defined frequency]]. 
+ +``` +**Status:** complete +#### a + +##### Contractor + +CivicActions systems use a collection of monitoring systems, including: + +- ClamAV - provides signature-based malware detection/quarantine +- OSSEC host-based intrusion detection system (HIDS) +- AIDE Advanced Intrusion Detection Environment (IDS)) +- fail2ban, an intrusion prevention system (IPS) framework +- SELinux - a Mandatory Access Control (MAC) IPS +- auditd - a secure system audit daemon +- CloudWatch - AWS monitoring and measurement system +- StatusCake - website monitoring tool +- OpsGenie - a slack/email/text/phone incident escalation tool + + + +#### b + +##### Contractor + +Logs from the systems described in SI-4(a) are sent to the CivicActions SIEM tool for analysis. These logs can identify unauthorized use of the information system. + + + +#### c + +##### Contractor + +Monitoring and log collection occur throughout the system. + + +#### d + +##### Contractor + +The Configuration Management process, remote log gathering, and SELinux MAC protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. + + + +#### e + +##### Contractor + +In the event of a performance score lower than CivicActions standards, a notification is sent to the CivicActions Security Office. CivicActions subscribes to security mailing lists in the event the monitoring activity is required based on law enforcement information, intelligence information, or other credible sources of information. + + + +#### f + +##### Contractor + +Internal legal counsel is utilized as required when system notifications indicate such action based on user and/or malicious activity. Legal counsel is engaged for any actions that may necessitate increased user monitoring or evidence/forensic actions. + + + +#### g + +##### Contractor + +System alerts generated by CivicActions internal monitors (StatusCake, OSSEC, ClamAV, others) are sent to the Incident Response team via OpsGenie. 
+ + + +### SI-5: Security Alerts, Advisories, and Directives + +```text + - a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; + - b. Generate internal security alerts, advisories, and directives as deemed necessary; + - c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles], [Assignment: organization-defined elements within the organization], [Assignment: organization-defined external organizations]]; and + - d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. + +``` +**Status:** complete + + +##### Ilias + +CivicActions Security and Operations receive Ilias Security Advisories on a regular basis. + + + + +##### Project + +Project representatives and system administrators receive alerts from US-CERT on a regular basis. Support personnel take appropriate action in response to relevant areas of concern. + + + +#### a + +##### Contractor + +The CivicActions Security Office and Operations staff receive the following security alerts, advisories, and directives on an ongoing basis: + +- Mailing lists relevant to web application security +- US-CERT +- Technical Cyber Security Alerts +- Drupal Security Advisories + + + +#### b + +##### Contractor + +CivicActions utilizes StatusCake for front line monitoring for real time system status and events of the application. StatusCake can feed to the OpsGenie incident escalation system. + + + +#### c + +##### Contractor + +The CivicActions Security Office disseminates security alerts, advisories, and directives to all CivicActions internal personnel and client personnel as directed. + + + +#### d + +##### Contractor + +The CivicActions Security Office is responsible for ensuring the dissemination and implementation of relevant security alerts and advisories. 
+ + + +### SI-12: Information Management and Retention + +```text +Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. + +``` +**Status:** complete + + +##### Contractor + +The CivicActions organization retains all information, system-related information, incident-related information, and system output in accordance with customers’ requirements retention periods and other NIST guidance and standards, Federal policies, procedures, federal laws, and executive orders. Audit records are retained for 365 days. + + + + + +##### Project + +Project representatives and systems administrators receive annual training from Client regarding information assurance and information handling requirements. These personnel are required to operate the system and handle system data and output in accordance with legal requirements. Personnel training and system guidelines ensure that data and programs are handled appropriately. + + + +### SI-12 (1): Limit Personally Identifiable Information Elements + +```text +Limit personally identifiable information being processed in the information life cycle to the following elements of PII: [Assignment: organization-defined elements of personally identifiable information]. + +``` +**Status:** incomplete +### SI-12 (2): Minimize Personally Identifiable Information in Testing, Training, and Research + +```text +Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques]. + +``` +**Status:** incomplete +### SI-12 (3): Information Disposal + +```text +Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques]. 
+ +``` +**Status:** incomplete +### SI-18: Personally Identifiable Information Quality Operations + +```text + - a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and + - b. Correct or delete inaccurate or outdated personally identifiable information. + +``` +**Status:** incomplete diff --git a/templates/components/AWS/AC-ACCESS_CONTROL.yaml b/templates/components/AWS/AC-ACCESS_CONTROL.yaml index 454eb7f..9355a5d 100644 --- a/templates/components/AWS/AC-ACCESS_CONTROL.yaml +++ b/templates/components/AWS/AC-ACCESS_CONTROL.yaml @@ -15,7 +15,7 @@ satisfies: In this architecture, the baseline AWS Identity and Access Management (IAM) groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform - management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, + management (e.g. Billing, S3 storage, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.) - key: g text: > diff --git a/tools/createfiles/createfiles.py b/tools/createfiles/createfiles.py index ba869ba..7499ce8 100755 --- a/tools/createfiles/createfiles.py +++ b/tools/createfiles/createfiles.py @@ -36,7 +36,7 @@ required=False, help="Output directory (default: current directory)", ) -def main(input_template: str, output_dir: str): +def create_files(input_template: str, output_dir: str): template_args = load_template_args() output_to = Path(output_dir) templates = Path(input_template) @@ -73,4 +73,4 @@ def main(input_template: str, output_dir: str): if __name__ == "__main__": - main() + create_files() diff --git a/tools/makefamilies/makefamilies.py b/tools/makefamilies/makefamilies.py index 3335c54..f3810c4 100644 --- a/tools/makefamilies/makefamilies.py +++ b/tools/makefamilies/makefamilies.py 
@@ -11,7 +11,7 @@ from tools.makefamilies.family import Control, Family, Part project = Project() -controls_dir = Path("docs/controls") +controls_dir = Path("results/docs/controls") def get_control_parts(parts: list, control, parent: str) -> Control: @@ -139,7 +139,7 @@ def create_family(return_data: bool = False) -> dict: return families_data -def main(): +def make_families(): if not controls_dir.exists(): print(f"Creating output directory {controls_dir.resolve(strict=False)}") controls_dir.mkdir(parents=True, exist_ok=False) @@ -148,4 +148,4 @@ def main(): if __name__ == "__main__": - main() + make_families() diff --git a/tools/watcher.py b/tools/watcher.py index bae7a8e..61ce439 100644 --- a/tools/watcher.py +++ b/tools/watcher.py @@ -1,12 +1,13 @@ import asyncio -from tools.watchers.templates import watch_templates +from tools.watchers.component_watcher import watch_components +from tools.watchers.template_watcher import watch_templates async def main(): await asyncio.gather( watch_templates("./templates", loop=loop), - # Add other async tasks here + watch_components("./results/components", loop=loop), ) diff --git a/tools/watchers/component_watcher.py b/tools/watchers/component_watcher.py new file mode 100644 index 0000000..39e380c --- /dev/null +++ b/tools/watchers/component_watcher.py 
@@ -0,0 +1,55 @@ +import asyncio + +from watchdog.events import FileCreatedEvent, FileModifiedEvent, FileSystemEventHandler +from watchdog.observers import Observer + + +class WatchComponentsHandler(FileSystemEventHandler): + def __init__(self, loop: asyncio.AbstractEventLoop): + self.processed_files: set[str] = set() + self.queue: asyncio.Queue = asyncio.Queue() + self.loop = loop + + def on_modified(self, event: FileModifiedEvent) -> None: + asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) + + def on_created(self, event: FileCreatedEvent) -> None: + asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) + + async def process_events(self): + while True: + event = await self.queue.get() + if isinstance(event, (FileModifiedEvent, FileCreatedEvent)): + file_path = event.src_path + if file_path not in self.processed_files: + self.processed_files.add(file_path) + await self.make_families() + + await asyncio.sleep(1) + self.processed_files.remove(file_path) + + @staticmethod + async def make_families(): + process = await asyncio.create_subprocess_shell( + "python tools/makefamilies/makefamilies.py", + stdout=asyncio.subprocess.PIPE, + stderr=asyncio.subprocess.PIPE, + ) + stdout, stderr = await process.communicate() + if stdout: + print(f"MakeFamilies:\n{stdout.decode()}") + if stderr: + print(f"makefamilies.py error:\n{stderr.decode()}") + + +async def watch_components(path: str, loop: asyncio.AbstractEventLoop): + handler = WatchComponentsHandler(loop=loop) + observer = Observer() + observer.schedule(handler, path, recursive=True) + observer.start() + + try: + await handler.process_events() + finally: + observer.stop() + observer.join() diff --git a/tools/watchers/templates.py b/tools/watchers/template_watcher.py similarity index 82% rename from tools/watchers/templates.py rename to tools/watchers/template_watcher.py index 6cbebd7..5c0faf8 100644 --- a/tools/watchers/templates.py +++ b/tools/watchers/template_watcher.py 
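Review bot: `make_families` reads stdout/stderr but never inspects `process.returncode`, so a makefamilies.py run that exits non-zero without writing to stderr is indistinguishable from a successful one and the stale docs are silently kept; add `if process.returncode != 0: print(f"makefamilies.py exited with status {process.returncode}")` after the `communicate()` call. Since the command is a fixed literal there is also no reason to go through a shell: `process = await asyncio.create_subprocess_exec("python", "tools/makefamilies/makefamilies.py", stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)` spawns the same interpreter without shell parsing. The `processed_files` guard in `process_events` drops any further event for the same path that arrives while `make_families` and the one-second sleep are still running, so a save that lands in that window is never regenerated; a comment stating that this is intentional coalescing, or a re-check after the sleep, would make the trade-off explicit.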
@@ -13,41 +13,36 @@ class WatchTemplatesHandler(FileSystemEventHandler): def __init__(self, loop: asyncio.AbstractEventLoop): - self.event_type = None self.queue: asyncio.Queue = asyncio.Queue() self.loop = loop def on_modified(self, event: FileModifiedEvent) -> None: - self.event_type = event asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) def on_created(self, event: FileCreatedEvent) -> None: - self.event_type = event asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) def on_deleted(self, event: DirDeletedEvent | FileDeletedEvent) -> None: - self.event_type = event asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) async def process_events(self): while True: - if isinstance(self.event_type, (DirDeletedEvent, FileDeletedEvent)): - event = await self.queue.get() + event = await self.queue.get() + if isinstance(event, (DirDeletedEvent, FileDeletedEvent)): await self.delete_file(file_path=event.src_path) - elif isinstance(self.event_type, (FileCreatedEvent, FileModifiedEvent)): - event = await self.queue.get() + elif isinstance(event, (FileCreatedEvent, FileModifiedEvent)): await self.create_files(file_path=event.src_path) @staticmethod async def create_files(file_path: str): if not Path(file_path).is_dir(): filepath = file_path.rstrip("~") - proc = await asyncio.create_subprocess_shell( + process = await asyncio.create_subprocess_shell( f"python tools/createfiles/createfiles.py -t {filepath} -o results", stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, ) - stdout, stderr = await proc.communicate() + stdout, stderr = await process.communicate() if stdout: print(f"Script output:\n{stdout.decode()}") if stderr: From a70259ff0377c4267ba97bafbc671dc087e1c56e Mon Sep 17 00:00:00 2001 
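Review bot: `create_files` still interpolates the watched path unquoted into a shell string (`f"python tools/createfiles/createfiles.py -t {filepath} -o results"`), so a template path containing a space, `$`, `;` or another shell metacharacter either breaks the command or is interpreted by the shell; renaming `proc` to `process` does not change this. Pass an argument vector instead: `process = await asyncio.create_subprocess_exec("python", "tools/createfiles/createfiles.py", "-t", filepath, "-o", "results", stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)`. `file_path.rstrip("~")` also strips every trailing tilde rather than one editor backup suffix; if a single `~` is what is meant, `file_path.removesuffix("~")` is the exact form. The hunk ends at `if stderr:`, so the remainder of `create_files` is outside it.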
From: Tom Camp Date: Fri, 31 Jan 2025 12:32:44 -0500 Subject: [PATCH 6/7] Debouncing event. --- docker-compose.yml | 4 +- results/components/AWS/AC-ACCESS_CONTROL.yaml | 51 +++++++++++++++++++ results/docs/controls/AC.md | 38 ++++++++++++++ tools/watchers/component_watcher.py | 15 +++--- tools/watchers/template_watcher.py | 27 +++++----- 5 files changed, 112 insertions(+), 23 deletions(-) create mode 100644 results/components/AWS/AC-ACCESS_CONTROL.yaml diff --git a/docker-compose.yml b/docker-compose.yml index 3fd2275..478ceeb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,8 +2,8 @@ services: file_watcher: user: 1000:1000 environment: - - UID=${UID} - - GID=${GID} + - UID=1000 + - GID=1000 build: . volumes: - .:/app diff --git a/results/components/AWS/AC-ACCESS_CONTROL.yaml b/results/components/AWS/AC-ACCESS_CONTROL.yaml new file mode 100644 index 0000000..9355a5d --- /dev/null +++ b/results/components/AWS/AC-ACCESS_CONTROL.yaml 
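Review bot: Hard-coding `UID=1000` and `GID=1000` under `environment` turns the two variables into constant duplicates of the `user: 1000:1000` line directly above and removes the host-user parameterization that `${UID}`/`${GID}` provided, so on a host whose developer account is not uid 1000 everything the watcher writes into the bind-mounted `.:/app` is owned by a foreign uid. If the intent is a default for when the variables are unset, `- UID=${UID:-1000}` and `- GID=${GID:-1000}` keep the override; if the intent is to pin 1000, the `user:` line already does that and the two environment entries can be dropped, unless the Dockerfile (not in this diff) consumes them.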
@@ -0,0 +1,51 @@ +family: ACCESS CONTROL +documentation_complete: false +satisfies: +- control_key: AC-2 + control_name: ACCOUNT MANAGEMENT + standard_key: NIST SP 800-53 Revision 4 + covered_by: [] + security_control_type: Shared + narrative: + - text: > + The system partially inherits this control from the FedRAMP Provisional ATO granted + to the AWS Cloud dated 1 May 2013 for the following: AWS account management. + - key: a + text: > + In this architecture, the baseline AWS Identity and Access Management (IAM) + groups and roles are associated with access policies to align user + accounts with personnel functions related to infrastructure/platform + management (e.g. Billing, S3 storage, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, + etc.) + - key: g + text: > + In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, which + provide the audit trail capability for the organization to monitor the use of AWS + Identity and Access Management (IAM) accounts. An Amazon S3 bucket centrally contains + the CloudTrail audit logs. Amazon CloudWatch Alarm is configured to send an + alert when any of the following happen: + - an API call is made to create, update, or delete a Network ACL/Security Group + - AWS account *root user* activity is detected + - multiple API actions or login attempts fail + - IAM Configuration changes are detected + - new IAM access key was created + - changes to the CloudTrail log configuration are detected + implementation_status: partial +- control_key: AC-3 + control_name: ACCESS ENFORCEMENT + standard_key: NIST SP 800-53 Revision 4 + covered_by: [] + security_control_type: Shared + narrative: + - text: > + In this architecture, AWS Identify and Access Management (IAM) and Amazon + Amazon S3 enforce access to the AWS infrastructure and data in Amazon S3 buckets. 
The + baseline IAM groups and roles are associated with access policies to + align user accounts with personnel functions related to infrastructure/platform + management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. + auditing, etc.) Login/API access is restricted to those users for whom the + organization has authorized and created, or federated, IAM user accounts, + and assigned the appropriate IAM group and/or role memberships. Amazon S3 + buckets have specific access control policies assigned to restrict access + to those IAM users who are assigned the appropriate IAM roles/groups. + implementation_status: partial diff --git a/results/docs/controls/AC.md b/results/docs/controls/AC.md index 7fb0f87..2d73489 100644 --- a/results/docs/controls/AC.md +++ b/results/docs/controls/AC.md @@ -60,8 +60,24 @@ Access control policy and procedures are documented in the Project Full Name SSP ``` **Status:** None + + +##### AWS + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS account management. + + + #### a +##### AWS + +In this architecture, the baseline AWS Identity and Access Management (IAM) groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, S3 storage, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.) + + + + + ##### Drupal Drupal provides the following information system account types to support organizational mission/business functions: 
@@ -205,6 +221,20 @@ CivicActions Operations staff is responsible for the following account managemen #### g +##### AWS + +In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, which provide the audit trail capability for the organization to monitor the use of AWS Identity and Access Management (IAM) accounts. An Amazon S3 bucket centrally contains the CloudTrail audit logs. Amazon CloudWatch Alarm is configured to send an alert when any of the following happen: + - an API call is made to create, update, or delete a Network ACL/Security Group + - AWS account *root user* activity is detected + - multiple API actions or login attempts fail + - IAM Configuration changes are detected + - new IAM access key was created + - changes to the CloudTrail log configuration are detected + + + + + ##### Contractor All CivicActions systems log the usage of information accounts. 
@@ -283,6 +313,14 @@ Enforce approved authorizations for logical access to information and system res **Status:** complete +##### AWS + +In this architecture, AWS Identify and Access Management (IAM) and Amazon Amazon S3 enforce access to the AWS infrastructure and data in Amazon S3 buckets. The baseline IAM groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.) Login/API access is restricted to those users for whom the organization has authorized and created, or federated, IAM user accounts, and assigned the appropriate IAM group and/or role memberships. Amazon S3 buckets have specific access control policies assigned to restrict access to those IAM users who are assigned the appropriate IAM roles/groups. + + + + + ##### Drupal Access control in Drupal is enforced by authentication via a unique username/password for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege. diff --git a/tools/watchers/component_watcher.py b/tools/watchers/component_watcher.py index 39e380c..2cd3987 100644 --- a/tools/watchers/component_watcher.py +++ b/tools/watchers/component_watcher.py @@ -6,7 +6,7 @@ class WatchComponentsHandler(FileSystemEventHandler): def __init__(self, loop: asyncio.AbstractEventLoop): - self.processed_files: set[str] = set() + self.debounce_task = None self.queue: asyncio.Queue = asyncio.Queue() self.loop = loop 
@@ -20,13 +20,14 @@ async def process_events(self): while True: event = await self.queue.get() if isinstance(event, (FileModifiedEvent, FileCreatedEvent)): - file_path = event.src_path - if file_path not in self.processed_files: - self.processed_files.add(file_path) - await self.make_families() + if self.debounce_task and not self.debounce_task.done(): + self.debounce_task.cancel() - await asyncio.sleep(1) - self.processed_files.remove(file_path) + self.debounce_task = asyncio.create_task(self._debounce()) + + async def _debounce(self): + await asyncio.sleep(0.5) + await self.make_families() @staticmethod async def make_families(): diff --git a/tools/watchers/template_watcher.py b/tools/watchers/template_watcher.py index 5c0faf8..0c9fec1 100644 --- a/tools/watchers/template_watcher.py +++ b/tools/watchers/template_watcher.py @@ -1,18 +1,14 @@ import asyncio from pathlib import Path -from watchdog.events import ( - DirDeletedEvent, - FileCreatedEvent, - FileDeletedEvent, - FileModifiedEvent, - FileSystemEventHandler, -) +from watchdog.events import FileCreatedEvent, FileModifiedEvent, FileSystemEventHandler from watchdog.observers import Observer class WatchTemplatesHandler(FileSystemEventHandler): def __init__(self, loop: asyncio.AbstractEventLoop): + self.debounce_task = None + self.file_path: str = "" self.queue: asyncio.Queue = asyncio.Queue() self.loop = loop 
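Review bot: `_debounce` runs `make_families()` as a fire-and-forget task, so an exception raised during regeneration is never retrieved — it surfaces only as a "Task exception was never retrieved" message when the orphaned task is garbage-collected, and `process_events` keeps looping as if the rebuild had succeeded. Wrapping the `await self.make_families()` call in a `try`/`except Exception` that logs the failure through the module's logger (or attaching a done-callback that inspects the task's exception) would make a failed rebuild visible at once. Note also that `self.debounce_task.done()` is still False while `make_families()` itself is running, so an event arriving during a rebuild cancels the rebuild midway rather than just the 0.5 s sleep; whether a half-finished regeneration is safe depends on `make_families`, whose body is outside the hunk. `process_events` is cut at the hunk's start.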
@@ -22,16 +18,19 @@ def on_modified(self, event: FileModifiedEvent) -> None: def on_created(self, event: FileCreatedEvent) -> None: asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) - def on_deleted(self, event: DirDeletedEvent | FileDeletedEvent) -> None: - asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) - async def process_events(self): while True: event = await self.queue.get() - if isinstance(event, (DirDeletedEvent, FileDeletedEvent)): - await self.delete_file(file_path=event.src_path) - elif isinstance(event, (FileCreatedEvent, FileModifiedEvent)): - await self.create_files(file_path=event.src_path) + if isinstance(event, (FileModifiedEvent, FileCreatedEvent)): + self.file_path = event.src_path + if self.debounce_task and not self.debounce_task.done(): + self.debounce_task.cancel() + + self.debounce_task = asyncio.create_task(self._debounce()) + + async def _debounce(self): + await asyncio.sleep(0.5) + await self.create_files(file_path=self.file_path) @staticmethod async def create_files(file_path: str): From 9e9d3e67f349d3aeda462f35d4ba0f12a0bf9887 Mon Sep 17 00:00:00 2001 
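Review bot: Storing the path in a single `self.file_path` attribute means that when two different template files change within the 0.5 s debounce window, the first path is overwritten and `create_files` is never called for it — only the event that arrives last survives the cancel/recreate cycle. Collecting the paths in a set and draining that set in `_debounce` keeps the debounce while processing every file, and leaves unprocessed paths in place if the task is cancelled mid-loop; `self.file_path: str = ""` in `__init__` (previous hunk) would become `self.pending_paths: set[str] = set()`. As in component_watcher.py, a failure inside `create_files` is only reported when the orphaned task is collected, so the same exception logging is wanted here. `process_events` begins outside the hunk and `create_files` continues past its end.
```python
            if isinstance(event, (FileModifiedEvent, FileCreatedEvent)):
                self.pending_paths.add(event.src_path)
                if self.debounce_task and not self.debounce_task.done():
                    self.debounce_task.cancel()

                self.debounce_task = asyncio.create_task(self._debounce())

    async def _debounce(self):
        await asyncio.sleep(0.5)
        # Pop one path at a time so a cancellation mid-loop leaves the rest
        # queued for the task that replaces this one.
        while self.pending_paths:
            file_path = self.pending_paths.pop()
            await self.create_files(file_path=file_path)
```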
From: Tom Camp Date: Fri, 31 Jan 2025 14:11:12 -0500 Subject: [PATCH 7/7] Adding SOP --- file_hashes.json | 62 ++++ poetry.lock | 94 +----- pyproject.toml | 2 +- requirements.txt | 70 +++- results/docs/sop/sop-ac-access-control.md | 243 ++++++++++++++ .../docs/sop/sop-at-awareness-and-training.md | 87 +++++ .../sop/sop-au-audit-and-accountability.md | 312 ++++++++++++++++++ ...assessment-authorization-and-monitoring.md | 139 ++++++++ .../sop/sop-cm-configuration-management.md | 131 ++++++++ .../docs/sop/sop-cp-contingency-planning.md | 106 ++++++ ...op-ia-identification-and-authentication.md | 308 +++++++++++++++++ results/docs/sop/sop-ir-incident-response.md | 159 +++++++++ results/docs/sop/sop-ma-maintenance.md | 103 ++++++ results/docs/sop/sop-mp-media-protection.md | 74 +++++ ...e-physical-and-environmental-protection.md | 128 +++++++ results/docs/sop/sop-pl-planning.md | 104 ++++++ results/docs/sop/sop-ps-personnel-security.md | 150 +++++++++ results/docs/sop/sop-ra-risk-assessment.md | 106 ++++++ .../sop-sa-system-and-services-acquisition.md | 279 ++++++++++++++++ ...sc-system-and-communications-protection.md | 128 +++++++ ...sop-si-system-and-information-integrity.md | 132 ++++++++ .../frontmatter}/front-matter.md | 0 tools/sop/sop.py | 11 +- tools/watchers/component_watcher.py | 31 +- tools/watchers/template_watcher.py | 9 +- 25 files changed, 2849 insertions(+), 119 deletions(-) create mode 100644 file_hashes.json create mode 100644 results/docs/sop/sop-ac-access-control.md create mode 100644 results/docs/sop/sop-at-awareness-and-training.md create mode 100644 results/docs/sop/sop-au-audit-and-accountability.md create mode 100644 results/docs/sop/sop-ca-assessment-authorization-and-monitoring.md create mode 100644 results/docs/sop/sop-cm-configuration-management.md create mode 100644 results/docs/sop/sop-cp-contingency-planning.md create mode 100644 results/docs/sop/sop-ia-identification-and-authentication.md create mode 100644 
results/docs/sop/sop-ir-incident-response.md create mode 100644 results/docs/sop/sop-ma-maintenance.md create mode 100644 results/docs/sop/sop-mp-media-protection.md create mode 100644 results/docs/sop/sop-pe-physical-and-environmental-protection.md create mode 100644 results/docs/sop/sop-pl-planning.md create mode 100644 results/docs/sop/sop-ps-personnel-security.md create mode 100644 results/docs/sop/sop-ra-risk-assessment.md create mode 100644 results/docs/sop/sop-sa-system-and-services-acquisition.md create mode 100644 results/docs/sop/sop-sc-system-and-communications-protection.md create mode 100644 results/docs/sop/sop-si-system-and-information-integrity.md rename {frontmatter => results/frontmatter}/front-matter.md (100%) diff --git a/file_hashes.json b/file_hashes.json new file mode 100644 index 0000000..6eccf1d --- /dev/null +++ b/file_hashes.json 
@@ -0,0 +1,62 @@ +{ + "results/components/Ilias/AC-ACCESS_CONTROL.yaml": "eb748508d342f18cd21d5e445dbe9e45114ac2515ad636930cca90b7adceaca1", + "results/components/Ilias/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml": "d20458ce08debedc72ff652d1a535de8f97c90746c4c8206156e866a26a939b3", + "results/components/Ilias/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml": "e641b1d866965599072286edf9b71da620253f5f82c48c1fefd9fa62aa98e6d5", + "results/components/Ilias/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml": "12de7a82fc3db6d09fe3de5ccb89f6a1f20412a50103a11252b85b58b83f00d3", + "results/components/Ilias/CM-CONFIGURATION_MANAGEMENT.yaml": "0f505bf2bc62ed2e32045d16f04ccac8047f118997f159f2f8369960a60d16f1", + "results/components/Ilias/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml": "12e90d0a8c03a74af1e7b3829f86dbf725099957c63379da4ed3d6cf3571c528", + "results/components/Ilias/AU-AUDIT_AND_ACCOUNTABILITY.yaml": "c39fe64def72de7574efcaeb73410a974efceedfe4db629843f59c5737f5ee0c", + "results/components/Ilias/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml": "2b56730761627706fd056ec3ccca0df10822fdfabd69a737ef36a933186246de", + "results/components/SSH/AC-ACCESS_CONTROL.yaml": "a2abec71d44ab7c288f9d8e266443e93b25f9fa9f8c81641a51e8e3c95e85a48", + "results/components/Drupal/AC-ACCESS_CONTROL.yaml": "5a11744d9d01658f70ca12f28c65291d89acefdaa9de3c4e7a0189b3b3798ad3", + "results/components/Drupal/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml": "3f926d8953fbe1f9baa29847a878e23642cb7275247c5d495d24e2ae19a87714", + "results/components/Drupal/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml": "35e5deac4a1ad9e18aa59c23c851d7fa7700bac6a1edfcbfb17253db217ac955", + "results/components/Drupal/AU-AUDIT_AND_ACCOUNTABILITY.yaml": "b457aef053559720d39975d2b0c31eea0b135a998c07daf3bf54c0122f023429", + "results/components/Drupal/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml": "d1c307662d0634bcb30a188247b367bac40288443201ab4d52253d75fc92a293", + "results/components/Contractor/AC-ACCESS_CONTROL.yaml": 
"c6aeb080c95bb631e44e86d3b7ff2fbc36e68d19f174af33a2861b21a3cb8799", + "results/components/Contractor/MA-MAINTENANCE.yaml": "4ade84b3f40a9ae41c8c0513fb6c302382f75309b102bd370cf7535a84c82ef9", + "results/components/Contractor/IR-INCIDENT_RESPONSE.yaml": "dea38dd5a63bc323ce26ac3b1a687767d103c14ac4a4e96e1a829e71a54b70ae", + "results/components/Contractor/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml": "5695af3c5dbea7c9b14f59b2f089179070b439d633af76d8879d33f206a8d6dc", + "results/components/Contractor/PL-PLANNING.yaml": "6dffc9e49ba5fbe5043d055fcceb923386aac5bc702515adda05adfd5367c2b1", + "results/components/Contractor/CP-CONTINGENCY_PLANNING.yaml": "700ecbcc67bab76df92676a1d82af649123eb560ba32f1d86c167280b09bf71d", + "results/components/Contractor/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml": "ef261da6d58de7c3ec9908f347567b6be13a66108c56da10c7e06c1efd5b2161", + "results/components/Contractor/RA-RISK_ASSESSMENT.yaml": "4b0d231ee7690bf3f960970c96daec42e9bf486451c3f76f53cd968765fbc7c0", + "results/components/Contractor/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml": "2556e2004dfb576901c68afa1b5c81207bcdd353dd96783acc04126f5561e2b4", + "results/components/Contractor/AT-AWARENESS_AND_TRAINING.yaml": "cb44b63d57337f80d00e868bd1624cd9c512d44af67debf6f532b677a1758bc6", + "results/components/Contractor/CM-CONFIGURATION_MANAGEMENT.yaml": "49c0d32cec6b88c37f9f51315f1a19c55bba99e7bda3cc0ff287b9b231f49bcc", + "results/components/Contractor/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml": "9b2d4d107fd6dcfa125e79673f268d1717bc95090e9a33276fc7ac15cbd57393", + "results/components/Contractor/PS-PERSONNEL_SECURITY.yaml": "a85e543ad80632af224c4e8713708dbaa05138f2fdea62e4190d0daddd4c2568", + "results/components/Contractor/AU-AUDIT_AND_ACCOUNTABILITY.yaml": "b6ce8babcfe24b98d71802679a452608ac9380e2d5aa84eaf70bc9efdfcfa901", + "results/components/Contractor/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml": "097da940c8e5e64f5624773e965c6ec103560f50c1bf4012896565f5ce9dc9db", + 
"results/components/Contractor/MP-MEDIA_PROTECTION.yaml": "2c84daaae84529c836b69f5518459daa01097e36585b66f5d637a9fd0fab8a38", + "results/components/AWS/AC-ACCESS_CONTROL.yaml": "06a4a18eee5206bc005ba8ef92a65f64b604970eeecf017aa795d36d0d31f43a", + "results/components/AWS/MA-MAINTENANCE.yaml": "f499dc014605441ce67dd022618b5cd5722cc50adab0cdda7edf78ea227d0e52", + "results/components/AWS/IR-INCIDENT_RESPONSE.yaml": "f01126d9d6f62650a0d21a9e9faa039c038ac1950d0befb16e02494164ba6212", + "results/components/AWS/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml": "9d21d5335c2f275c5d7b0e4dfff343fa906d163d54804127c8098a7e8b9cc242", + "results/components/AWS/PL-PLANNING.yaml": "978b1b1da9a5370a922e365d508f9a784671335b7bfdb860024c2d5a9364a86d", + "results/components/AWS/CP-CONTINGENCY_PLANNING.yaml": "a91c43d0093f2f36301be5d627e66f3723cd391ea143368b1a3eb1ab4ee37ee0", + "results/components/AWS/PE-PHYSICAL_AND_ENVIRONMENTAL_PROTECTION.yaml": "2dd3d5c4045330449ae6475816974de9b2ec1de450760dcb0919efbc794efe0c", + "results/components/AWS/RA-RISK_ASSESSMENT.yaml": "cd29902c52bb85a2843146ddd4ae47888326e6e7190b9ea29a737732ebb19269", + "results/components/AWS/CM-CONFIGURATION_MANAGEMENT.yaml": "c7d16b9cae5b392d00c16206b2a4608701dbfa4eca61c76b638ca8dfabf1e0ac", + "results/components/AWS/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml": "4ce0780095c39fd82c5fd24eef14c904848b01e515b27a6a566560efaaf5e298", + "results/components/AWS/PS-PERSONNEL_SECURITY.yaml": "2f5a7fc5807933e94b5396ab89d3672c55808c38e3a19c3e87c26748e7b8f6c1", + "results/components/AWS/AU-AUDIT_AND_ACCOUNTABILITY.yaml": "062516255d29e61e320158144d0855e2f4e21c3ad441a864ac459207913989e6", + "results/components/AWS/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml": "7b3a7b1bfa6da7550d674c3e0d05b3a1363e960007c232e7b70151c1bb82a23c", + "results/components/AWS/MP-MEDIA_PROTECTION.yaml": "f8915a6fee95a8525d4d84b71645ead6f5afe688c25ffc83c1586bd758fa2ca2", + "results/components/Project/AC-ACCESS_CONTROL.yaml": 
"d35b5de1d7e8f7da1634b01be29789803cd6430c37cfd16d68a79cca33a1138b", + "results/components/Project/MA-MAINTENANCE.yaml": "272908e5d88645afc5d5e1906b9c2ae2e0e637deae9d4d2333144281c9ac56e0", + "results/components/Project/IR-INCIDENT_RESPONSE.yaml": "851c93e672447c5383861d8bba41a0a7c5f01c49f50e993027c81c4c41936bd6", + "results/components/Project/SA-SYSTEM_AND_SERVICES_ACQUISITION.yaml": "d625282f3528abb853b4798c1ee42d0fd9b8730855b857b1003c79c5abf73dad", + "results/components/Project/PL-PLANNING.yaml": "50df730d0bf4b6166f5e2a7c4ced5016d39b7615c6dc613b524bcc9705aa02fd", + "results/components/Project/CP-CONTINGENCY_PLANNING.yaml": "94e88737c94063e79e6ed64f076f282bae3cad5414e1bf2c1b87d60158e86f56", + "results/components/Project/CA-ASSESSMENT_AUTHORIZATION_AND_MONITORING.yaml": "7d6668df389d9be22f87152c5edb3b4ffc0313ac07a97b041c031bb1296788b6", + "results/components/Project/RA-RISK_ASSESSMENT.yaml": "5623411fb4e491c9c6597f32f6159c655210980c9fc4fe23deab7d423f80a997", + "results/components/Project/SI-SYSTEM_AND_INFORMATION_INTEGRITY.yaml": "70580f2e8a76a1d570c732fe722b9875fa01bffb4a226d97cd1afa60ebe08b13", + "results/components/Project/AT-AWARENESS_AND_TRAINING.yaml": "76b04f7278bd8ee53fa5d6b9cedbee7a9995db7f62e735c123827a5ef97ac9f9", + "results/components/Project/CM-CONFIGURATION_MANAGEMENT.yaml": "d79360666136b94da3c1d1b032a0b945c9c35879de5997c7ce3243205309645b", + "results/components/Project/IA-IDENTIFICATION_AND_AUTHENTICATION.yaml": "9a0a068bfeb7579d4cb977c1a92541c9e453f64f729877ab7536f0a2feb33ca4", + "results/components/Project/PS-PERSONNEL_SECURITY.yaml": "e825d46bf0971d86061ce7404bdcd05fb5ae828192348eaaafa437e852e1e297", + "results/components/Project/AU-AUDIT_AND_ACCOUNTABILITY.yaml": "cda0181f16af89445ffee5b437e45b22ad2dd076a105669c0a84c1c5226e3ea4", + "results/components/Project/SC-SYSTEM_AND_COMMUNICATIONS_PROTECTION.yaml": "e101eae0c859c4d56b7a4753d7d98962e02ed2f00be23a9c55d43fec8bdc95cf", + "results/components/Project/MP-MEDIA_PROTECTION.yaml": 
"89c7778af7c08d7ebb4b0d2b0aec0641dc65c6b46126baa558b0f45e5962996e" +} diff --git a/poetry.lock b/poetry.lock index 9e1d5c2..25d894d 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.0.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand. [[package]] name = "anyio" @@ -6,7 +6,6 @@ version = "4.8.0" description = "High level compatibility layer for multiple asynchronous event loop implementations" optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "anyio-4.8.0-py3-none-any.whl", hash = "sha256:b5011f270ab5eb0abf13385f851315585cc37ef330dd88e27ec3d34d651fd47a"}, {file = "anyio-4.8.0.tar.gz", hash = "sha256:1d9fe889df5212298c0c0723fa20479d1b94883a2df44bd3897aa91083316f7a"}, @@ -29,7 +28,6 @@ version = "3.5.3" description = "Bash tab completion for argparse" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "argcomplete-3.5.3-py3-none-any.whl", hash = "sha256:2ab2c4a215c59fd6caaff41a869480a23e8f6a5f910b266c1808037f4e375b61"}, {file = "argcomplete-3.5.3.tar.gz", hash = "sha256:c12bf50eded8aebb298c7b7da7a5ff3ee24dffd9f5281867dfe1424b58c55392"}, @@ -44,7 +42,6 @@ version = "25.1.0" description = "Classes Without Boilerplate" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "attrs-25.1.0-py3-none-any.whl", hash = "sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a"}, {file = "attrs-25.1.0.tar.gz", hash = "sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e"}, 
@@ -64,7 +61,6 @@ version = "4.2.1" description = "Modern password hashing for your software and your servers" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "bcrypt-4.2.1-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:1340411a0894b7d3ef562fb233e4b6ed58add185228650942bdc885362f32c17"}, {file = "bcrypt-4.2.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b1ee315739bc8387aa36ff127afc99120ee452924e0df517a8f3e4c0187a0f5f"}, @@ -103,7 +99,6 @@ version = "25.1.0" description = "The uncompromising code formatter." optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "black-25.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32"}, {file = "black-25.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da"}, @@ -150,7 +145,6 @@ version = "1.9.0" description = "Fast, simple object-to-object and broadcast signaling" optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "blinker-1.9.0-py3-none-any.whl", hash = "sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc"}, {file = "blinker-1.9.0.tar.gz", hash = "sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf"}, 
@@ -158,14 +152,13 @@ files = [ [[package]] name = "certifi" -version = "2024.12.14" +version = "2025.1.31" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.6" -groups = ["main"] files = [ - {file = "certifi-2024.12.14-py3-none-any.whl", hash = "sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56"}, - {file = "certifi-2024.12.14.tar.gz", hash = "sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db"}, + {file = "certifi-2025.1.31-py3-none-any.whl", hash = "sha256:ca78db4565a652026a4db2bcdf68f2fb589ea80d0be70e03929ed730746b84fe"}, + {file = "certifi-2025.1.31.tar.gz", hash = "sha256:3d5da6925056f6f18f119200434a4780a94263f10d1c21d032a6f6b2baa20651"}, ] [[package]] @@ -174,7 +167,6 @@ version = "1.17.1" description = "Foreign Function Interface for Python calling C code." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "cffi-1.17.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14"}, {file = "cffi-1.17.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67"}, @@ -254,7 +246,6 @@ version = "3.4.1" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "charset_normalizer-3.4.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:91b36a978b5ae0ee86c394f5a54d6ef44db1de0815eb43de826d41d21e4af3de"}, {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7461baadb4dc00fd9e0acbe254e3d7d2112e7f92ced2adc96e54ef6501c5f176"}, 
@@ -356,7 +347,6 @@ version = "8.1.8" description = "Composable command line interface toolkit" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "click-8.1.8-py3-none-any.whl", hash = "sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2"}, {file = "click-8.1.8.tar.gz", hash = "sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a"}, @@ -371,7 +361,6 @@ version = "0.6.0" description = "Minimal bindings to GitHub's fork of cmark" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "cmarkgfm-0.6.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:02f14c7e77fcddf044df14cc227d7703027ee720bac719616ac505af29812b73"}, {file = "cmarkgfm-0.6.0-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:786e8a06f7eec6eb3f3789353a586c8b065570d2db9811fdcdaced736a36ce53"}, @@ -434,8 +423,6 @@ version = "0.4.6" description = "Cross-platform colored terminal text." optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" -groups = ["main"] -markers = "platform_system == \"Windows\" or sys_platform == \"win32\"" files = [ {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, @@ -447,7 +434,6 @@ version = "2.5.0" description = "Tools to manage & autogenerate python objects representing the OSCAL layers/models" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "compliance-trestle-2.5.0.tar.gz", hash = "sha256:60faaaed194687060cb8309f53b315aec8dde086cadecf5faa20425fe159d5ce"}, {file = "compliance_trestle-2.5.0-py2.py3-none-any.whl", hash = "sha256:67bc7ae5e5d02520a8a9f9370ff6c1760d739d2e17434dcd2bf5399a61b4f497"}, 
@@ -481,7 +467,6 @@ version = "0.1.0-alpha.3" description = "Python library for reading/writing compliance as code" optional = false python-versions = "^3.10" -groups = ["main"] files = [] develop = false @@ -509,7 +494,6 @@ version = "41.0.6" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "cryptography-41.0.6-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:0f27acb55a4e77b9be8d550d762b0513ef3fc658cd3eb15110ebbcbd626db12c"}, {file = "cryptography-41.0.6-cp37-abi3-macosx_10_12_x86_64.whl", hash = "sha256:ae236bb8760c1e55b7a39b6d4d32d2279bc6c7c8500b7d5a13b6fb9fc97be35b"}, @@ -555,7 +539,6 @@ version = "0.26.5" description = "Datamodel Code Generator" optional = false python-versions = "<4.0,>=3.8" -groups = ["main"] files = [ {file = "datamodel_code_generator-0.26.5-py3-none-any.whl", hash = "sha256:e32f986b9914a2b45093947043aa0192d704650be93151f78acf5c95676601ce"}, {file = "datamodel_code_generator-0.26.5.tar.gz", hash = "sha256:c4a94a7dbf7972129882732d9bcee44c9ae090f57c82edd58d237b9d48c40dd0"}, @@ -572,7 +555,7 @@ jinja2 = ">=2.10.1,<4.0" packaging = "*" pydantic = [ {version = ">=1.10.0,<2.0.0 || >2.0.0,<2.0.1 || >2.0.1,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.12\" and python_version < \"4.0\""}, - {version = ">=1.10.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.11\" and python_version < \"3.12\""}, + {version = ">=1.10.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.11\" and python_version < \"4.0\""}, {version = ">=1.9.0,<2.4.0 || >2.4.0,<3.0", extras = ["email"], markers = "python_version >= \"3.10\" and python_version < \"3.11\""}, ] pyyaml = ">=6.0.1" 
@@ -590,7 +573,6 @@ version = "0.7.1" description = "XML bomb protection for Python stdlib modules" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -groups = ["main"] files = [ {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"}, {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"}, @@ -602,7 +584,6 @@ version = "2.7.0" description = "DNS toolkit" optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "dnspython-2.7.0-py3-none-any.whl", hash = "sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86"}, {file = "dnspython-2.7.0.tar.gz", hash = "sha256:ce9c432eda0dc91cf618a5cedf1a4e142651196bbcd2c80e89ed5a907e5cfaf1"}, @@ -623,7 +604,6 @@ version = "2.2.0" description = "A robust email address syntax and deliverability validation library." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "email_validator-2.2.0-py3-none-any.whl", hash = "sha256:561977c2d73ce3611850a06fa56b414621e0c8faa9d66f2611407d87465da631"}, {file = "email_validator-2.2.0.tar.gz", hash = "sha256:cb690f344c617a714f22e66ae771445a1ceb46821152df8e165c5f9a364582b7"}, @@ -639,7 +619,6 @@ version = "2.0.0" description = "An implementation of lxml.xmlfile for the standard library" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "et_xmlfile-2.0.0-py3-none-any.whl", hash = "sha256:7a91720bc756843502c3b7504c77b8fe44217c85c537d85037f0f536151b2caa"}, {file = "et_xmlfile-2.0.0.tar.gz", hash = "sha256:dab3f4764309081ce75662649be815c4c9081e88f0837825f90fd28317d4da54"}, 
@@ -651,8 +630,6 @@ version = "1.2.2" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" -groups = ["main"] -markers = "python_version < \"3.11\"" files = [ {file = "exceptiongroup-1.2.2-py3-none-any.whl", hash = "sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b"}, {file = "exceptiongroup-1.2.2.tar.gz", hash = "sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc"}, @@ -667,7 +644,6 @@ version = "4.0.1" description = "A collection of useful non-standard Python functions which aim to be simple to use, highly readable but not efficient." optional = false python-versions = "<4,>=3.7" -groups = ["main"] files = [ {file = "fpyutils-4.0.1-py3-none-any.whl", hash = "sha256:006cfbdbd87915d8a1c5b7062b6c8d2f4f9fd12c3e707d89c27e6abd6c67c6b2"}, {file = "fpyutils-4.0.1.tar.gz", hash = "sha256:5ee8448b09863d5905ad22cf5f6c8af79d3b314617ac8fbded48eb2a414988e6"}, @@ -679,7 +655,6 @@ version = "2.1.3" description = "URL manipulation made simple." optional = false python-versions = "*" -groups = ["main"] files = [ {file = "furl-2.1.3-py2.py3-none-any.whl", hash = "sha256:9ab425062c4217f9802508e45feb4a83e54324273ac4b202f1850363309666c0"}, {file = "furl-2.1.3.tar.gz", hash = "sha256:5a6188fe2666c484a12159c18be97a1977a71d632ef5bb867ef15f54af39cc4e"}, @@ -695,7 +670,6 @@ version = "1.3.0" description = "GenSON is a powerful, user-friendly JSON Schema generator." optional = false python-versions = "*" -groups = ["main"] files = [ {file = "genson-1.3.0-py3-none-any.whl", hash = "sha256:468feccd00274cc7e4c09e84b08704270ba8d95232aa280f65b986139cec67f7"}, {file = "genson-1.3.0.tar.gz", hash = "sha256:e02db9ac2e3fd29e65b5286f7135762e2cd8a986537c075b06fc5f1517308e37"}, 
@@ -707,7 +681,6 @@ version = "4.0.12" description = "Git Object Database" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "gitdb-4.0.12-py3-none-any.whl", hash = "sha256:67073e15955400952c6565cc3e707c554a4eea2e428946f7a4c162fab9bd9bcf"}, {file = "gitdb-4.0.12.tar.gz", hash = "sha256:5ef71f855d191a3326fcfbc0d5da835f26b13fbcba60c32c21091c349ffdb571"}, @@ -722,7 +695,6 @@ version = "3.1.44" description = "GitPython is a Python library used to interact with Git repositories" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "GitPython-3.1.44-py3-none-any.whl", hash = "sha256:9e0e10cda9bed1ee64bc9a6de50e7e38a9c9943241cd7f585f6df3ed28011110"}, {file = "gitpython-3.1.44.tar.gz", hash = "sha256:c87e30b26253bf5418b01b0660f818967f3c503193838337fe5e573331249269"}, @@ -741,7 +713,6 @@ version = "0.14.0" description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"}, {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"}, @@ -753,7 +724,6 @@ version = "1.0.7" description = "A minimal low-level HTTP client." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd"}, {file = "httpcore-1.0.7.tar.gz", hash = "sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c"}, 
@@ -775,7 +745,6 @@ version = "0.28.1" description = "The next generation HTTP client." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "httpx-0.28.1-py3-none-any.whl", hash = "sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad"}, {file = "httpx-0.28.1.tar.gz", hash = "sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc"}, @@ -800,7 +769,6 @@ version = "3.10" description = "Internationalized Domain Names in Applications (IDNA)" optional = false python-versions = ">=3.6" -groups = ["main"] files = [ {file = "idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"}, {file = "idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"}, @@ -815,7 +783,6 @@ version = "0.3.2" description = "i like command-line interfaces" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "ilcli-0.3.2-py2.py3-none-any.whl", hash = "sha256:dfb7d2da49c63ef92c5a589eb5f765d073d7ea83275c3dd2aea8ae5cbe4c5be2"}, {file = "ilcli-0.3.2.tar.gz", hash = "sha256:8a56b053836f8b0e1bbbdda884288d18dc966bd8e90fdf9b340914dba625cd7f"}, @@ -830,7 +797,6 @@ version = "5.6.2" description = "Correctly generate plurals, singular nouns, ordinals, indefinite articles; convert numbers to words" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "inflect-5.6.2-py3-none-any.whl", hash = "sha256:b45d91a4a28a4e617ff1821117439b06eaa86e2a4573154af0149e9be6687238"}, {file = "inflect-5.6.2.tar.gz", hash = "sha256:aadc7ed73928f5e014129794bbac03058cca35d0a973a5fc4eb45c7fa26005f9"}, 
@@ -846,7 +812,6 @@ version = "2.0.0" description = "brain-dead simple config-ini parsing" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, @@ -858,7 +823,6 @@ version = "5.13.2" description = "A Python utility / library to sort Python imports." optional = false python-versions = ">=3.8.0" -groups = ["main"] files = [ {file = "isort-5.13.2-py3-none-any.whl", hash = "sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6"}, {file = "isort-5.13.2.tar.gz", hash = "sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109"}, @@ -873,7 +837,6 @@ version = "3.1.5" description = "A very fast and expressive template engine." optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "jinja2-3.1.5-py3-none-any.whl", hash = "sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb"}, {file = "jinja2-3.1.5.tar.gz", hash = "sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb"}, @@ -891,7 +854,6 @@ version = "3.0.2" description = "Safely add untrusted strings to HTML/XML markup." optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"}, {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158"}, 
@@ -962,7 +924,6 @@ version = "9.0.0" description = "Automatically generate and add an accurate table of contents to markdown files" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "md_toc-9.0.0-py3-none-any.whl", hash = "sha256:dfd57de2faf252be1d6faf9bed7eab506e1caa7c4486ab6d6d04556426d5a7a5"}, {file = "md_toc-9.0.0.tar.gz", hash = "sha256:a4e73b59f71c20b94c8c16bc6ef3bc2e80d1d40c398050101f80c3567fda7271"}, @@ -977,7 +938,6 @@ version = "1.0.0" description = "Type system extensions for programs checked with the mypy type checker." optional = false python-versions = ">=3.5" -groups = ["main"] files = [ {file = "mypy_extensions-1.0.0-py3-none-any.whl", hash = "sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d"}, {file = "mypy_extensions-1.0.0.tar.gz", hash = "sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782"}, @@ -989,7 +949,6 @@ version = "3.1.5" description = "A Python library to read/write Excel 2010 xlsx/xlsm files" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "openpyxl-3.1.5-py2.py3-none-any.whl", hash = "sha256:5282c12b107bffeef825f4617dc029afaf41d0ea60823bbb665ef3079dc79de2"}, {file = "openpyxl-3.1.5.tar.gz", hash = "sha256:cf0e3cf56142039133628b5acffe8ef0c12bc902d2aadd3e0fe5878dc08d1050"}, @@ -1004,7 +963,6 @@ version = "1.0.1" description = "Ordered Multivalue Dictionary" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "orderedmultidict-1.0.1-py2.py3-none-any.whl", hash = "sha256:43c839a17ee3cdd62234c47deca1a8508a3f2ca1d0678a3bf791c87cf84adbf3"}, {file = "orderedmultidict-1.0.1.tar.gz", hash = "sha256:04070bbb5e87291cc9bfa51df413677faf2141c73c61d2a5f7b26bea3cd882ad"}, 
@@ -1019,7 +977,6 @@ version = "3.10.15" description = "Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "orjson-3.10.15-cp310-cp310-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:552c883d03ad185f720d0c09583ebde257e41b9521b74ff40e08b7dec4559c04"}, {file = "orjson-3.10.15-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:616e3e8d438d02e4854f70bfdc03a6bcdb697358dbaa6bcd19cbe24d24ece1f8"}, @@ -1108,7 +1065,6 @@ version = "24.2" description = "Core utilities for Python packages" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"}, {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"}, @@ -1120,7 +1076,6 @@ version = "3.4.0" description = "SSH2 protocol library" optional = false python-versions = ">=3.6" -groups = ["main"] files = [ {file = "paramiko-3.4.0-py3-none-any.whl", hash = "sha256:43f0b51115a896f9c00f59618023484cb3a14b98bbceab43394a39c6739b7ee7"}, {file = "paramiko-3.4.0.tar.gz", hash = "sha256:aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3"}, @@ -1142,7 +1097,6 @@ version = "0.12.1" description = "Utility library for gitignore style pattern matching of file paths." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "pathspec-0.12.1-py3-none-any.whl", hash = "sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08"}, {file = "pathspec-0.12.1.tar.gz", hash = "sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"}, 
@@ -1154,7 +1108,6 @@ version = "4.3.6" description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "platformdirs-4.3.6-py3-none-any.whl", hash = "sha256:73e575e1408ab8103900836b97580d5307456908a03e92031bab39e4554cc3fb"}, {file = "platformdirs-4.3.6.tar.gz", hash = "sha256:357fb2acbc885b0419afd3ce3ed34564c13c9b95c89360cd9563f73aa5e2b907"}, @@ -1171,7 +1124,6 @@ version = "1.5.0" description = "plugin and hook calling mechanisms for python" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, @@ -1187,7 +1139,6 @@ version = "2.0.1" description = "Poetry PEP 517 Build Backend" optional = false python-versions = "<4.0,>=3.9" -groups = ["main"] files = [ {file = "poetry_core-2.0.1-py3-none-any.whl", hash = "sha256:a3c7009536522cda4eb0fb3805c9dc935b5537f8727dd01efb9c15e51a17552b"}, {file = "poetry_core-2.0.1.tar.gz", hash = "sha256:10177c2772469d9032a49f0d8707af761b1c597cea3b4fb31546e5cd436eb157"}, @@ -1199,7 +1150,6 @@ version = "2.22" description = "C parser in Python" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, 
@@ -1211,7 +1161,6 @@ version = "1.10.21" description = "Data validation and settings management using python type hints" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "pydantic-1.10.21-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586"}, {file = "pydantic-1.10.21-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd"}, @@ -1279,7 +1228,6 @@ version = "1.5.0" description = "Python binding to the Networking and Cryptography (NaCl) library" optional = false python-versions = ">=3.6" -groups = ["main"] files = [ {file = "PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1"}, {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92"}, @@ -1306,7 +1254,6 @@ version = "1.15" description = "Thin wrapper for pandoc." optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "pypandoc-1.15-py3-none-any.whl", hash = "sha256:4ededcc76c8770f27aaca6dff47724578428eca84212a31479403a9731fc2b16"}, {file = "pypandoc-1.15.tar.gz", hash = "sha256:ea25beebe712ae41d63f7410c08741a3cab0e420f6703f95bc9b3a749192ce13"}, @@ -1318,7 +1265,6 @@ version = "7.4.4" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "pytest-7.4.4-py3-none-any.whl", hash = "sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8"}, {file = "pytest-7.4.4.tar.gz", hash = "sha256:2cf0005922c6ace4a3e2ec8b4080eb0d9753fdc93107415332f50ce9e7994280"}, 
@@ -1341,7 +1287,6 @@ version = "1.0.1" description = "Read key-value pairs from a .env file and set them as environment variables" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "python-dotenv-1.0.1.tar.gz", hash = "sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca"}, {file = "python_dotenv-1.0.1-py3-none-any.whl", hash = "sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a"}, @@ -1356,7 +1301,6 @@ version = "1.1.0" description = "Parse and manage posts with YAML (or other) frontmatter" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "python-frontmatter-1.1.0.tar.gz", hash = "sha256:7118d2bd56af9149625745c58c9b51fb67e8d1294a0c76796dafdc72c36e5f6d"}, {file = "python_frontmatter-1.1.0-py3-none-any.whl", hash = "sha256:335465556358d9d0e6c98bbeb69b1c969f2a4a21360587b9873bfc3b213407c1"}, @@ -1375,7 +1319,6 @@ version = "8.0.4" description = "A Python slugify application that also handles Unicode" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "python-slugify-8.0.4.tar.gz", hash = "sha256:59202371d1d05b54a9e7720c5e038f928f45daaffe41dd10822f3907b937c856"}, {file = "python_slugify-8.0.4-py2.py3-none-any.whl", hash = "sha256:276540b79961052b66b7d116620b36518847f52d5fd9e3a70164fc8c50faa6b8"}, @@ -1393,8 +1336,6 @@ version = "308" description = "Python for Window Extensions" optional = false python-versions = "*" -groups = ["main"] -markers = "platform_system == \"Windows\"" files = [ {file = "pywin32-308-cp310-cp310-win32.whl", hash = "sha256:796ff4426437896550d2981b9c2ac0ffd75238ad9ea2d3bfa67a1abd546d262e"}, {file = "pywin32-308-cp310-cp310-win_amd64.whl", hash = "sha256:4fc888c59b3c0bef905ce7eb7e2106a07712015ea1c8234b703a088d46110e8e"}, 
@@ -1422,7 +1363,6 @@ version = "6.0.2" description = "YAML parser and emitter for Python" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"}, {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"}, @@ -1485,7 +1425,6 @@ version = "2.32.3" description = "Python HTTP for Humans." optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, @@ -1507,7 +1446,6 @@ version = "1.0.0" description = "All the annoying things to make YAML usable in a source controlled environment." optional = false python-versions = "*" -groups = ["main"] files = [ {file = "rtyaml-1.0.0-py2.py3-none-any.whl", hash = "sha256:589129e75ecb2ba0def3dcc094bb462f68faed48e42a8fa0fcf4a9d6119fd725"}, {file = "rtyaml-1.0.0.tar.gz", hash = "sha256:66aa6e2f2c8c29ccab9d1713072a4e06c52c6cdcfe27ebd50706df09638c4586"}, @@ -1522,7 +1460,6 @@ version = "0.18.10" description = "ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "ruamel.yaml-0.18.10-py3-none-any.whl", hash = "sha256:30f22513ab2301b3d2b577adc121c6471f28734d3d9728581245f1e76468b4f1"}, {file = "ruamel.yaml-0.18.10.tar.gz", hash = "sha256:20c86ab29ac2153f80a428e1254a8adf686d3383df04490514ca3b79a362db58"}, 
@@ -1541,8 +1478,6 @@ version = "0.2.12" description = "C version of reader, parser and emitter for ruamel.yaml derived from libyaml" optional = false python-versions = ">=3.9" -groups = ["main"] -markers = "platform_python_implementation == \"CPython\" and python_version < \"3.13\"" files = [ {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-macosx_13_0_arm64.whl", hash = "sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux2014_aarch64.whl", hash = "sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969"}, @@ -1550,7 +1485,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd"}, - {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win32.whl", hash = "sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da"}, {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win_amd64.whl", hash = "sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6"}, 
@@ -1559,7 +1493,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2"}, - {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win32.whl", hash = "sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4"}, {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win_amd64.whl", hash = "sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632"}, 
@@ -1568,7 +1501,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680"}, - {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win32.whl", hash = "sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5"}, {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win_amd64.whl", hash = "sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a"}, 
@@ -1577,7 +1509,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1"}, - {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win32.whl", hash = "sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6"}, {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win_amd64.whl", hash = "sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987"}, 
@@ -1586,7 +1517,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed"}, - {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win32.whl", hash = "sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12"}, {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win_amd64.whl", hash = "sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b"}, {file = "ruamel.yaml.clib-0.2.12.tar.gz", hash = "sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f"}, @@ -1598,7 +1528,6 @@ version = "1.17.0" description = "Python 2 and 3 compatibility utilities" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" -groups = ["main"] files = [ {file = "six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"}, {file = "six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81"}, @@ -1610,7 +1539,6 @@ version = "0.0.1" description = "A generic slugifier." optional = false python-versions = "*" -groups = ["main"] files = [ {file = "slugify-0.0.1.tar.gz", hash = "sha256:c5703cc11c1a6947536f3ce8bb306766b8bb5a84a53717f5a703ce0f18235e4c"}, ] 
@@ -1621,7 +1549,6 @@ version = "5.0.2" description = "A pure Python implementation of a sliding window memory map manager" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "smmap-5.0.2-py3-none-any.whl", hash = "sha256:b30115f0def7d7531d22a0fb6502488d879e75b260a9db4d0819cfb25403af5e"}, {file = "smmap-5.0.2.tar.gz", hash = "sha256:26ea65a03958fa0c8a1c7e8c7a58fdc77221b8910f6be2131affade476898ad5"}, @@ -1633,7 +1560,6 @@ version = "1.3.1" description = "Sniff out which async library your code is running under" optional = false python-versions = ">=3.7" -groups = ["main"] files = [ {file = "sniffio-1.3.1-py3-none-any.whl", hash = "sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2"}, {file = "sniffio-1.3.1.tar.gz", hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc"}, @@ -1645,7 +1571,6 @@ version = "1.3" description = "The most basic Text::Unidecode port" optional = false python-versions = "*" -groups = ["main"] files = [ {file = "text-unidecode-1.3.tar.gz", hash = "sha256:bad6603bb14d279193107714b288be206cac565dfa49aa5b105294dd5c4aab93"}, {file = "text_unidecode-1.3-py2.py3-none-any.whl", hash = "sha256:1311f10e8b895935241623731c2ba64f4c455287888b18189350b67134a822e8"}, @@ -1657,8 +1582,6 @@ version = "0.10.2" description = "Python Library for Tom's Obvious, Minimal Language" optional = false python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" -groups = ["main"] -markers = "python_version < \"3.11\"" files = [ {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"}, {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"}, 
@@ -1670,8 +1593,6 @@ version = "2.2.1" description = "A lil' TOML parser" optional = false python-versions = ">=3.8" -groups = ["main"] -markers = "python_version < \"3.11\"" files = [ {file = "tomli-2.2.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249"}, {file = "tomli-2.2.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6"}, @@ -1713,7 +1634,6 @@ version = "4.12.2" description = "Backported and Experimental Type Hints for Python 3.8+" optional = false python-versions = ">=3.8" -groups = ["main"] files = [ {file = "typing_extensions-4.12.2-py3-none-any.whl", hash = "sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d"}, {file = "typing_extensions-4.12.2.tar.gz", hash = "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8"}, @@ -1725,7 +1645,6 @@ version = "2.3.0" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "urllib3-2.3.0-py3-none-any.whl", hash = "sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df"}, {file = "urllib3-2.3.0.tar.gz", hash = "sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d"}, @@ -1743,7 +1662,6 @@ version = "6.0.0" description = "Filesystem events monitoring" optional = false python-versions = ">=3.9" -groups = ["main"] files = [ {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d1cdb490583ebd691c012b3d6dae011000fe42edb7a82ece80965b42abd61f26"}, {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:bc64ab3bdb6a04d69d4023b29422170b74681784ffb9463ed4870cf2f3e66112"}, 
@@ -1781,6 +1699,6 @@ files = [ watchmedo = ["PyYAML (>=3.10)"] [metadata] -lock-version = "2.1" +lock-version = "2.0" python-versions = "^3.10" content-hash = "54af746d30fe74837a3fe91e731bafd81f979a051e4959feacdc4205ea7cd9ef" diff --git a/pyproject.toml b/pyproject.toml index 307ac19..5ad5e74 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -33,7 +33,7 @@ createfiles = "tools.createfiles.createfiles:create_files" creatematrix = "tools.creatematrix.creatematrix:main" exportto = "tools.exportto.exportto:main" makefamilies = "tools.makefamilies.makefamilies:make_families" -sop = "tools.sop.sop:main" +sop = "tools.sop.sop:sop" makessp = "tools.makessp.makessp:main" getconfig = "tools.helpers.config:check_config" diff --git a/requirements.txt b/requirements.txt index 707d40e..a3fa217 100644 --- a/requirements.txt +++ b/requirements.txt @@ -59,9 +59,9 @@ black==25.1.0 ; python_version >= "3.10" and python_version < "4.0" \ blinker==1.9.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf \ --hash=sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc -certifi==2024.12.14 ; python_version >= "3.10" and python_version < "4.0" \ - --hash=sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56 \ - --hash=sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db +certifi==2025.1.31 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:3d5da6925056f6f18f119200434a4780a94263f10d1c21d032a6f6b2baa20651 \ + --hash=sha256:ca78db4565a652026a4db2bcdf68f2fb589ea80d0be70e03929ed730746b84fe cffi==1.17.1 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ 
@@ -277,7 +277,7 @@ cmarkgfm==0.6.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:f0da78ef960f57aec8a6854821a99fa7a520dad77631b19becb68b2ebf8dbc2d \ --hash=sha256:f56aa4940aa4ee98fd6f3e0a648b8ae1e6a27f5007d64d406aeadc51451dc13b \ --hash=sha256:fa28b1a335adb5bad04b4a50382cbcfcc6c8d68413ba35e2cd3f657a1dc76347 -colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" or python_version >= "3.10" and python_version < "4.0" and sys_platform == "win32" \ +colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and (platform_system == "Windows" or sys_platform == "win32") \ --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 compliance-trestle==2.5.0 ; python_version >= "3.10" and python_version < "4.0" \ @@ -308,7 +308,7 @@ cryptography==41.0.6 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:da46e2b5df770070412c46f87bac0849b8d685c5f2679771de277a422c7d0b86 \ --hash=sha256:f39812f70fc5c71a15aa3c97b2bbe213c3f2a460b79bd21c40d033bb34a9bf36 \ --hash=sha256:ff369dd19e8fe0528b02e8df9f2aeb2479f89b1270d90f96a63500afe9af5cae -datamodel-code-generator==0.26.5 ; python_version >= "3.10" and python_version < "4.0" \ +datamodel-code-generator[http]==0.26.5 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:c4a94a7dbf7972129882732d9bcee44c9ae090f57c82edd58d237b9d48c40dd0 \ --hash=sha256:e32f986b9914a2b45093947043aa0192d704650be93151f78acf5c95676601ce defusedxml==0.7.1 ; python_version >= "3.10" and python_version < "4.0" \ 
@@ -326,7 +326,7 @@ et-xmlfile==2.0.0 ; python_version >= "3.10" and python_version < "4.0" \ exceptiongroup==1.2.2 ; python_version >= "3.10" and python_version < "3.11" \ --hash=sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b \ --hash=sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc -fpyutils==4.0.1 ; python_version >= "3.10" and python_version < "4.0" \ +fpyutils==4.0.1 ; python_version >= "3.10" and python_version < "4" \ --hash=sha256:006cfbdbd87915d8a1c5b7062b6c8d2f4f9fd12c3e707d89c27e6abd6c67c6b2 \ --hash=sha256:5ee8448b09863d5905ad22cf5f6c8af79d3b314617ac8fbded48eb2a414988e6 furl==2.1.3 ; python_version >= "3.10" and python_version < "4.0" \ 
@@ -594,6 +594,57 @@ pydantic==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 +pydantic[email]==1.10.21 ; python_version >= "3.10" and python_version < "4.0" \ + --hash=sha256:0067935d35044950be781933ab91b9a708eaff124bf860fa2f70aeb1c4be7212 \ + --hash=sha256:08caa8c0468172d27c669abfe9e7d96a8b1655ec0833753e117061febaaadef5 \ + --hash=sha256:0bb58bbe65a43483d49f66b6c8474424d551a3fbe8a7796c42da314bac712738 \ + --hash=sha256:185d5f1dff1fead51766da9b2de4f3dc3b8fca39e59383c273f34a6ae254e3e2 \ + --hash=sha256:1d7c332685eafacb64a1a7645b409a166eb7537f23142d26895746f628a3149b \ + --hash=sha256:245e486e0fec53ec2366df9cf1cba36e0bbf066af7cd9c974bbbd9ba10e1e586 \ + --hash=sha256:266ecfc384861d7b0b9c214788ddff75a2ea123aa756bcca6b2a1175edeca0fe \ + --hash=sha256:298d6f765e3c9825dfa78f24c1efd29af91c3ab1b763e1fd26ae4d9e1749e5c8 \ + --hash=sha256:2b6a04efdcd25486b27f24c1648d5adc1633ad8b4506d0e96e5367f075ed2e0b \ + --hash=sha256:2c9b782db6f993a36092480eeaab8ba0609f786041b01f39c7c52252bda6d85f \ + --hash=sha256:2ed4a5f13cf160d64aa331ab9017af81f3481cd9fd0e49f1d707b57fe1b9f3ae \ + --hash=sha256:35b263b60c519354afb3a60107d20470dd5250b3ce54c08753f6975c406d949b \ + --hash=sha256:36ceadef055af06e7756eb4b871cdc9e5a27bdc06a45c820cd94b443de019bbf \ + --hash=sha256:38e6d35cf7cd1727822c79e324fa0677e1a08c88a34f56695101f5ad4d5e20e5 \ + --hash=sha256:3b7693bb6ed3fbe250e222f9415abb73111bb09b73ab90d2d4d53f6390e0ccc1 \ + --hash=sha256:3c96fed246ccc1acb2df032ff642459e4ae18b315ecbab4d95c95cfa292e8517 \ + --hash=sha256:46cffa24891b06269e12f7e1ec50b73f0c9ab4ce71c2caa4ccf1fb36845e1ff7 \ + --hash=sha256:57f0101e6c97b411f287a0b7cf5ebc4e5d3b18254bf926f45a11615d29475793 \ + --hash=sha256:5d387940f0f1a0adb3c44481aa379122d06df8486cc8f652a7b3b0caf08435f7 \ + 
--hash=sha256:5e8148c2ce4894ce7e5a4925d9d3fdce429fb0e821b5a8783573f3611933a251 \ + --hash=sha256:61da798c05a06a362a2f8c5e3ff0341743e2818d0f530eaac0d6898f1b187f1f \ + --hash=sha256:64b48e2b609a6c22178a56c408ee1215a7206077ecb8a193e2fda31858b2362a \ + --hash=sha256:662bf5ce3c9b1cef32a32a2f4debe00d2f4839fefbebe1d6956e681122a9c839 \ + --hash=sha256:6a497bc66b3374b7d105763d1d3de76d949287bf28969bff4656206ab8a53aa9 \ + --hash=sha256:6b64708009cfabd9c2211295144ff455ec7ceb4c4fb45a07a804309598f36187 \ + --hash=sha256:6c54f8d4c151c1de784c5b93dfbb872067e3414619e10e21e695f7bb84d1d1fd \ + --hash=sha256:79577cc045d3442c4e845df53df9f9202546e2ba54954c057d253fc17cd16cb1 \ + --hash=sha256:7ce64d23d4e71d9698492479505674c5c5b92cda02b07c91dfc13633b2eef805 \ + --hash=sha256:8a148410fa0e971ba333358d11a6dea7b48e063de127c2b09ece9d1c1137dde4 \ + --hash=sha256:8b6350b68566bb6b164fb06a3772e878887f3c857c46c0c534788081cb48adf4 \ + --hash=sha256:90e85834f0370d737c77a386ce505c21b06bfe7086c1c568b70e15a568d9670d \ + --hash=sha256:935b19fdcde236f4fbf691959fa5c3e2b6951fff132964e869e57c70f2ad1ba3 \ + --hash=sha256:98737c3ab5a2f8a85f2326eebcd214510f898881a290a7939a45ec294743c875 \ + --hash=sha256:9e3e4000cd54ef455694b8be9111ea20f66a686fc155feda1ecacf2322b115da \ + --hash=sha256:a4973232c98b9b44c78b1233693e5e1938add5af18042f031737e1214455f9b8 \ + --hash=sha256:a621742da75ce272d64ea57bd7651ee2a115fa67c0f11d66d9dcfc18c2f1b106 \ + --hash=sha256:b6b73ab347284719f818acb14f7cd80696c6fdf1bd34feee1955d7a72d2e64ce \ + --hash=sha256:b8460bc256bf0de821839aea6794bb38a4c0fbd48f949ea51093f6edce0be459 \ + --hash=sha256:b92893ebefc0151474f682e7debb6ab38552ce56a90e39a8834734c81f37c8a9 \ + --hash=sha256:c0501e1d12df6ab1211b8cad52d2f7b2cd81f8e8e776d39aa5e71e2998d0379f \ + --hash=sha256:c1ba253eb5af8d89864073e6ce8e6c8dec5f49920cff61f38f5c3383e38b1c9f \ + --hash=sha256:c261127c275d7bce50b26b26c7d8427dcb5c4803e840e913f8d9df3f99dca55f \ + --hash=sha256:c677aa39ec737fec932feb68e4a2abe142682f2885558402602cd9746a1c92e8 \ + 
--hash=sha256:d356aa5b18ef5a24d8081f5c5beb67c0a2a6ff2a953ee38d65a2aa96526b274f \ + --hash=sha256:db70c920cba9d05c69ad4a9e7f8e9e83011abb2c6490e561de9ae24aee44925c \ + --hash=sha256:e23a97a6c2f2db88995496db9387cd1727acdacc85835ba8619dce826c0b11a6 \ + --hash=sha256:e622314542fb48542c09c7bd1ac51d71c5632dd3c92dc82ede6da233f55f4848 \ + --hash=sha256:e7f0cda108b36a30c8fc882e4fc5b7eec8ef584aa43aa43694c6a7b274fb2b56 \ + --hash=sha256:f198c8206640f4c0ef5a76b779241efb1380a300d88b1bce9bfe95a6362e674d \ + --hash=sha256:f2f4a2305f15eff68f874766d982114ac89468f1c2c0b97640e719cf1a078374 pynacl==1.5.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858 \ --hash=sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d \ 
@@ -699,21 +750,18 @@ requests==2.32.3 ; python_version >= "3.10" and python_version < "4.0" \ rtyaml==1.0.0 ; python_version >= "3.10" and python_version < "4.0" \ --hash=sha256:589129e75ecb2ba0def3dcc094bb462f68faed48e42a8fa0fcf4a9d6119fd725 \ --hash=sha256:66aa6e2f2c8c29ccab9d1713072a4e06c52c6cdcfe27ebd50706df09638c4586 -ruamel-yaml-clib==0.2.12 ; python_version >= "3.10" and python_version < "3.13" and platform_python_implementation == "CPython" \ +ruamel-yaml-clib==0.2.12 ; platform_python_implementation == "CPython" and python_version < "3.13" and python_version >= "3.10" \ --hash=sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b \ --hash=sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4 \ --hash=sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef \ --hash=sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5 \ - --hash=sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3 \ --hash=sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632 \ --hash=sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6 \ - --hash=sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7 \ --hash=sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680 \ --hash=sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf \ --hash=sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da \ --hash=sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6 \ --hash=sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a \ - --hash=sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01 \ --hash=sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519 \ --hash=sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6 \ --hash=sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f \ 
@@ -725,10 +773,8 @@ ruamel-yaml-clib==0.2.12 ; python_version >= "3.10" and python_version < "3.13" --hash=sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c \ --hash=sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6 \ --hash=sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb \ - --hash=sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a \ --hash=sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969 \ --hash=sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28 \ - --hash=sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d \ --hash=sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e \ --hash=sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45 \ --hash=sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4 \ diff --git a/results/docs/sop/sop-ac-access-control.md b/results/docs/sop/sop-ac-access-control.md new file mode 100644 index 0000000..009263f --- /dev/null +++ b/results/docs/sop/sop-ac-access-control.md 
@@ -0,0 +1,243 @@
+# Access Control (AC) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [AC-01 Access Control Policy And Procedures](#ac-01-access-control-policy-and-procedures)
+ - [AC-02 Account Management](#ac-02-account-management)
+ - [AC-03 Access Enforcement](#ac-03-access-enforcement)
+ - [AC-03(9) Controlled Release](#ac-039-controlled-release)
+ - [AC-06 Least Privilege](#ac-06-least-privilege)
+ - [AC-07 Unsuccessful Login Attempts](#ac-07-unsuccessful-login-attempts)
+ - [AC-08 System Use Notification](#ac-08-system-use-notification)
+ - [AC-14 Permitted Actions Without Identification Or Authentication](#ac-14-permitted-actions-without-identification-or-authentication)
+ - [AC-17 Remote Access](#ac-17-remote-access)
+ - [AC-18 Wireless Access](#ac-18-wireless-access)
+ - [AC-19 Access Control For Mobile Devices](#ac-19-access-control-for-mobile-devices)
+ - [AC-20 Use Of External Information Systems](#ac-20-use-of-external-information-systems)
+ - [AC-22 Publicly Accessible Content](#ac-22-publicly-accessible-content)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### AC-01 Access Control Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Access Control (AC) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+Access control policy and procedures are documented in the Project Full Name SSP. Access to Project operational information or system resources is limited to only authorized users, programs or processes. The Department enforces access control policies to protect the integrity of the Project Full Name. This Department reviews and updates this policy as necessary and it has been being updated, as necessary, since April 2008.
+
+
+### AC-02 Account Management
+
+The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS account management.
+
+
+**a.** Ilias provides user accounts for individuals who participate in visiting, contributing to and administering the site with the following roles:
+- Anonymous user – Readers of the site who either do not have an account or are not logged in.
+- Guest – This role has limited visibility and read permissions
+- User - Standard role for registered users. This role grants read access to most objects.
+- Administrator - This role has all permissions enabled by default.
+
+
+Operations, in collaboration with the Security Office, will set up privileged accounts accounts for the following roles:
+- Developer - user level account that has access to application features and sanitized databases
+- System Administrator - user accounts that enjoy full system administrator (`sudo`) access
+
+
+Drupal provides the following information system account types to support organizational mission/business functions:
+
+- Anonymous user - readers of the site who either do not have an account or are not
+ logged in.
+
+- Authenticated user - All non-anonymous users inherit the "authenticated user role"
+ that supports personal account management capabilities.
+
+- Administrator - This role has all permissions enabled by default.
+
+
+In this architecture, the baseline AWS Identity and Access Management (IAM) groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, S3 storage, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.)
+
+
+SSH system accounts are provided to contractors on an as-needed basis.
+
+Access privileges are used to ensure that only authorized personnel access certain areas of the Project system. User access is controlled by the completion and submission of Project system Rules of Behavior and New User Account Request forms by the user and management. These items are completed and submitted whenever a new user requires access or an existing user requires access changes. The system administrator, based on need-to-know, assigns the proper permissions. The employee’s manager approves the access rights before the initial account is created. Finally, the system administrator implements the access rights according to the New User Account Request form. The security staff and the support contractor review accounts periodically. Accounts no longer in use are removed from the system by the system administrator.
+
+The Project has implemented user account procedures to disable inactive user accounts after 90-days of inactivity. The Project support staff monitors all user accounts to ensure this procedure is enforced. Section 6.3, Authentication Management, of the Project SSP illustrates the exact procedures the contractor support staff follows to ensure accounts are properly managed.
+The Project system does not have guest or anonymous accounts.
+
+**b.** Drupal defines a default set of roles; Anonymous, Authenticated, and Administrator, as well as providing for the creation of additional organizational-defined roles identified by Project Full Name
+
+
+The CivicActions Project Manager assigns the "administrator" role for the management of all accounts issued to internal admin roles supporting the information system. Account requests are initiated by the Project Manager by completing a ticket request and the CivicActions Operation staff manages the account creation process.
+
+
+The system Owner has oversight over all permissions that the Project Manager and Operations Staff manages.
+
+**c.** In accordance with Project Access Control Policy, Project group membership is determined according to the individual's position and role within the organization. A ticket request is used to request accounts and group membership. The request is authorized by the appropriate manager.
+
+**d.** Ilias' permissions and role-based access controls are built-in. Each role within Ilias can only access the pages and controls for which their privilege allows.
+
+Drupal has a sophisticated permissions and role-based access control built-in. Each role within Drupal can only access the documents and controls for which their privilege allows.
+
+All accounts issued for application administrators and SSH are documented in CivicActions' ticketing system.
Account request tickets contain details that explain the attributes for the account including authorized users of Drupal, system infrastructure, group and role membership, and access authorizations.
+
+
+Project user privileges vary depending on the type of user role assigned. Only users with the role of Administrator have the ability to create and modify user roles for other users.
+
+**e.** All accounts issued for the admin management of Application or SSH access must be approved by the System Owner or Project Manager who must create an account request. The CivicActions Operations staff applies appropriate account permissions and settings based on the job role and function documented within the request ticket using processes defined by the CivicActions' Security Office.
+
+The System Owner approves, and CivicActions Operations set up the initial Administrator account for Project. Subsequent client access and related approvals are managed by CivicActions Operations in collaboration with the System Owner.
+
+**f.** CivicActions Operations staff is responsible for the following account management activities for both internal administrative users and customer accounts:
+
+- Establishing account justification
+- Activating accounts
+- Modifying accounts
+- Expiring accounts
+- Disabling accounts
+- Removing accounts
+
+**g.** Ilias monitors the usage of information accounts in a log on the server.
+
+Drupal monitors the usage of information accounts in the Watchdog log.
+
+All CivicActions systems log the usage of information accounts.
+
+In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, which provide the audit trail capability for the organization to monitor the use of AWS Identity and Access Management (IAM) accounts. An Amazon S3 bucket centrally contains the CloudTrail audit logs.
Amazon CloudWatch Alarm is configured to send an alert when any of the following happen:
+ - an API call is made to create, update, or delete a Network ACL/Security Group
+ - AWS account *root user* activity is detected
+ - multiple API actions or login attempts fail
+ - IAM Configuration changes are detected
+ - new IAM access key was created
+ - changes to the CloudTrail log configuration are detected
+
+**h.** In accordance with the CivicActions Access Control (AC-01) Policy when an account is no longer required, the Project Manager notifies the Operations Team to immediately disable all access. Users upon reassignment, change in roles, termination, or leaving employment are initially removed from all roles and groups, effectively denying them all access to privileged accounts.
+
+**i.** System accounts require access authorizations prior to accounts being created. The Project Manager must initiate an access request for an account to be created. CivicActions Operations staff reviews the request to ensure accuracy, including intended system usage and other attributes of the user access being requested.
+
+
+Project governs their own administrative access. Users with
+the Administrator roles are empowered to designate and approve
+Administrators.
+
+**j.** All privileged accounts are reviewed by CivicActions Operations staff every 180 days.
+
+
+Administrators are empowered to and responsible for reviewing their own accounts and determining whether the accounts should still be authorized.
+
+**k.** In accordance with standard security best practices and CivicActions policy, shared and reissued accounts for internal accounts of any kind are not created nor used for any purpose in any system.
+
+### AC-03 Access Enforcement
+
+Access control in Ilias is enforced by authentication via Shibboleth single sing on (SSO) for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege.
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Project Administrators, HR Managers, and Org Managers are the only roles that can create new user accounts.
+
+
+Access control in Drupal is enforced by authentication via a unique username/password for every type of user except Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege.
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Drupal Administrators are the only user roles that can create new user accounts.
+
+
+In this architecture, AWS Identify and Access Management (IAM) and Amazon Amazon S3 enforce access to the AWS infrastructure and data in Amazon S3 buckets. The baseline IAM groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.) Login/API access is restricted to those users for whom the organization has authorized and created, or federated, IAM user accounts, and assigned the appropriate IAM group and/or role memberships. Amazon S3 buckets have specific access control policies assigned to restrict access to those IAM users who are assigned the appropriate IAM roles/groups.
+
+
+The Project Full Name ensures that assigned authorizations for controlling access to the system is enforced in accordance with the user definitions noted in Section 1.1.1 of the Project SSP. The technical support staff ensures that access to security functions and protected information is restricted to authorized personnel. Access will be controlled with access control list used on each instance. Members of one group cannot access resources defined for other groups unless explicitly permitted.
+
+
+### AC-03(9) Controlled Release
+
+The Project information system does not release information outside of the established system boundary.
+
+
+### AC-06 Least Privilege
+
+SSH access is provided on a least privilege basis and analyzed on an ongoing basis, at least quarterly. Findings related to these audits of accounts are reported and reviewed by the Security Office and evaluated to determine roles that need to be revoked.
+
+### AC-07 Unsuccessful Login Attempts
+
+The Project system locks out users after three unsuccessful login attempts. The information system automatically locks the account permanently, unless an administrator unlocks the account before then, when the maximum number of unsuccessful attempts (3) is exceeded.
+
+
+**a.** Drupal can be configured to lock an account after a specified number of invalid login attempts within a specified time period. The default for Drupal is 5 failed login attempts within six hours.
+**b.** Lockdown following unsuccessful attempts is configurable by Drupal administrators to conform to defined requirements. When a user exceeds the limit of invalid login attempts, their account is automatically locked for a specified time and requires administrator action to unlock the account before the lockout period expires.
+### AC-08 System Use Notification
+
+System Use Notification is inherited from the Project.
+
+A warning banner ensures that all persons attempting to gain access to the system know that the system and its information are “Authorized User Only” and that attempts to illegally log on to the system could lead to criminal prosecution. The warning message displayed notifies unauthorized users that they have accessed a U.S. Government computer system and continued, unauthorized use can be punishable by fines or imprisonment. Each device logged into will display a system use notification message before the log in window is displayed.
The system use notification banner will remain on the screen until the user takes an explicit action to log on to the device. The following is the notification banner displayed on all system instances:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+- At any time, the USG may inspect and seize data stored on this IS.
+- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+
+### AC-14 Permitted Actions Without Identification Or Authentication
+
+The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves.
+
+The Project Full Name allows the general public user to read the web pages, do searches on the resource database and to review online forum information without identification and authentication for the public web site.
Program and Privilege users cannot access the Project system without identification or authentication.
+
+
+**a.** The anonymous user role has the least access to the site of all roles. Drupal sites can be configured to allow actions identified by Project Full Name
+
+### AC-17 Remote Access
+
+The CivicActions Access Control (AC) policy defines policy for remote usage restrictions. The Project Manager or System Owner may additionally provision users according to their Access Control policies.
+
+
+The Project Full Name permits remote access for privileged functions to support operational needs. The technical staff documents, monitors, and controls all methods of remote access to the information system including remote access for privileged functions. Privileged user access is only permitted through the use of Secure Shell (SSH) where the user will authenticate to the device through this secure channel. Virtual Private Networking (VPN) is not enabled in any form within the Project accreditation boundary.
+
+
+### AC-18 Wireless Access
+
+This control is not applicable. The system does not provide wireless access points.
+
+
+### AC-19 Access Control For Mobile Devices
+
+This control is not applicable. The system does not maintain a facility in which mobile device access limitations are required.
+
+
+### AC-20 Use Of External Information Systems
+
+This control is not applicable. The system does not connect with external information systems.
+
+
+### AC-22 Publicly Accessible Content
+
+**a.** The Client Full Name grants certain Project support staff members the authority to post publicly accessible content. These individuals must complete Project system security training before being granted access to the Project and before they can post publicly accessible content within the Project Full Name.
Furthermore, each authorized individual must follow the procedures delineated within the “Using Drupal” Instruction to ensure they are following a verifiable procedure throughout the entire process. This covers the Project Discussion Lists administration areas, Project Quarterly Reporting and training tools, and Drupal Content Management systems. Public content is only edited via the Drupal Content Management System. All other content is only viewable by Project system users and protected by hardened access controls.
+
+**b.** It is the Project responsibility to train authorized Project individuals ensuring publicly accessible information does not contain nonpublic information.
+
+**c.** Authorized Project individuals review the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.
+
+Project Users have been authorized for creation of publicly accessible content with publishing authority from an Administrator role. The publishing authority ensures the information being published does not contain nonpublic information.
+
+**d.** Authorized Project individuals review the content on the publicly accessible information system for nonpublic information at least every 365 days and removes such information.
diff --git a/results/docs/sop/sop-at-awareness-and-training.md b/results/docs/sop/sop-at-awareness-and-training.md
new file mode 100644
index 0000000..b149bfe
--- /dev/null
+++ b/results/docs/sop/sop-at-awareness-and-training.md
@@ -0,0 +1,87 @@
+# Awareness And Training (AT) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [AT-01 Security Awareness And Training Policy And Procedures](#at-01-security-awareness-and-training-policy-and-procedures)
+ - [AT-02 Security Awareness Training](#at-02-security-awareness-training)
+ - [AT-03 Role-Based Security Training](#at-03-role-based-security-training)
+ - [AT-04 Security Training Records](#at-04-security-training-records)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### AT-01 Security Awareness And Training Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Awareness and Training (AT) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+Security awareness and training policy and procedures are formally documented in None, which provides the roles and responsibilities as it pertains to security awareness and training.
The Department will ensure all users, including managers and senior executives, are exposed to basic information system security awareness materials before authorizing access to the system and at least annually thereafter. Client documents and monitors all individual information system security training activities including basic security awareness training. OMB reviews and updates the policy as necessary.
+
+
+### AT-02 Security Awareness Training
+
+Client personnel and contractor employees involved with the management, operation, programming, maintenance, or use of Project system receive training in acceptable computer security practices prior to system access. All Client employees and contractors are required to complete annual IT security awareness training. This security awareness training covers issues and policies associated with information security, including end user security roles and responsibilities and rules of behavior. Some topics addressed in the training are:
+
+- Password protection
+- System rules of behavior
+- Protection of hardware, software, and data
+- Proper handling of copyrighted materials
+- Reporting of security breaches and violations
+- Proper procedures for software installation, uploading, and use on
+ workstations.
+
+
+**a.** Both regular and ad hoc training to all CivicActions personnel, including those who support the system infrastructure and applications, is provided. All employees and contractors must complete Security Awareness training upon being hired and at least annually thereafter. CivicActions Operations staff will not create accounts for individuals until they have successfully completed the trainings. Additional training will be provided as required by system changes. Training takes the following forms:
+
+Annual Knowledge Survey (i.e., Security Awareness Training): All employees are required to review trainings covering Security Awareness.
After the training, a survey-style security awareness test is taken by employees. All CivicActions personnel are required to complete and pass the survey, and new employees are required to pass before being granted access to the Information System. In order to successfully pass the test, a score of 80% is required. This survey tests CivicActions personnel’s knowledge of critical security subjects, policies and procedures. Results from this survey are compiled by the Office of Human Resources and used to refine future training efforts.
+
+Ad Hoc Security Awareness: The CivicActions' Security Office oversees the approximately bi-monthly distribution of security awareness tips and articles to all CivicActions employees. This can include general tips as well as articles tailored to the specific requirements of CivicActions users.
+
+**b.** In the event of a major system change, the Project Manager is responsible for delivering additional training to impacted personnel. Specific training types, mediums, and delivery methods are dependent upon the nature of the system change.
+
+**c.** CivicActions provides annual security awareness training to its personnel.
+
+### AT-03 Role-Based Security Training
+
+Completion of role-based training is an annual requirement for personnel in roles with significant information security responsibilities that require specialized role-based training. Role-based cybersecurity training is developed and implemented to meet identified training needs and competencies associated with the various target audiences/functional roles (federal and contractor employees) that comprise the Client workforce, as is identified in and required by the FISMA and OMB A-130, Appendix III. The appropriate content of security training is determined based on the assigned roles and responsibilities of individuals and the specific security requirements of the Department, PO and the information systems to which personnel have authorized access.
Annual training requirements may be met by completing one or more course(s) within the Department’s learning management systems, participating in instructor-led training provided by the OCIO, or completing an external role-based course or courses offered within their specific functional area of expertise.
+
+
+**a.** CivicActions personnel with security responsibilities are required to complete role-based security training before being provided with access to the information system. The CivicActions' Security Office is responsible for creating the content of the training. The role-based training is provided and tracked by the CivicActions Security Office.
+
+**b.** The Project Manager in collaboration with CivicActions Security Office determines whether a change to the information system requires any modifications and updates to the security awareness training program and if so, works with the CivicActions' Security Office to implement the change.
+
+**c.** CivicActions Security Office provides users with security responsibilities role-based security training on an annual basis. The training is provided and tracked by the CivicActions Security Office.
+
+### AT-04 Security Training Records
+
+**a.** The CivicActions' Security Office tracks all security awareness training within the organization and ensures that all employees have successfully completed training when required. The training records are stored and tracked in a spreadsheet maintained by the CivicActions Security Office.
+
+
+Client documents and monitors all individual information system security training activities including basic security awareness training. New users are required to take security training within 30 days of hire. This information is kept in the appropriate personnel files to verify users have met the training requirements. Training requirement notifications are sent to individuals as deadline for re-training approaches.
+
+**b.** Training records are tracked and maintained by the CivicActions Security Office. Records are maintained permanently.
+
+
+Client maintains training certifications for the specified period.
diff --git a/results/docs/sop/sop-au-audit-and-accountability.md b/results/docs/sop/sop-au-audit-and-accountability.md
new file mode 100644
index 0000000..777d8ff
--- /dev/null
+++ b/results/docs/sop/sop-au-audit-and-accountability.md
@@ -0,0 +1,312 @@
+# Audit And Accountability (AU) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [AU-01 Audit And Accountability Policy And Procedures](#au-01-audit-and-accountability-policy-and-procedures)
+ - [AU-02 Auditable Events](#au-02-auditable-events)
+ - [AU-03 Content Of Audit Records](#au-03-content-of-audit-records)
+ - [AU-04 Audit Storage Capacity](#au-04-audit-storage-capacity)
+ - [AU-05 Response To Audit Processing Failures](#au-05-response-to-audit-processing-failures)
+ - [AU-06 Audit Review, Analysis, And Reporting](#au-06-audit-review-analysis-and-reporting)
+ - [AU-08 Time Stamps](#au-08-time-stamps)
+ - [AU-09 Protection Of Audit Information](#au-09-protection-of-audit-information)
+ - [AU-11 Audit Record Retention](#au-11-audit-record-retention)
+ - [AU-12 Audit Generation](#au-12-audit-generation)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### AU-01 Audit And Accountability Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Audit and Accountability (AU) Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+The Project maintains a record of system activity by application process and by user activity. Audit and accountability policy and procedures are documented within the Project SSP. Security software features are used to automatically generate and store security audit log records for use in monitoring security-related events on all multi-user systems. The Client reviews and updates this policy as necessary and it was last updated in April 2008. Additional information is contained within the None.
+
+
+### AU-02 Auditable Events
+
+**a.** Transaction logs are generated by the Apache web server, Ilias CMS, MySQL database and PHP page processing. Specifically, the following server, application, database and network device audit log events are captured:
+- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These requests include pages, theme files, and static media files.
+- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by general server issues, including capacity problems, .htaccess problems, and missing files.
+- Ilias page request log: Records all Ilias page loads on your website.
+- Ilias log: Records Ilias-related actions on your website. The log is recorded on your server.
+- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to complete.
+- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues reported here are usually caused by a website’s code, configuration, or content.
+
+
+Drupal's Watchdog log are configured to track all relevant auditable events as defined by Client
+
+- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These
+ requests include pages, theme files, and static media files.
+
+- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by
+ general server issues, including capacity problems, .htaccess problems, and missing files.
+
+- Drupal page request log: Records all Drupal page loads on your website.
+- Drupal Watchdog log: Records Drupal-related actions on your website. The Watchdog log is recorded on
+ your database if you have enabled the syslog module.
+
+- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to
+ complete.
+
+- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues
+ reported here are usually caused by a website’s code, configuration, or content.
+
+
+CivicActions' Security Policy provides information about auditing and logging of CivicActions internal users and end-user activity on the servers and within the system application.
+
+
+In this architecture, the following audit methods log all security-relevant user/API activities and Amazon S3 data access activities, and support the capability to audit organizationally defined events:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+**b.** All security-related issues and events, including requests for server log analysis, are recorded in CivicActions' JIRA tracking system.
+
+Auditable events may change due to changes in the threat environment. CivicActions teams collaborate internally and also communicate with customers and partner organizations to identify and select auditable events. The teams that participate in this process are described in control SA-3(b).
+
+**c.** CivicActions has extensive experience and specialization as a host of websites that are built using the Ilias web learning platform. Should the need for additional logging become evident, we have the ability to do so by modifying the website's source code to insert additional Ilias logging hooks.
+
+
+In this architecture, the following audit methods provide data on activities occurring within the infrastructure:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+**d.** Information captured in the transaction logs includes, but is not limited to, the following auditable
+events:
+- Failed login attempts
+- Successful login attempts
+- New user account creation
+- Password reset instructions mailed
+- User logins via a one-time login link
+- Content creation
+- Content publishing
+- Web page not found
+- Website configuration changes
+- System administration activities
+- Slow query logs.
+- PHP error logs: Captures any errors logged during execution of the PHP programming
+ language.
+
+
+Information captured in the transaction logs includes, but is not limited to, the following auditable events:
+
+- Failed login attempts
+- Successful login attempts
+- User account deletions
+- User account blocking/unblocking
+- Changes in user role assignments
+- Unauthorized attempts to alter protected user fields
+- New user account creation
+- Password reset instructions mailed
+- User logins via a one-time login link
+- User logouts
+- Content creation (datasets, resources and other content types)
+- Content modification
+- Content deletion
+- Content publishing
+- Content unpublishing
+- File uploads
+- Web page not found
+- Website configuration changes
+- System administration activities
+- Slow query logs.
+- PHP error logs: Captures any errors logged during execution of the PHP programming language.
+
+
+In this architecture, the following audit methods log all security-relevant events and errors related to IAM user and API activities, Amazon S3 data access, network access, and Amazon RDS database errors, and support the capability to audit organizationally defined events:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+### AU-03 Content Of Audit Records
+
+The logs collected for Ilias sites include the following types of information:
+- IP number of the request originator
+- Timestamp
+- Username
+- Ilias log message (if applicable)
+- Unique numerical ID of the content being modified (for content creation, modification and deletion events)
+When auditing an Ilias incident, CivicActions' developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events.
+
+
+The logs collected for Drupal sites include the following types of information:
+
+- IP number of the request originator
+- Timestamp
+- Request URL
+- HTTP status code returned
+- Username
+- Drupal Watchdog message (if applicable)
+- Unique numerical ID of the content being modified (for content creation, modification and deletion
+ events)
+
+When auditing a Drupal incident, the CivicActions developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for an after-the-fact investigation of critical systems or security events.
+
+
+In this architecture, the following audit methods generate records with the level of detail specified for the control:
+
+- **AWS CloudTrail logging**: Provides information on activities
+ related to infrastructure changes.
+
+- **Amazon S3 bucket logging**: Provides data on activities related to the
+ access or manipulation of data stored in Amazon S3.
+
+- **Elastic Load Balancing (ELB) logging**: Provides information about
+ requests or connections.
+
+- **Amazon RDS MySQL error logging**: Captures errors encountered by the
+ database engine. In addition, the MySQL general query log can be enabled
+ by the customer organization to capture when clients connect or disconnect
+ and SQL statements received from clients.
+
+
+AWS logging information:
+
+- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
+- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
+- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html
+- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+ http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
+
+- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html
+
+
+### AU-04 Audit Storage Capacity
+
+CivicActions ensures adequate storage capability requirements listed in AU-11 for all events from the application, database, and hosting environment.
+
+
+In this architecture, logs track dynamic capacity growth to accommodate organizationally defined storage capacity requirements. Amazon S3 buckets are established to store audit logs from the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+
+### AU-05 Response To Audit Processing Failures
+
+When notified (e.g., via CloudWatch) of an auditing failure, CivicActions Operations staff will review the causes and take corrective action.
+
+
+**a.** In this architecture, AWS CloudTrail is enabled, and provides the basis for audit processing within the infrastructure.
+
+AWS built-in features include customer alerting of AWS CloudTrail and other service failures through the following:
+
+- AWS Service Health Dashboard (http://status.aws.amazon.com)
+- RSS feeds to which the customer organization can subscribe
+- email
+- alerts sent directly to the AWS account *root user* for critical events
+- AWS internal Incident Response and corporate communications processes
+
+### AU-06 Audit Review, Analysis, And Reporting
+
+**a.** CivicActions security audit data is collected by the AWS CloudWatch monitoring and observability service to support real time and after-the-fact investigation at the application level for the following:
+
+- Indications of inappropriate or unusual activity
+- Assurance that logging is functioning properly
+- Adherence to logging standards identified in this procedure
+
+**b.** Any significant findings observed during the inspection are reported to CivicActions' Security Office. If these are considered to constitute a security incident, then the Incident Response process is invoked as described in the implementation of the Incident Response Plan (IR-8).
+
+### AU-08 Time Stamps
+
+The Project system clocks are synchronized system-wide and provide time stamps with audit records.
+
+
+**a.** AWS includes the Amazon Time Sync Service. Running over Network Time Protocol (NTP), this service synchronizes the time on AWS instances using redundant satellite-connected and atomic clocks in all public AWS regions. The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+**b.** The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:
+
+- AWS CloudTrail logging
+- Amazon S3 bucket logging
+- Elastic Load Balancing (ELB) logging
+- Amazon RDS MySQL error logging
+
+Time stamps are recorded as specified in the ISO 8601 standard. ISO 8601 represents local time (with the location unspecified), as UTC, or as an offset from UTC.
+
+### AU-09 Protection Of Audit Information
+
+CivicActions ensures that audit logs are created, stored and maintained. Developers who have been assigned as members of the CivicActions Security Office are the only CivicActions personnel with logical permission to access and review audit logs.
+
+
+Access to audit data and tools is determined by access control policies for IAM groups and roles. Only users assigned to IAM groups and roles with access to audit data and tools can access them. Additionally, AWS uses server-side encryption on Amazon S3 bucket logs, and maintains them as read-only files.
+
+
+### AU-11 Audit Record Retention
+
+CivicActions audits events from the application, database, and hosting environment, and retains these records for at least 180 days.
+
+
+AWS CloudTrail logs are stored in an Amazon S3 bucket, which dynamically allocates storage capacity to support continuous collection and storage of AWS CloudTrail log data. The storage capacity supports indefinite retention, but with 7 year retention specified, and migration to Amazon Glacier after 90 days in AWS regions where Glacier is available.
+
+
+### AU-12 Audit Generation
+
+**a.** CivicActions ensures audit records are generated for its web and event logs as required in AU-2 and AU-3 for servers, application, database, and network components.
+
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled, but initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) do not have auditing enabled within the OS, as these are for example purposes only.
+
+AWS built-in features of logging mechanisms provide the audit record generation capability for the auditable events defined in AU-2a. by logging all security-relevant IAM user and API activities which address AWS infrastructure components (AWS Products and services), ELB
+
+**b.** The selected auditable events described in AU-2 are coordinated by CivicActions internal admins and client security/operations officers for each component of the production system.
+
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled AWS CloudTrail is enabled to log all available API events automatically within the AWS infrastructure and Amazon S3 bucket logging is enabled to log bucket activity.
+
+AWS built-in features of Identity and Access Management (IAM) allows policy to be applied to privileged users for administrator/audit access, allowing them to modify Amazon CloudWatch alarms, AWS Config rules, and Amazon S3 bucket logging to select the CloudTrail and Amazon S3 events that are to cause notification, alerting and automated reaction.
+
+**c.** CivicActions maintained applications generate audit records for their web and event logs as described in AU-2 and AU-3.
+
+
+In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled. However, the initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) DO NOT have any auditing enabled within the OS, as these are in place for example purposes only.
+
+AWS built-in features of native logging generates audit records with the content defined in AU-3.
+
+AWS logging information:
+
+- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
+- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
+- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html
+- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+
+ http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
+
+- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html
diff --git a/results/docs/sop/sop-ca-assessment-authorization-and-monitoring.md b/results/docs/sop/sop-ca-assessment-authorization-and-monitoring.md
new file mode 100644
index 0000000..29297ee
--- /dev/null
+++ b/results/docs/sop/sop-ca-assessment-authorization-and-monitoring.md
@@ -0,0 +1,139 @@
+# Assessment Authorization And Monitoring (CA) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [CA-01 Security Assessment And Authorization Policies And Procedures](#ca-01-security-assessment-and-authorization-policies-and-procedures)
+ - [CA-02 Security Assessments](#ca-02-security-assessments)
+ - [CA-03 System Interconnections](#ca-03-system-interconnections)
+ - [CA-05 Plan Of Action And Milestones](#ca-05-plan-of-action-and-milestones)
+ - [CA-06 Security Authorization](#ca-06-security-authorization)
+ - [CA-07 Continuous Monitoring](#ca-07-continuous-monitoring)
+ - [CA-09 Internal System Connections](#ca-09-internal-system-connections)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### CA-01 Security Assessment And Authorization Policies And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a certification, accreditation, and security assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Security Assessment and Authorization Policy. This document can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+Project follows the None. The Project System Security Policy (SSP) provides guidance on all aspects of security for the protection of Project information technology resources.
+
+Project will periodically review and update the SSP when there is a significant change to the regulatory, operational, or technical environment.
+
+
+### CA-02 Security Assessments
+
+**a.** CivicActions will develop a security assessment plan (SAP) that describes the security controls and control enhancements under assessment, assessment procedures used to determine effectiveness, the assessment environment, the assessment team, and the assessment roles and responsibilities.
+
+
+The Project Full Name follows the None. The Project Full Name will conduct annual security assessments to comply with FISMA and NIST regulations. Project will draw on NIST Special Publications 800-53A security controls to complete the assessment. All controls and sub-set security controls will be evaluated and a risk assessment will be conducted. The scope of the assessment includes:
+
+1. Security controls and control enhancements under assessment
+2. Assessment procedures to be used to determine security control effectiveness
+3. Assessment environment, assessment team, and assessment roles and responsibilities
+
+**b.** CivicActions will assess the security controls in their system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
+
+All controls assigned and documented in this System Security Plan (SSP) will be tested at least annually or when there is a major change to the system.
+
+**c.** CivicActions will produce a security assessment report that documents the results of the assessment. The Security Assessment Report must contain the results of the assessment, and may also contain recommendations and suggestions for plans of actions and milestones (POA&Ms).
+
+
+The Project Authorizing Official or Designated Representative will create a Security Assessment Report (SAR). A full assessment shall be conducted by an independent third party assessor at least every three years.
+
+**d.** CivicActions will provide the results of the security control assessment to the System Owner, Project Manager, CivicActions Security, and the Authorization Official (AO)). The security control assessment package includes the following:
+
+- Security Control Matrix
+- Privacy Impact Assessment
+- E-Authentication
+- Contingency Plan
+- Configuration Management Plan
+- Rules of Behavior
+- Incident Response Plan
+
+### CA-03 System Interconnections
+
+This control is not applicable. CivicActions systems do not have system interconnections. The only communication conducted to CivicActions' systems is through the Internet.
+
+
+### CA-05 Plan Of Action And Milestones
+
+CivicActions documents all deficiencies and vulnerabilities identified during the security certification and/or continuous monitoring phase (via security assessment, vulnerability scanning, risk assessment, etc.) within the Plan of Action and Milestones (POA&M).
+
+The POA&M document provides a platform for CivicActions to monitor and track the deficiency and its mitigation strategy. POA&M items will include:
+
+- The description of the deficiency,
+- Dedicated point of contact for this deficiency.
+- Cost of the mitigation strategy
+- Associated risk and NIST control
+- Recommended mitigation strategy
+
+POA&Ms are tracked throughout the lifecycle of the system until its mitigation. All POA&Ms are reviewed on a monthly basis by CivicActions Information System Security Officer to ensure all mitigation strategies are continuing as documented.
+
+
+The Project follows the None procedures in managing POA&Ms.
+
+
+### CA-06 Security Authorization
+
+The Project follows the None. The Project system received its first three-year security accreditation on March 3, 2009, and most recently received an ATO on February 5, 2016.
+
+ATO re-assessment will be performed every three years or when there is a major change to the application, in which a senior organizational official will sign and approve the security accreditation.
+
+
+### CA-07 Continuous Monitoring
+
+**a.** CivicActions follows recommendations and best practices developed by the Ilias community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3.
+
+CivicActions follows recommendations and best practices developed by the Drupal community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3.
+
+
+CivicActions implements a continuous monitoring strategy that incorporates configuration management, system scanning and log analysis processes:
+
+- Configuration management includes the assessment of security impact analyses of proposed and implemented changes.
+- System scanning is managed by running the OpenSCAP vulnerability scanner using the DISA STIG profile.
+- Log analysis is managed by feeding logs to a Graylog dashboard for analysis.
+
+**b.** Configuration management and log analysis is carried out in real time. OpenSCAP security scans are performed and reviewed monthly. See also: RA-5 and SI-4.
+
+Quarterly review of the control assessments supporting the monitoring is conducted by CivicActions Operations in collaboration with the CivicActions Security Office.
+
+**c.** CivicActions works closely with the Ilias security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed.
+
+CivicActions works closely with the Drupal security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed.
+
+**d.** CivicActions conducts or oversees continuous system security monitoring.
+
+**e.** CivicActions Security reviews the results of the security scans and security assessments with associated JIRA and/or GitLab Issue tickets created to correlate and analyze security-related information generated from the monitoring tools becoming POA&M items for tracking.
+
+**f.** POA&M items are tracked by CivicActions Security through JIRA tickets with a security categorization assigned. The information included in the POA&M item include the severity, the due date, the weakness source identifier, and the plugin ID that identified the vulnerability.
+
+**g.** The security status of the system is reported up to the System Owner and Project Manager via the CivicActions Security Office to be reviewed alongside other security issues relating to the system.
+
+### CA-09 Internal System Connections
+
+Not applicable.
diff --git a/results/docs/sop/sop-cm-configuration-management.md b/results/docs/sop/sop-cm-configuration-management.md
new file mode 100644
index 0000000..7e25629
--- /dev/null
+++ b/results/docs/sop/sop-cm-configuration-management.md
@@ -0,0 +1,131 @@
+# Configuration Management (CM) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [CM-01 Configuration Management Policy And Procedures](#cm-01-configuration-management-policy-and-procedures)
+ - [CM-02 Baseline Configuration](#cm-02-baseline-configuration)
+ - [CM-04 Security Impact Analysis](#cm-04-security-impact-analysis)
+ - [CM-06 Configuration Settings](#cm-06-configuration-settings)
+ - [CM-07 Least Functionality](#cm-07-least-functionality)
+ - [CM-08 Information System Component Inventory](#cm-08-information-system-component-inventory)
+ - [CM-10 Software Usage Restrictions](#cm-10-software-usage-restrictions)
+ - [CM-11 User-Installed Software](#cm-11-user-installed-software)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### CM-01 Configuration Management Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Configuration Management (CM) Policy. 
This document can be found in the CivicActions Compliance Docs GitHub repository at .
+Configuration changes are overseen by the Change Control Board (CCB) consisting of the System Owner, Project Manager, CivicActions Operations staff and the engineering team.
+
+
+The configuration management policy and procedures are formally documented in the Project Configuration Management Plan (CMP), which provides the roles and responsibilities as it pertains to physical and environmental protection. It defines responsibilities for the implementation and oversight of the guidance contained herein. Client reviews and updates the policy as necessary.
+
+
+### CM-02 Baseline Configuration
+
+The baseline configuration is maintained in Git and described in the Configuration Management Plan, which describes the change workflow and software configuration. In the context of Security Configuration Management, the baseline configuration is a collection of formally approved configuration state(s) of one or more configuration items ("features") that compose the system. The baseline configuration is used to restore and serves as the basis against which the next change or set of changes to the system is made.
+The features for the system are maintained in the website's source code, which is managed in Git, a source code version control system. Once the source code is updated, Git maintains the new version of staged code once committed in the Git repository as the new baseline. All code prior to it being staged is documented, tested and approved by CivicActions Development, which is described in control SA-3. The production environment is configured to take database snapshots daily.
+
+
+A current baseline configuration is always available - stored as a tag in the Git repository - such that the site can be regenerated or rolled back should unauthorized or failing changes be applied.
+
+
+Hardware Baselines
+
+All hardware is maintained by the AWS cloud. 
The system inherits hardware configuration aspects of this control from the FedRAMP Provisional ATO granted to AWS, dated 1 May 2013, for the following: baseline configuration.
+
+
+A CM process has been established and documented in the Project CMP. All updates are made in accordance with the procedures outlined in the CMP. The CM process establishes a baseline of hardware, software, firmware and documentation, as well as changes thereto, throughout the development and life cycle of the information system. CM ensures the control of the information system through its life cycle. It assures that additions, deletions, or changes made to the Project system do not unintentionally or unknowingly diminish security. If the change is major, the security of the system must be re-analyzed.
+
+
+### CM-04 Security Impact Analysis
+
+Security impact analysis is conducted and documented within the Change Request (CR) process described in CM-3(b). All proposed configuration- controlled changes to the application are tested first in a sandboxed development environment before being pushed to a staging environment to be tested by another developer and by the Engineering team prior to final approval from CCB to move changes to the production environment.
+
+
+An Information Security Program is in place to ensure all security-centric impacts to the Project are properly analyzed and conducted by personnel with information security responsibilities (i.e., Project SSO, IT Security Officer, etc.). These individuals have the appropriate skills and technical expertise to analyze the changes to the Project and their associated security ramifications. In support of continuous monitoring and to ensure the Project system lifecycle is fully sustained, a risk assessment process, be it formal or informal, is performed when changes are occur. This ensures that Client Full Name understands the security impacts and can determine if additional security controls are required. 
+
+
+### CM-06 Configuration Settings
+
+**a.** The Project is configured in compliance with the applicable baseline security standards. The Department and its technical support staff configure the security settings of all IT products to the most restrictive mode consistent with information system operational requirements. Project utilizes the NIST Special Publication 800-70 for guidance on configuration settings (checklists) for information technology products. When security setting checklist are not available from NIST for a particular device, good security engineering practices along with manufacture guidelines is used to develop the security settings. The CM Manager conducts configuration audits to ensure baseline compliance and documentation of hardware/software configurations throughout the system lifecycle.
+
+**b.** CivicActions developers follow security best practices according to the guidelines set by the CivicActions Security Office.
+
+
+Configuration settings are implemented, monitored, and controlled in accordance with the organizational Configuration Management Plan for the security configuration management processes and tools.
+
+**c.** Currently, deviations do not exist for established configuration settings. In the event this changes, the following notes the process that will take place.
+The CivicActions CCB, identifies, approves, and documents exceptions to mandatory configuration settings for individual components within its cloud offering only when operationally necessary. All variances identified during the monthly and annual system testing scans that must be accepted for operational purposes are tracked.
+
+**d.** All changes to the configuration settings are logged in the Git source code version control system, which records the identity of the developer who committed each change. Version control is enforced, with previous tagged code releases kept for rollback purposes. 
+
+### CM-07 Least Functionality
+
+**a.** In this architecture, only essential capabilities for a multi-tiered web service are configured. AWS Identity and Access Management (IAM) baseline Groups and Roles are configured to support restricted access to AWS resources by privileged users and non-person entities (Amazon EC2 systems operating with a role) authorized and assigned by the organization.
+
+
+Services are limited to provide only essential capabilities.
+
+**b.** In this architecture, ports, protocols, and services are restricted to those that are required for a multi-tiered web service, via AWS security group rules.
+
+
+The Project maintains strict default deny policy with access controls at the firewall, and on individual systems. Inbound access across the system boundary is only allowed on ports 22 (ssh), 80 (http) and 443 (https), with an additional port, 25 (smtp) open on the mail server.
+
+### CM-08 Information System Component Inventory
+
+The software inventory for the application is maintained in the codebase stored CivicActions' Git source code version control system. It consists of the following components:
+- The Ilias open-source web learning management system
+- Ilias add-on modules, themes, and libraries available from the Ilias.de website which extend Ilias core
+- Custom code written by CivicActions' developers
+The inventory is reviewed monthly by CivicActions Product Engineering teams in accordance with the Configuration Management Plan.
+Website content is backed up daily using CPM snapshots. This allows CivicActions to build an inventory of the system on demand.
+
+
+**a.** AWS built-in features dynamically build and maintain an inventory of system components (infrastructure inventory)
+
+1. AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the customer account and provides a single view for granularity for tracking and reporting.
+2. 
AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the AWS account, and AWS CloudFormation creates a unique set of stack names, and associated resource names incorporate the stack name, for tracking components deployed by CloudFormation templates that align with an authorization boundary.
+3. AWS built-in features provide a level of granularity for tracking and reporting on all infrastructure system and network components and configuration settings for those components.
+4. AWS built-in features provide all available information about all infrastructure system and network components to achieve effective component accountability.
+
+**b.** AWS built-in features provides a dynamically updated inventory of all infrastructure system and network components within the customer account. The AWS management console and AWS API calls support the capability for the organization to review the inventory.
+
+### CM-10 Software Usage Restrictions
+
+Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law.
+
+Drupal is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law.
+
+
+### CM-11 User-Installed Software
+
+**a.** All software installed in the system environment must be first approved via the CCB resulting in a Change Request (CR) being initiated and executed. Software installation on the computing nodes within the authorization boundary is restricted to administrators. All CivicActions internal administrators are informed of this during their initial training and as part of the rules of behavior document. 
+
+**b.** CivicActions enforces software installation policies through required acknowledgment and sign-off on acceptable use policy by CivicActions personnel. CivicActions Development is responsible for enforcing compliance with the acceptable use policy.
+
+**c.** CivicActions monitors policy compliance continuously via the code release planning and quality control systems built into the System Development Life Cycle described in control SA-3.
diff --git a/results/docs/sop/sop-cp-contingency-planning.md b/results/docs/sop/sop-cp-contingency-planning.md
new file mode 100644
index 0000000..3be42f9
--- /dev/null
+++ b/results/docs/sop/sop-cp-contingency-planning.md
@@ -0,0 +1,106 @@
+# Contingency Planning (CP) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [CP-01 Contingency Planning Policy And Procedures](#cp-01-contingency-planning-policy-and-procedures)
+ - [CP-02 Contingency Plan](#cp-02-contingency-plan)
+ - [CP-03 Contingency Training](#cp-03-contingency-training)
+ - [CP-04 Contingency Plan Testing](#cp-04-contingency-plan-testing)
+ - [CP-09 Information System Backup](#cp-09-information-system-backup)
+ - [CP-10 Information System Recovery And Reconstitution](#cp-10-information-system-recovery-and-reconstitution)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### CP-01 Contingency Planning Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in Contingency Planning (CP) Policy and Procedure that can be found in the CivicActions Compliance Docs GitHub repository at .
+
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. 
+
+The Project and has developed a contingency planning policy consistent with NIST 800-34. Contingency planning procedures are formally documented within the Project Contingency Plan, which provides the roles and responsibilities as it pertains to contingency planning. The Project reviews and updates the policy as necessary and the policy was last updated in July 2012.
+
+
+### CP-02 Contingency Plan
+
+**a.** CivicActions has developed a contingency plan for that addresses:
+1. Essential missions, business functions, and associated contingency requirements
+2. Recovery objectives, restoration priorities, and metrics
+3. Roles and responsibilities are identified in the CP and include the ISCP Director, Incident Commander (IC), CivicActions Coordinator, and CivicActions Information System Security Officer (ISSO).
+4. Maintaining essential missions and business functions despite an information system disruption, compromise, or failure
+5. Full information system restoration without deterioration of the security safeguards originally planned and implemented
+6. The ISCP is reviewed and approved by ISCP Director, Incident Commander (IC), CivicActions ISSO and the System Owner annually.
+
+**b.** The CivicActions Information System Contingency Plan (ISCP) has been distributed to all CivicActions team members. The ISCP can be found in the CivicActions Handbook at .
+
+
+The Project Information System Contingency Plan (ISCP) has been distributed to all members who have roles in Contingency Planning and Incident Response Team. Direction by the System Owner will update who is required to receive a copy of the contingency plan. The ISCP can be found in the Project GitHub wiki at .
+
+**c.** The Information System Contingency Plan (ISCP) is closely integrated with the Incident Response Plan (IRP). Coordination is the responsibility of the ISCP Director and CivicActions Operations staff. 
+
+**d.** The ISCP Director and CivicActions' Security Office are responsible to review the ISCP annually and when a change to the system occurs.
+
+**e.** CivicActions Operations staff and ISCP Director are required to update the ISCP to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
+
+**f.** The ISCP requires that changes to the plan be communicated to those on the Incident Response/Contingency Plan Contact List.
+
+**g.** The ISCP is available on CivicActions GitHub repository. This repository provides the configuration management capabilities for the ISCP to be protected from unauthorized disclosure and modification.
+
+### CP-03 Contingency Training
+
+The ISCP stipulates that all CivicActions system assigned roles in the Contingency Plan Team are trained in their duties within three months of first being assigned a role in the CP, and then annually thereafter or when changes are required. CivicActions uses the Contingency Plan as described in controls CP-1 and CP-2 as a basis for personnel contingency training.
+
+
+### CP-04 Contingency Plan Testing
+
+Real-world tests of the contingency plan will be held at least annually, with supplemental tests (checklist/table-top) as needed for specific scenarios. The ISCP Coordinator is responsible to facilitate annual testing exercises. The testing process for the ISCP includes a review of the ISCP, exercise, and identification of corrective actions and other improvements.
+
+
+### CP-09 Information System Backup
+
+**a.** CivicActions conducts system user-level information backup in accordance with requirements (at a minimum, incremental backups must be conducted at least weekly and full backups must be conducted at least monthly).
+
+
+In this architecture, user data is limited to that which is stored in the Amazon RDS database. 
Amazon RDS is fully backed up by a daily snapshot as well as through transaction logging conducted by AWS as part of this managed service. Full database recovery from snapshot or point-in-time can be initiated from the Amazon RDS console/API.
+
+**b.** System-level information for the application is replicated and backed up in the same way as user-level information as defined in CP-9(a).
+
+
+AWS built-in features automatically backs up system-level information limited to infrastructure CONFIGURATION information within the AWS account. While individual running Amazon EC2 instances and attached EBS volumes are NOT backed up, they can be reconstituted from Amazon Machine Images (AMIs) provided by AWS (which are backed up by AWS) and user data scripts included in CloudFormation templates. Once deployed, the CloudFormation template contents are backed up by AWS R488within the CloudFormation service. These AWS backups of AWS services are transparent to the customer as part of AWS backend processes.
+
+**c.** System documentation is backed up from the GitHub repository on a daily basis with a minimum two-week retention period and off-site storage.
+
+
+AWS built-in features back up online administrator and developer documentation, limited to that which is published at https://aws.amazon.com/documentation.
+
+**d.** CivicActions employees must authenticate prior to being granted access to the GitHub repository. Roles and responsibilities within GitHub determine the proper level of access for the documentation being accessed. The folder structure of GitHub protects though permissions and ownership prohibiting users from accessing unauthorized documentation.
+
+
+AWS built-in features protect the confidentiality, integrity, and availability of information that AWS services back up. 
This information includes the service configuration information within an account, AWS online administrator and developer documentation, and AWS CloudFormation stacks for templates once deployed into an account. R612
+
+### CP-10 Information System Recovery And Reconstitution
+
+The Contingency Plan documents the mechanisms with supporting procedures that allow all system components to be recovered and reconstituted to the system’s original state after a disruption or failure. This original state means that all system parameters (either default or organization- established) are reset, patches are reinstalled, system and security configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled, information from the most recent backups is available and the system is fully tested.
diff --git a/results/docs/sop/sop-ia-identification-and-authentication.md b/results/docs/sop/sop-ia-identification-and-authentication.md
new file mode 100644
index 0000000..40a4b52
--- /dev/null
+++ b/results/docs/sop/sop-ia-identification-and-authentication.md
@@ -0,0 +1,308 @@
+# Identification And Authentication (IA) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [IA-01 Identification And Authentication Policy And Procedures](#ia-01-identification-and-authentication-policy-and-procedures)
+ - [IA-02 Identification And Authentication (Organizational Users)](#ia-02-identification-and-authentication-organizational-users)
+ - [IA-02(1) Network Access To Privileged Accounts](#ia-021-network-access-to-privileged-accounts)
+ - [IA-02(12) Acceptance Of Piv Credentials](#ia-0212-acceptance-of-piv-credentials)
+ - [IA-04 Identifier Management](#ia-04-identifier-management)
+ - [IA-05 Authenticator Management](#ia-05-authenticator-management)
+ - [IA-05(1) Password-Based Authentication](#ia-051-password-based-authentication)
+ - [IA-05(11) Hardware Token-Based Authentication](#ia-0511-hardware-token-based-authentication)
+ - [IA-06 Authenticator Feedback](#ia-06-authenticator-feedback)
+ - [IA-07 Cryptographic Module Authentication](#ia-07-cryptographic-module-authentication)
+ - [IA-08 Identification And Authentication (Non-Organizational Users)](#ia-08-identification-and-authentication-non-organizational-users)
+ - [IA-08(1) Acceptance Of Piv Credentials From Other Agencies](#ia-081-acceptance-of-piv-credentials-from-other-agencies)
+ - [IA-08(2) Acceptance Of Third-Party Credentials](#ia-082-acceptance-of-third-party-credentials)
+ - [IA-08(3) Use Of Ficam-Approved Products](#ia-083-use-of-ficam-approved-products)
+ - [IA-08(4) Use Of Ficam-Issued Profiles](#ia-084-use-of-ficam-issued-profiles)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all 
systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### IA-01 Identification And Authentication Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained by the CivicActions Identification and Authentication (IA) Policy. This document can be found in the CivicActions GitHub repository at .
+
+
+The Project system owners/managers manage user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate official; (iv) ensuring that the user identifier is issued to the intended party; (v) disabling user identifier after a reasonable period of inactivity as documented in its security procedures; and (vi) archiving user identifiers. Project reviews and updates this policy as necessary.
+
+
+### IA-02 Identification And Authentication (Organizational Users)
+
+AWS built-in features of Identity and Access Management (IAM) provides the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users operating within the AWS account and infrastructure, providing privileges based on the credentials, group memberships, and access policies assigned to them. 
The customer organization, at its discretion, provides individual user accounts and privileges to both organizational non-organizational users in addition to organizational users.
+
+
+### IA-02(1) Network Access To Privileged Accounts
+
+Drupal administrators and other roles with unrestricted access to live content and/or user accounts are required to use two-factor authentication. See artifact None
+
+
+CivicActions system administrators employ a personal public- key pair for basic access and must originate from a whitelisted IP address. The whitelist is maintained by an Ansible inventory file, the current complete list (includes dev sites) of users with whitelisted IPs is in artifact: None
+
+To access root (sudo) privileges an additional password is required. The passwords are maintained in encrypted form in the Ansible inventory file. The mechanism to enable select users to use a password to obtain root access can be viewed in artifact: None
+
+
+The Project employs multi-factor authentication for privileged users.
+
+
+### IA-02(12) Acceptance Of Piv Credentials
+
+The Project system allows users to access the system using Common Access Cards (CAC).
+
+
+### IA-04 Identifier Management
+
+**a.** Upon account creation, the Ilias software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted.
+
+Upon account creation, the Drupal software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused even if their user accounts are subsequently blocked or deleted.
+
+
+Access to the system is authorized by the System Owner or Project Manager for each role as described in AC-2. 
+
+**b.** When Ilias user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements.
+
+When Drupal user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password which must meet the system's password complexity requirements.
+
+
+User accounts are assigned a unique identifier in the form of a unique username, password and email address based on the system for allocating user accounts described in AC-2.
+
+In accordance with CivicActions Identification and Authentication (IA) Policy outlined at , CivicActions internal users are uniquely identified by the creation of an organizational account with a username based on each user's first and last names.
+
+**c.** Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account.
+
+Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account.
+
+
+User accounts are assigned a unique identifier in the form of a unique username, password and email address based on the system for allocating user accounts described in AC-2.
+
+**d.** Ilias user's unique identifier (the numeric user ID, or UID) is never reused.
+
+Drupal user's unique identifier (the numeric user ID, or UID) is never reused.
+
+Account usernames may not be re-used for at least two years.
+**e.** All user accounts are required to change their passwords every 90 days. 
The website will automatically block the accounts of users who fail to change their password within that time period, after which the account may only be unblocked by a website Administrator or CivicActions Operations staff.
+
+### IA-05 Authenticator Management
+
+**a.** Refer to control AC-2 in this SSP for further details on account provisioning.
+CivicActions will create and maintain an initial Ilias Administrator (highest level of Ilias Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create.
+
+
+Refer to control AC-2 in this SSP for further details on account provisioning.
+CivicActions will create and maintain an initial Drupal Administrator (highest level of Drupal Account). New Administrators are able to provide additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create.
+
+
+Authentication for Project internal personnel are created during the personnel assignment process where requests are made to the Project admin group for proper access levels. The Project admin group verifies the identity of the user. The website performs further verification by sending an email to the user's mailbox containing a single-use activation link which must be used to log in to the account for the first time and to create a password.
+
+**b.** Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy.
+
+Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. 
Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy.
+
+
+Project admins in collaboration with CivicActions Operations are responsible for provisioning and de-provisioning end user accounts in compliance with the authentication requirements described herein.
+
+**c.** The system partially inherits this control from Ilias standard password strength mechanisms.
+
+The system partially inherits this control from Drupal standard password strength mechanisms.
+
+When entering a user account password upon initial login, all users must comply with the following password policies, which are enforced by the website's software configuration:
+
+- Password must be at least 14 characters in length.
+- Password must contain at least one digit.
+- Password must contain at least one special character (not whitespace or an alphanumeric).
+- Password must contain at least one uppercase character.
+- Password must contain at least one lowercase character.
+
+**d.** The system partially inherits this control from Ilias standard password management.
+All password creation/change/reset operations are recorded in the website's Ilias logs.
+
+
+The system partially inherits this control from Drupal standard password management. All password creation/change/reset operations are recorded in the website's "Drupal Watchdog" logs.
+
+
+Project is responsible for provisioning and de-provisioning end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5(d).
+
+In accordance with Project site configuration, the following administrative procedures exist for initial authenticator distribution, for lost/compromised/damaged authenticators, and for revoking authenticators. 
+ +- Initial authenticator distribution: Users receive a one-time login link + by email upon creating of their user account. They use that link to log + in and then must enter a password themselves which complies with the + password complexity requirements described in IA-4(b). + +- Lost/compromised/damaged authenticators: Users who have forgotten their + password may request a new password by submitting their username or + email address. The website responds by emailing a one-time login link + to the user's email address. After using the link to log in, the user + is required to enter a new password. + +- Revoking authenticators: Users who have not changed their password in + the last 90 days are automatically blocked. Administrators may block + any user account if they believe there is a reason to do so. + +**e.** Ilias requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. + +Drupal requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database. + +**f.** Project authenticators follow these password lifetime restrictions: + +- Maximum password age = 90 +- Minimum password age = 1 +- Password reuse restriction = 10 + +**g.** Project enforces password lifetime restrictions. 
The password lifetime settings for internal accounts is as follows: + +- Minimum restriction of zero (1) days and +- Maximum restriction of ninety (90) days before a password change is required. + +**h.** For all Ilias users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. + +For all Drupal users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone. + +**i.** Ilias users are required to take appropriate measures in the handling of passwords including: +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. + + +Drupal users are required to take appropriate measures in the handling of passwords including: + +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons. 
+ + +CivicActions users are required to take appropriate measures in the handling of passwords including: + +- Not transmitting user names and passwords together in an unencrypted format +- Not permitting the sending of passwords in an unencrypted format via email +- Not listing passwords in tickets +- Not writing down or storing passwords in a readable form in any physical or logical + location where they may be discoverable by unauthorized persons. + +**j.** This control is not applicable due to the fact that group accounts are not created within the Ilias application per IA Policy. + +This control is not applicable due to the fact that group accounts are not created within the Drupal application per IA Policy. +### IA-05(1) Password-Based Authentication + +Project is responsible for provisioning and de-provisioning end user accounts, which must comply with the strict password policies that are enforced by the website's software configuration, as described in IA-5. + + +**a.** Ilias supports the requirement for password-based authentication complexity. New users of Ilias are required to specify their password authentication as soon as they log in to the website for the first. The website requires all submitted passwords to comply with validation rules, as described above in IA-5(c). +Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by {'name': 'CivicActions, Inc', 'name_short': 'CivicActions', 'address': {'street': '3527 Mt Diablo Blvd, Unit 269', 'city': 'Lafayette', 'state': 'CA', 'zip': 94549, 'country': None}, 'phone': '510-408-7510', 'website': 'www.civicactions.com', 'compliance_docs_url': 'https://github.com/CivicActions/compliance-docs', 'email_support': 'support@civicactions.com', 'security_policy_url': 'https://github.com/CivicActions/security-policy'}' Change Control Board before being implemented. 
+ + +Drupal supports the requirement for password-based authentication complexity. New users of Drupal are required to specify their password authentication as soon as they log in to the website for the first. The website requires all submitted passwords to comply with validation rules, as described above in IA-5(c). +Changing password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by CivicActions Change Control Board before being implemented. + + +AWS built-in features of Identity and Access Management (IAM) provides minimum password complexity enforcement, but the characteristics to enforce must be manually configured by the customer. Refer to + +**b.** When required to change passwords, Ilias users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. + +When required to change passwords, Drupal users are required to change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration. + +**c.** All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + +All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + +AWS built-in features of AWS Identity and Access Management (IAM) and the AWS Console store passwords on AWS systems in a cryptographically-protected format and only support TLS connectivity to the console web site to protect passwords in transit via encryption. 
+ +**d.** The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). + +The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g). +**e.** Password reuse is limited through software configuration. + +Password reuse is limited through software configuration. +**f.** When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. + +When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further. + + +AWS built-in features of AWS Identity and Access Management (IAM) provides the capability to require new password to be entered upon login. The customer organization, at its discretion, configures IAM to enforce that requirement. + +### IA-05(11) Hardware Token-Based Authentication + +AWS built-in features of AWS Identity and Access Management (IAM) provides the capability for Hardware MFA using Gemalto SafeNet IDProve 100 and 700 OTP Tokens which are compliant to OATH open standard (time based - 6 digits) Expected battery life is 3-5 years or approximately 15,000 - 20,000 clicks. These products are handheld devices that provide strong authentication by generating a unique password that is valid for only one attempt and for 30 seconds. + +It is the customer organization's responsibility to implement Hardware MFA. Refer to and + + +Project does not support physical hardware token-based authentication. Therefore this control is Not Applicable. 
+ + +### IA-06 Authenticator Feedback + +Feedback of authentication information is obscured during the authentication process into the Ilias application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. + +Feedback of authentication information is obscured during the authentication process into the Drupal application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS. + + +In this architecture, All Amazon EC2 instances (bastion host, web/proxy servers, application servers) employ SSH for interactive login, and when a key passphrase is prompted for, the SSH prompting mechanism obscures the feedback by default. + +AWS built-in features obscure keystroke feedback for password input during AWS console login with AWS Identity and Access Management (IAM) user credentials, and when the CloudFormation console prompts for an initial database password during Quick Start template deployment. + + +### IA-07 Cryptographic Module Authentication + +All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + +All Drupal passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS. + + +AWS built-in features of AWS Identity and Access Management (IAM) authentication employs cryptographic modules that meet requirements as specified and assessed in the AWS FedRAMP authorization package. 
+ + +**j.** CivicActions systems employ authentication methods consistent with NIST FIPS 140-2 requirements. General public access to system web pages does not require cryptographic authentication. Privileged users accessing systems use the public-key cryptographic functionality of Secure Shell (SSH) to encrypt the exchange of information (including the password) between the remote user and the server. Where Transport Layer Security (TLS, aka SSL) is used, cryptographic modules will be configured in accordance with FIPS 140-2. + +### IA-08 Identification And Authentication (Non-Organizational Users) + +AWS built-in features of AWS Identity and Access Management (IAM) provide the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users, providing privileges based on the credentials, group memberships, and access policies assigned to them. + +The customer organization at its discretion provides user accounts and privileges to both organizational non-organizational users in addition to organizational users. + + +### IA-08(1) Acceptance Of Piv Credentials From Other Agencies + +Project allows the use of customer agency supplied Common Access Cards (CAC). + + +### IA-08(2) Acceptance Of Third-Party Credentials + +Project does not utilize FICAM approved credentials. + + +### IA-08(3) Use Of Ficam-Approved Products + +Project does not utilize FICAM approved products. + + +### IA-08(4) Use Of Ficam-Issued Profiles + +CivicActions does not utilize FICAM approved products or profiles. diff --git a/results/docs/sop/sop-ir-incident-response.md b/results/docs/sop/sop-ir-incident-response.md new file mode 100644 index 0000000..cacd3c1 --- /dev/null +++ b/results/docs/sop/sop-ir-incident-response.md 
@@ -0,0 +1,159 @@ +# Incident Response (IR) Standard (SOP) + +*Reviewed and updated 2025-01-31* + +---- + +**Table of Contents** + + +- [Introduction](#introduction) + - [Purpose](#purpose) + - [Scope](#scope) +- [Standards](#standards) + - [IR-01 Incident Response Policy And Procedures](#ir-01-incident-response-policy-and-procedures) + - [IR-02 Incident Response Training](#ir-02-incident-response-training) + - [IR-04 Incident Handling](#ir-04-incident-handling) + - [IR-05 Incident Monitoring](#ir-05-incident-monitoring) + - [IR-06 Incident Reporting](#ir-06-incident-reporting) + - [IR-07 Incident Response Assistance](#ir-07-incident-response-assistance) + - [IR-08 Incident Response Plan](#ir-08-incident-response-plan) + + + +---- + +## Introduction + +### Purpose + +The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project. + +### Scope + +This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system. + +## Standards + +### IR-01 Incident Response Policy And Procedures + +CivicActions has developed, documented and disseminated to personnel an incident response planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in Incident Response (IR) Policy and Procedure that can be found in the CivicActions Compliance Docs GitHub repository at . 
+ + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013. + + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + +The Project maintains an Incident Response Plan (IRP), consistent with NIST 800-61, which addresses purpose, scope, roles, and responsibilities. The incident response procedures address any activity or occurrence that compromises the integrity of a system, denies access to or use of IT resources, and compromises the sensitivity of the information stored in, processed by or transmitted by a system. + +Additionally, the IRP includes procedures to respond to waste, fraud, misuse, or abuse of any departmental IT system, damage or loss of software or data contained in any system, Use of unlicensed (pirated) software products, discovery of hardware or software vulnerabilities + +The Project Incident Response Plan can be found in the CivicActions GitHub repository at + + +### IR-02 Incident Response Training + +All CivicActions employees are required to participate in incident response training, as required by Incident Response Plan changes, and annually. The CivicActions Incident Response Plan () is the basis for the training and the incident response workflow created by the Security Office. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. + + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response training. + + +CivicActions Operations and users of the Project system with incident response responsibilities are required to participate in incident response training once the role is assumed within 10 days, as required by Project changes, and annually. 
The Incident Response Plan () is the basis for the training and the incident response workflow created by the Security team. Upon a review of past incidents, the training is updated to ensure processes and workflows are updated. + + +### IR-04 Incident Handling + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident handling. + + +The Client Computer Security Officer (CSO) handles all incidents for the Project Full Name. + +The Client Full Name utilizes proven incident handling methodologies for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Client Full Name maintains a list of lessons learned from ongoing incident handling activities and uses those lessons to update the incident response procedures accordingly. + +Preparation activities includes all CivicActions and Project internal users are trained if their role includes incident response. Detection monitoring tools providing notification to incident response personnel for analysis and action. Containment, eradication and recovery activities include AWS and LAMP-stack inherited fixes and Project system administrators adjusting IP port blocking security groups and SELinux policies. + + +**a.** CivicActions has implemented an Incident Response Plan () that explains the process for incident handling and discusses preparation, detection and analysis, containment, eradication, and recovery. +Preparation activities include all CivicActions team members who are trained in incident response. Detection and monitoring tools providing notification to incident response personnel for analysis and action. + +**b.** CivicActions' Operations staff and Security Office team members are members of the CivicActions Contingency and Incident Response Plan teams which coordinates activities accordingly through the life of the incident event. 
+ +**c.** The CivicActions Operations staff and Security Office conduct a post-incident analysis to assist in documenting lessons learned and suggesting changes to improve the incident response process. Tickets created in response to the incident event are reviewed upon completion by the Operations staff and Security Office. Changes to the Incident Response Plan () require a team review session for approval. + +### IR-05 Incident Monitoring + +CivicActions utilizes the JIRA ticketing tool for tracking and reporting of incident events from reporting to resolution and post- incident analysis. Initial reporting can come from continuous monitoring tools as well as client and public submissions made to support@civicactions.com. Jira processes the tickets for the public submissions and the CivicActions Support Team creates associated GitHub Issues. Internal incidents reported are processed within the GitHub Issue queue. Details of the handling procedures are included in the CivicActions Incident Response Plan () Response Process. + + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident monitoring. + + +The Project utilizes network and host-based intrusion detection systems, monitoring the system and application logs for anomalous events. Incidents are tracked using the same ticketing system that is used to track all system-related changes and events. + + +### IR-06 Incident Reporting + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident reporting. + + +If an incident involves suspicious activity, CivicActions Operations will contact the Project System Owner who may then contact the Project CSO. + +The CivicActions Computer Security Officer (CSO) handles all incidents for the Project. The CSO is prepared to report all incidents to the Client Full Name. 
+ + +**a.** CivicActions personnel, as soon as an incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. Methods of detection and/or communication may include one or more of: + +- Through continuous monitoring tools (StatusCake, OSSEC, others). +- As a result of application notifications where CivicActions Security + receives notifications (AIDE, OpsGenie, others). + +- Event logging described in AC-2 +- Host-based alerts from the cloud infrastructure or platform. + +**b.** CivicActions personnel, as soon as the incident event is detected and/or communicated, are required to report the incident event to the CivicActions Security Office. + +### IR-07 Incident Response Assistance + +CivicActions Help Desk team provides first response assistance to any users of the system. Response time for external reporting of incidents through e-mail is one business day. Internal users are able to request support thought the same process or initiate the incident response workflow. Tickets created in the Jira (customer ticketing system) and GitLab (internal ticketing system) documents all details related to the incident to assist the Incident Response Teams in handling the incident. + + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response assistance. + + +### IR-08 Incident Response Plan + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response plan. + + +The Project Incident Response Plan () includes a comprehensive incident response program, which details the implementation of procedures and tools required for incident handling. The incident response program details the roles and responsibilities of Project/ CivicActions IR Team. The IR Team includes members from CivicActions Security and Operations teams. 
Incident response plays a pivotal role in monitoring, detecting and handling security incidents of the entire information system. The IRP details categorization of incidents in accordance with NIST 800-61 and accordingly documents and reports incidents. The IRP is reviewed annually and updated as needed by ISSO, with the assistance of the Incident Response Team. + + +**a.** Incident response plays a pivotal role in monitoring, detecting and handling security incidents of the entire information system. CivicActions has developed an Incident Response Plan () that: + +1. Provides CivicActions with procedures and tools required for incident handling; +2. Describes the structure and organization of the incident response capability; +3. Provides a high-level approach for how the incident response capability fits into + CivicActions and the systems it maintains; + +4. Meets the mission, size, structure, and functions of CivicActions; +5. Defines reportable incidents; +6. Provides metrics for measuring the incident response capability and details categorization + of incidents in accordance with NIST 800-61; + +7. Defines the roles and responsibilities of CivicActions IR Team; +8. Is reviewed annually and updated as needed by the CivicActions Security Office, + with the assistance of the Incident Response Team. + +**b.** The CivicActions Incident Response Plan is distributed to all CivicActions team members as part of the CivicActions Handbook (). + The Incident Response Team includes members from the Security Office, + Operations staff, and Drupal Engineering teams. + +**c.** The CivicActions Security Office and the Incident Response team is responsible for reviewing the Incident Response Plan annually. The entire Incident Response Team will review the plan and update it as necessary. Ultimately, the Security Office has the final say and will approve all updates to the plan. 
+ +**d.** The CivicActions Security Office is responsible for managing the IR Plan, including annual reviews and updates. The IR Plan is updated to reflect any changes to processes, systems or applications. In addition, any concerns or difficulties encountered during IR Plan implementation, execution, or testing are addressed in an update to the IR Plan. + +**e.** Modifications to the IR Plan are conducted by the IR team the (CivicActions Security Office, Operations staff and Engineering teams) and communicated to the CivicActions team. + +**f.** The IR Plan is available in the CivicActions Handbook and is maintained in the CivicActions GitHub repository. GitHub provides the configuration management capabilities for the IR Plan to be protected from unauthorized disclosure and modification. diff --git a/results/docs/sop/sop-ma-maintenance.md b/results/docs/sop/sop-ma-maintenance.md new file mode 100644 index 0000000..70b9c8c --- /dev/null +++ b/results/docs/sop/sop-ma-maintenance.md 
@@ -0,0 +1,103 @@ +# Maintenance (MA) Standard (SOP) + +*Reviewed and updated 2025-01-31* + +---- + +**Table of Contents** + + +- [Introduction](#introduction) + - [Purpose](#purpose) + - [Scope](#scope) +- [Standards](#standards) + - [MA-01 System Maintenance Policy And Procedures](#ma-01-system-maintenance-policy-and-procedures) + - [MA-02 Controlled Maintenance](#ma-02-controlled-maintenance) + - [MA-04 Non-Local Maintenance](#ma-04-non-local-maintenance) + - [MA-05 Maintenance Personnel](#ma-05-maintenance-personnel) + + + +---- + +## Introduction + +### Purpose + +The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project. + +### Scope + +This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system. + +## Standards + +### MA-01 System Maintenance Policy And Procedures + +CivicActions has developed, documented and disseminated to personnel a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Maintenance (MA) Policy and Procedure document that can be found in the CivicActions GitHub repository at . 
+ + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + +System maintenance policy and procedures are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to software and systems maintenance and updates. The Project Full Name ensures that maintenance controls are developed, disseminated, reviewed, and updated as necessary. + +Physical and environmental protection is fully inherited from the AWS FedRAMP certified us-east cloud. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + +### MA-02 Controlled Maintenance + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + +The Project schedules, performs, and documents regular maintenance on the software components of all systems, including but not limited to: + +- Hourly automated snapshot backups +- Daily disaster recovery remote backups +- Daily Intrusion Detection (OSSEC) / Data Integrity Assurance (AIDE) +- As needed help desk support +- Twice-monthly OS updates/patches + + +### MA-04 Non-Local Maintenance + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + +**a.** System maintenance is done from remote sites as there is no direct access to the server instances in the AWS cloud; this is the government-approved method of doing business. Approval, QA, and monitoring are conducted by the team performing the specific maintenance. 
+ +**b.** Remote diagnostics tools, such as OSSEC, AIDE, fail2ban, and OpenSCAP are used to verify the integrity of files, perform log analysis, monitor login attempts and check for rootkits and other vulnerabilities. + +**c.** All nonlocal maintenance requires the same authentication requirements to perform the maintenance activities to access the system as defined in controls AC-3 and IA-2. SSH is used to secure all communications between the remote user and the components located in the AWS cloud. + +**d.** CivicActions records for nonlocal maintenance is managed through JIRA tickets and the Git issue queue as well as normal system logs. CivicActions administrator activity to the system is also logged through the implementation of the AU-2 (Audit Events) and AU-3 (Content of Audit Records). + +**e.** Any session for internal maintenance activities is terminated when the user completes their session, disconnects from the system, or logs out. In addition, sessions are terminated after 15 minutes of inactivity. + +### MA-05 Maintenance Personnel + +Maintenance of the system and applications can only be performed by personnel designated as having internal administrator privileges and responsibilities. Access rights for the internal administrators are assigned and granted access to perform their specific job responsibilities. All physical maintenance requirements are inherited from AWS. + + +This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications. + +For the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP). + +Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. + + +Client maintains a list of authorized contract (CivicActions) personnel who perform maintenance and repair activities on the Project Project system components, and only these authorized personnel may perform the maintenance. All maintenance personnel have the required personnel security elements in place. diff --git a/results/docs/sop/sop-mp-media-protection.md b/results/docs/sop/sop-mp-media-protection.md new file mode 100644 index 0000000..654d634 --- /dev/null +++ b/results/docs/sop/sop-mp-media-protection.md 
@@ -0,0 +1,74 @@
+# Media Protection (MP) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [MP-01 Media Protection Policy And Procedures](#mp-01-media-protection-policy-and-procedures)
+ - [MP-02 Media Access](#mp-02-media-access)
+ - [MP-06 Media Sanitization](#mp-06-media-sanitization)
+ - [MP-07 Media Use](#mp-07-media-use)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### MP-01 Media Protection Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in CivicActions Media Protection (MP) Policy and Procedure document that can be found in the CivicActions GitHub repository at .
+
+
+This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. Media protection policy and procedures are fully inherited from AWS Cloud.
+
+
+### MP-02 Media Access
+
+This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### MP-06 Media Sanitization
+
+This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### MP-07 Media Use
+
+This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
diff --git a/results/docs/sop/sop-pe-physical-and-environmental-protection.md b/results/docs/sop/sop-pe-physical-and-environmental-protection.md
new file mode 100644
index 0000000..875c4f7
--- /dev/null
+++ b/results/docs/sop/sop-pe-physical-and-environmental-protection.md
@@ -0,0 +1,128 @@
+# Physical And Environmental Protection (PE) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [PE-01 Physical And Environmental Protection Policy And Procedures](#pe-01-physical-and-environmental-protection-policy-and-procedures)
+ - [PE-02 Physical Access Authorizations](#pe-02-physical-access-authorizations)
+ - [PE-03 Physical Access Control](#pe-03-physical-access-control)
+ - [PE-06 Monitoring Physical Access](#pe-06-monitoring-physical-access)
+ - [PE-08 Visitor Access Records](#pe-08-visitor-access-records)
+ - [PE-12 Emergency Lighting](#pe-12-emergency-lighting)
+ - [PE-13 Fire Protection](#pe-13-fire-protection)
+ - [PE-14 Temperature And Humidity Controls](#pe-14-temperature-and-humidity-controls)
+ - [PE-15 Water Damage Protection](#pe-15-water-damage-protection)
+ - [PE-16 Delivery And Removal](#pe-16-delivery-and-removal)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### PE-01 Physical And Environmental Protection Policy And Procedures
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-02 Physical Access Authorizations
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-03 Physical Access Control
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-06 Monitoring Physical Access
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-08 Visitor Access Records
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-12 Emergency Lighting
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-13 Fire Protection
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-14 Temperature And Humidity Controls
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-15 Water Damage Protection
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
+
+
+### PE-16 Delivery And Removal
+
+This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.
+
+For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
+
+Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team.
diff --git a/results/docs/sop/sop-pl-planning.md b/results/docs/sop/sop-pl-planning.md
new file mode 100644
index 0000000..7e74003
--- /dev/null
+++ b/results/docs/sop/sop-pl-planning.md 
@@ -0,0 +1,104 @@
+# Planning (PL) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [PL-01 Security Planning Policy And Procedures](#pl-01-security-planning-policy-and-procedures)
+ - [PL-02 System Security Plan](#pl-02-system-security-plan)
+ - [PL-04 Rules Of Behavior](#pl-04-rules-of-behavior)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### PL-01 Security Planning Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a system planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Planning (PL) Policy and Procedure document that can be found in the CivicActions GitHub repository at .
+
+
+The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013.
+
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+The Project developed its security policy planning and procedures based on None, guidance from NIST, the Office of Management and Budget and industry best practices. Security policies and procedures are formally documented within the Project SSP, which provides the roles and responsibilities as it pertains to security planning. It provides guidance on all aspects of security for the protection of Project information technology resources. It defines responsibilities for the implementation and oversight of the guidance contained herein. The plan was last updated in December, 2015.
+
+
+### PL-02 System Security Plan
+
+The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS system security plan.
+
+
+The System Security Plan (SSP) was developed and implemented for Project system in accordance with None, NIST SP 800-18 and NIST SP 800-37. The SSP includes a description of the management, operational, and technical controls in place or planned for the application. The SSP is included as a key document in an application’s C&A package and is reviewed and approved by designated officials. The SSP identifies the system owner and responsible parties for managing system access and the overall security of the system. The Chief Information Security Officer reviews and approves the SSP. The SSP will be reviewed at least annually and updated to account for any changes to the Project system and to address any changes in security controls.
+
+
+**a.** CivicActions has developed this system security plan (SSP) for the information system as part of compliance with NIST 800-53 and FIPS 199. The SSP defines the security categorization, system boundary, and security requirements and controls meeting the requirements of the NIST Risk Management Framework (RMF). Specifically the SSP:
+
+1. Is consistent with the organization’s enterprise architecture
+2. Explicitly defines the authorization boundary for the system
+3. Describes the operational context of the information system in terms of missions and business
+ processes
+
+4. Provides the security categorization of the information system including supporting rationale
+5. Describes the operational environment for the information system and relationships with or
+ connections to other information systems
+
+6. Provides an overview of the security requirements for the system
+7. Identifies any relevant overlays, if applicable
+8. Describes the security controls in place or planned for meeting those requirements including a
+ rationale for the tailoring decisions
+
+9. Is reviewed and approved by the authorizing official or designated representative prior to plan
+ implementation
+
+**b.** The SSP is reviewed and approved by the authorizing official prior to plan implementation. A copy of the SSP is provided to authorized CivicActions and assessing personnel including the System Owner, Authorizing Official, Information System Security Officer, System/Network Administrator, and the CivicActions Operations staff. The SSP is maintained by the CivicActions Security Office.
+
+**c.** The SSP is reviewed at least annually by the System Owner and the CivicActions Operations staff in collaboration with the CivicActions Security Office.
+
+**d.** The CivicActions Operations staff in collaboration with the CivicActions Security Office updates the system description and control descriptions within the SSP as needed to verify the SSP is an accurate description of the system.
+
+**e.** The SSP is currently available to authorized users on GitLab. Per the Acceptable Use Policy, all entities granted access to CivicActions information assets are required to complete a non-disclosure agreement (NDA) to uphold information confidentiality. GitLab provides the configuration management capabilities for the SSP to be protected from unauthorized disclosure and modification.
+
+### PL-04 Rules Of Behavior
+
+**a.** CivicActions has created and made readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage. These rules, defined as the Acceptable Use Policy, are included in the CivicActions Security Policy accessible here: which has also been uploaded to CSAM as ''Appendix J1 - System Rules of Behavior - Privileged User'' (CivicActions Security Policy 20190226.docx).'
+
+
+Project has created and made readily available to individuals requiring access to the information system the rules that describes their responsibilities and expected behavior with regard to information and information system usage. These rules are captured in ‘Appendix J2 - System Rules of Behavior - General User’ (ProjectSystemRoB2019-template.docx).
+
+Project has reviewed and accepted as a superset alternative the CivicActions Acceptable Use Policy.
+
+**b.** CivicActions HR receives a signed acknowledgment from all employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. The text of the electronically signed (via DocuSign) acknowledgment document has been uploaded to CSAM as artifact: ''CivicActions Security Policy Acknowledgement.docx''
+
+
+The Project System Owner receives a signed acknowledgment from such individuals that are not CivicActions employees, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
+
+**c.** CivicActions reviews the CivicActions Security Policy at least annually and updates as required.
+
+
+Project reviews the Rules of Behavior at least annually and updates it as required.
+
+**d.** CivicActions requires individuals who have signed a previous version of the CivicActions Security Policy to read and re-sign when any part of it, including the Acceptable Use Policy/Rules of Behavior, is revised/updated.
+
+
+Project requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the Rules of Behavior are revised/updated.
diff --git a/results/docs/sop/sop-ps-personnel-security.md b/results/docs/sop/sop-ps-personnel-security.md
new file mode 100644
index 0000000..85a4b11
--- /dev/null
+++ b/results/docs/sop/sop-ps-personnel-security.md
@@ -0,0 +1,150 @@
+# Personnel Security (PS) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [PS-01 Personnel Security Policy And Procedures](#ps-01-personnel-security-policy-and-procedures)
+ - [PS-02 Position Risk Designation](#ps-02-position-risk-designation)
+ - [PS-03 Personnel Screening](#ps-03-personnel-screening)
+ - [PS-04 Personnel Termination](#ps-04-personnel-termination)
+ - [PS-05 Personnel Transfer](#ps-05-personnel-transfer)
+ - [PS-06 Access Agreements](#ps-06-access-agreements)
+ - [PS-07 Third-Party Personnel Security](#ps-07-third-party-personnel-security)
+ - [PS-08 Personnel Sanctions](#ps-08-personnel-sanctions)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### PS-01 Personnel Security Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in CivicActions Personnel Security (PS) Policy document that can be found in the CivicActions GitHub repository at .
+
+
+The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013.
+
+
+The Project documents the security policy and procedures in addressing position categorization, personnel screening, personnel termination, personnel transfer, and access agreements within the Project SSP. Project adopts the Client personnel security standards and determines position risks levels based on public trust responsibilities.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+### PS-02 Position Risk Designation
+
+Project position sensitivity levels are assigned by the Client Full Name. Each position designation is documented on the Standard Position Description (SPD) and assigned a risk level (or sensitivity level) commensurate with the sensitivity of the information, the risk to that information and the system maintaining that information. The levels of risk still need to be designated by Client for employee and contractor positions but since Project system does not have any sensitive data, a low risk scenario can be assumed.
+
+- Employee risk levels and background investigations are: Low Risk= NACI, Moderate Risk= LBI,
+ High Risk= BI.
+
+- Contractor risk levels and background investigations are: Low Risk= NACI, Moderate Risk= NACC,
+ High Risk= BI.
+
+
+In order to ensure every employee is assigned to a position, which has been reviewed for sensitivity by the NCC, the SPD is a required data attribute of an employee’s HR record. Position risks designations are reviewed and revised when NCC or OPM publish changes to sensitivity levels.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog
+
+
+**a.** Risk designations are assigned to all CivicActions positions. The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to assign risk designations.
+
+**b.** The CivicActions Office of Human Resources works in coordination with the CivicActions Security Office to establish screening criteria for all CivicActions positions.
+
+**c.** At least every three (3) years, the CivicActions Office of Human Resources reviews and revises position risk designations. If the Office of Human Resources determines that significant changes must be made to the position risk descriptions the Office of Human Resources works in coordination with the CivicActions Security Office to implement changes as required.
+
+### PS-03 Personnel Screening
+
+Minimum background investigations are conducted, since all data is non-sensitive, for individuals requiring access to Project information and information systems. The type of background investigation conducted for an individual is determined by the individual’s position risk categorization noted in control PS-2. Client conducts periodic reinvestigations in accordance with OPM and NIST guidelines.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+**a.** Prospective CivicActions employees undergo background checks commensurate with the individual’s job duties, the classification of the information they will access, and the risks associated with the role. At the discretion of the CivicActions Security Office, these checks may also be conducted on contractors and/or third party users in cases where they will have access to application data that is not meant to be consumed by the public. In these instances, the Security Office will instruct the Office of Human Resources to conduct a background check before granting access to the information system.
+
+**b.** Re screening is conducted as required by the individual’s job duties, the classification of the information they will access, and the risks associated with the role. A basic background check is performed for all CivicActions employees.
+
+### PS-04 Personnel Termination
+
+Client Full Name HR policy states that managers or designated officials are responsible for recovering and properly securing employee badges and returning it to the local physical security office. The Client executes termination procedures that remove personnel access privileges, computer accounts. When an employee is terminated, the employee’s manager or designated official completes a form requesting termination of access for the user. Local management and the security manager coordinate disabling or removing Project privileged access with the system administrator. The employee’s manager or designated official is responsible for recovering and properly securing his/her ID badge and returning it to the local physical security office. The employee’s manager or designated official ensures that any information on the system that the employee was responsible for will be available to the appropriate personnel.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+**a.** Information system access is terminated immediately upon the voluntary or involuntary departure of an employee. In the case of involuntary departure, in addition to immediate termination of system access, at no point is a departing employee allowed access to any part of the CivicActions infrastructure.
+In the case of voluntary departure, employees are permitted access to the information system for the duration of their off-boarding period. The departing employee’s manager is responsible for informing the Information Technology department when the employee off-boarding period concludes. At this time system and facility, access is terminated.
+
+**b.** The terminated user’s accounts are disabled and all access associated with the individual is revoked.
+
+**c.** The employee's manager or the Office of Human Resources conducts exit interviews with all employees who leave CivicActions voluntarily. There is a general discussion about the process of turning in any/all company-issued devices, laptops, etc.
+
+**d.** CivicActions employees provide their own equipment that must be hardened to security requirements depending upon their roles and duties. CivicActions supplies two-factor authentication tokens that become the property of the employee.
+Some employees may receive company-issued hardware for working on particular projects. These items are collected before the employee exits CivicActions. In the case of an involuntary termination, the Office of Human Resources works to collect company-issued devices and provides paperwork highlighting confidential protections for customers.
+
+**e.** Access to CivicActions information and information systems is always shared so that the termination of an individual will not prevent CivicActions from having access to needed resources.
+
+**f.** When a person is terminated, a standard off-boarding process is used to notify management and CivicActions' Operations staff, and to track the process of disabling access to the information system/information system components. The CivicActions Operations staff and Security Office are given at least four hours notice to schedule the deactivation of access upon termination. Deactivation is a manual process that is tracked via a Trello card in order to meet the four hour turnaround time before termination.
+
+### PS-05 Personnel Transfer
+
+When an employee is reassigned or transferred, the employee’s manager or designated official is required to request transfer of access (as appropriate) for the user.
+
+In accordance with the Client Full Name HR policy, the employee’s manager or designated official is responsible for recovering and properly securing his/her ID badge and returning it to the local physical security office. The manager provides prompt notification to the Project system/security administrator when an employee changes assignments and/or location. This includes taking prompt and appropriate action to change employee access profile and/or remove employee from the system; and ensure that users’ system access is cancelled when the need no longer exists.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+**a.** When an employee, third party personnel and/or contractor is transferred to a new project or position within CivicActions, they may maintain access to the previous system they were working on in order to facilitate the process of maintenance and knowledge transfer. However, as part of the practices of account management (AC-2) and least privilege (AC-6), regular audits of privileged users are conducted and access privileges may be removed when no longer needed. Additionally, adherence to specific client SLAs may enhance the frequency of such audits or the timeliness of privilege removal during personnel transfer.
+
+**b.** When an employee, third party personnel and/or contractor is transferred to a new position within CivicActions and there is a requirement for access change, such access changes are normally completed within five business days.
+
+**c.** Access authorizations are modified as needed to coincide with changes in duties or operational needs upon personnel transfer or reassignment.
+
+**d.** CivicActions Operations staff is informed of transfers that require access authorization modifications within five business days by the Project Manager, System Owner or Office of Human Resources.
+
+### PS-06 Access Agreements
+
+**a.** All users of the Project system must read and accept access agreements upon every login.
+
+**b.** The Access Agreements are reviewed at least annually or when a significant change occurs.
+
+**c.** All individuals requiring access to the Project system are required to sign the Access Agreements before login is granted. When the Access Agreements are updated, the individual will be required to sign the new copy before regaining access.
+
+### PS-07 Third-Party Personnel Security
+
+**a.** Personnel security requirements including security roles and responsibilities that apply to primary contracting organizations flow down to their subcontractors.
+
+**b.** Personnel security policies and procedures that apply to primary contracting organizations flow down to their subcontractors.
+
+**c.** All personnel security requirements are documented in PS-1 and other related Personnel Security controls.
+
+**d.** For personnel transfers and terminations of third-party personnel, the procedures defined in employee termination (PS-4) and employee transfer (PS-5) flow down to subcontractors.
+
+**e.** Compliance measures for assessing third-party personnel and/or contractors are determined on a case-by-case basis. Third-party personnel are monitored to ensure compliance with personnel security requirements.
+
+### PS-08 Personnel Sanctions
+
+The disciplinary sanctions for personnel failing to comply with establish IT security policies and procedures are included in Client Full Name HR policy. If an employee violates the Client information security policies and procedures, the employee may be subject to disciplinary action at the discretion of management. Actions may range from verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation. Disciplinary sanctions are reported to the OCIO.
+
+
+**a.** The CivicActions Security Office and/or the Office of Human Resources is responsible for determining and enforcing sanctions for failing to comply with established information security policies and procedures. Coaching may be considered prior to sanctions. Sanctions may include but are not limited to written warnings, reduction in system access, demotion, or termination.
+
+**b.** When employee sanctions processes are initiated, the Office of Human Resources notifies the respective Project Manager(s) and CivicActions' Security Office within five business days.
diff --git a/results/docs/sop/sop-ra-risk-assessment.md b/results/docs/sop/sop-ra-risk-assessment.md
new file mode 100644
index 0000000..cdeb005
--- /dev/null
+++ b/results/docs/sop/sop-ra-risk-assessment.md
@@ -0,0 +1,106 @@
+# Risk Assessment (RA) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [RA-01 Risk Assessment Policy And Procedures](#ra-01-risk-assessment-policy-and-procedures)
+ - [RA-02 Security Categorization](#ra-02-security-categorization)
+ - [RA-03 Risk Assessment](#ra-03-risk-assessment)
+ - [RA-05 Vulnerability Scanning](#ra-05-vulnerability-scanning)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### RA-01 Risk Assessment Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions Risk Assessment (RA) Policy and Procedure that can be found in the CivicActions GitHub repository at .
+
+
+The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013.
+
+
+The Client follows the risk assessment policy and procedures formally documented within None.
Furthermore, a Risk Assessment Plan was originally initiated to determine the extent of the potential threat and the risk associated with Project throughout its System Development Life Cycle (SDLC). The Project Risk Assessment defines the methodology approach to determine the likelihood risks, and identify potential mitigation options to reduce risks to the Project system.
+
+The Project Risk Assessment will be conducted in accordance with the Department’s risk assessment policy and procedures. By doing so, the responsible parties associated with the Project will be able to determine the risk, likelihood and impact that could result from exploiting vulnerabilities within the system.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+### RA-02 Security Categorization
+
+**a.** In accordance with FIPS 199 requirement and guidelines provided in NIST SP800-60 Rev.1, the organization categorized the system as a Low system: Confidentiality (Low), Integrity (Low), Availability (Low).
+
+**b.** The security categorization was determined by evaluating the type of information that is stored, processed, and/or transmitted by the application and the potential impact levels associated with the confidentiality, integrity, and availability of that information. The application’s security categorization has been documented in this SSP.
+
+**c.** The security categorizations have been reviewed by the designated application POCs, were approved during the C&A effort. The formal security categorization document is available upon request. The system inventory for the Project Project is revalidated semiannually.
+
+### RA-03 Risk Assessment
+
+**a.** CivicActions/Project will perform risk assessments for the Project system based on SP 800-30 Rev.
1 Guide for Conducting Risk Assessments at least annually and as part of the change management activities for the Project system that warrant a new or updated risk assessment. + +**b.** The results of risk assessments will be compiled into a risk assessment report to be reviewed by CivicActions Security and relevant personnel, and also added to the GitLab system for the Project system. + +**c.** CivicActions/Project reviews risk assessment +results at least annually. + +**d.** The Risk Assessment report will be disseminated to the appropriate +personnel through the Project Manager and CivicActions +Security. + +**e.** Risk assessments are conducted annually or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system, as defined in NIST Special Publication 800-37 Revision 1. +A significant change includes: + +- Changing authentication or access control implementations; +- Changing storage implementations; +- Changing a COTS product to another product; +- Changing the backup mechanisms and process; and, +- Adding new interconnections to an outside service provide. + +### RA-05 Vulnerability Scanning + +The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: vulnerability scanning. + + +The Project uses vulnerability scanning software to document and determine risks to the system. These scans are run monthly and the results of these scans are being used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time. + + +**a.** CivicActions Operations uses vulnerability scanning software to document and determine risks to the system. 
Operating system and application vulnerability scans include:
+
+- The CivicActions system environment employs the OpenSCAP scanner with the Red Hat STIG baseline to check for vulnerabilities.
+- The CivicActions application environment is tested by the penetration tester OWASP ZAP, an open-source web application security scanner to report on needed updates based on known flaws.
+
+CivicActions Operations has automated the process to perform the scans on a monthly basis. The resulting reports list vulnerabilities and rank them by severity. These reports are stored in Amazon S3 buckets and are used to inform changes to the system and verify that security controls are working correctly. These scans are used to document the current state of the system, and to analyze security trends as changes are made over time.
+
+**b.** CivicActions employs the automated vulnerability scanning tools OpenSCAP and OWASP ZAP which are interoperable with standard web browsers, the Open Source Ansible infrastructure provisioning system and other Open Source tools.
+
+**c.** The CivicActions Security Office reviews all vulnerabilities identified from automated scans and security assessments. "False positive" findings are documented and may be tailored out. Vulnerabilities found and deemed legitimate are assigned an impact rating and response time thought creation of an issue or ticket. The CivicActions Operations staff reviews current scans and compare with older scans to identify trends and to verify previous vulnerabilities have been mitigated.
+
+**d.** Identified and reported vulnerabilities are assigned an impact rating and response time by CivicActions' Security and must be remediated according to the following time requirements:
+
+- Critical - Within 15 days of discovery (usually within 1 week))
+- High - Within 30 days of discovery (usually within 1 week))
+- Moderate - Within 90 days of discovery (usually within 2 weeks)
+- Low - Within 180 days of discovery
+
+**e.** Results of the vulnerability scans and security assessments are shared with all appropriate CivicActions personnel supporting continuous monitoring requirements. CivicActions Security assigns each vulnerability an impact rating and response time through JIRA or the Git issue tool for tracking to the established remediation deadlines listed in RA-5(d).
diff --git a/results/docs/sop/sop-sa-system-and-services-acquisition.md b/results/docs/sop/sop-sa-system-and-services-acquisition.md
new file mode 100644
index 0000000..576deb0
--- /dev/null
+++ b/results/docs/sop/sop-sa-system-and-services-acquisition.md
@@ -0,0 +1,279 @@
+# System And Services Acquisition (SA) Standard (SOP)
+
+*Reviewed and updated 2025-01-31*
+
+----
+
+**Table of Contents**
+
+
+- [Introduction](#introduction)
+ - [Purpose](#purpose)
+ - [Scope](#scope)
+- [Standards](#standards)
+ - [SA-01 System And Services Acquisition Policy And Procedures](#sa-01-system-and-services-acquisition-policy-and-procedures)
+ - [SA-02 Allocation Of Resources](#sa-02-allocation-of-resources)
+ - [SA-03 System Development Life Cycle](#sa-03-system-development-life-cycle)
+ - [SA-04 Acquisition Process](#sa-04-acquisition-process)
+ - [SA-04 Acquisitions](#sa-04-acquisitions)
+ - [SA-04(10) Use Of Approved Piv Products](#sa-0410-use-of-approved-piv-products)
+ - [SA-05 Information System Documentation](#sa-05-information-system-documentation)
+ - [SA-09 External Information System Services](#sa-09-external-information-system-services)
+
+
+
+----
+
+## Introduction
+
+### Purpose
+
+The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project.
+
+### Scope
+
+This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system.
+
+## Standards
+
+### SA-01 System And Services Acquisition Policy And Procedures
+
+CivicActions has developed, documented and disseminated to personnel a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls.
This information is maintained by the CivicActions System and Services Acquisition (SA) Policy document that can be found in the CivicActions GitHub repository at .
+
+
+The Project complies with the None. The Project will identify new threats/vulnerabilities and technologies that may require updating of solicitation documents.
+
+This is Agency common control. More data about implementation can be obtained from the Agency common control catalog.
+
+
+### SA-02 Allocation Of Resources
+
+The Project System Owner is responsible for leading the annual budgeting process and for tracking organizational spending. The System Owner coordinates with the CivicActions Project Manager and CivicActions Security on at least monthly basis to track security priorities and spending patterns and determine financial requirements. The System Owner also coordinates the approval process for interim increases to the security budget, if required. This data is used to support the development of the annual budget.
+
+Security costs are included in Exhibit 53 in the Department's on-line electronic Capital Planning and Investment Control system (eCPIC) in order to provide adequate business case information for budget purposes. Security costs are represented across the life cycle in the business case (Exhibit 300) for major investments and (Exhibit 53) for non-major projects - Project is a non-major project. Security costs are summarized and listed as a line item on the Exhibit 53 in the budget submitted to Treasury.
+
+Costs for providing security at the infrastructure level are contained in the business cases for infrastructure supporting computing platforms, desktop processing, the network environment, and web capability. Since the Exhibit 53 includes projections for multiple fiscal years, its intention is to identify and anticipate security resources required.
+ + +**a.** CivicActions' Security Office, in collaboration with the System Owner, act and/or meet on a pre-determined basis to determine information system security requirements and to develop implementation budgets and plans. + +**b.** The CivicActions Security Office, in collaboration with the System Owner, determines, designates, documents, and allocates the resources required to protect the system as part of its capital planning and investment control processes. + +**c.** The annual budget developed by the System Owner includes explicit budgetary line items for FISMA security requirements. Additional security-related expenditures that fall outside of explicit compliance requirements are addressed in sub-lines under the CivicActions Information Technology budget. + +### SA-03 System Development Life Cycle + +The Project draws from the None, NIST SP 800-64, and Agile software development methodology to ensure security requirements are incorporated during each phase of the life cycle. This helps to ensure the development of secure systems and effective risk management. + + +**a.** The system and application(s) are managed by CivicActions using the Agile software development methodology, which provides a continuous System Development Life Cycle (SDLC) methodology. CivicActions Agile management continues to improve the software through ongoing planned code releases. The process is overseen by the Change Control Board (CCB) as described in CM-1. Each point release introduces code and configuration changes to the website through the following SDLC methodology: + +- Code release planning: A code release ticket is created in the Change Request project of the + CivicActions ticketing system which describes the overall goals of the code release. + The code release ticket is linked to other tickets in the ticketing system which describe issues to + be addressed by the planned code release. 
Those issues may include bug fixes and feature enhancements + as well as upgrades to newer versions of the software packages that have been used to build the + website. + +- Sprints: The tickets covered by the planned code release are then implemented through a series of + planned sprints, each of which typically lasts two weeks. Each sprint begins with a sprint planning + session at which the CCB selects a list of tickets to be implemented. CivicActions + Development holds daily coordination meetings throughout the sprint to share information and resolve + any problems that may be blocking progress toward completion. At the end of the sprint, a + retrospective is performed in which progress is reviewed to determine which issues have been + resolved and which need further work. + +- Development/unit testing: Work on each ticket is performed within a separate code branch within the + CivicActions Git repository, and tested using the GitLab Runner continuous integration + platform. Developers also write unit tests to prove their code behaves as expected and address security + considerations such as information leakage, bounds checking, and input validation. Once work on a + ticket is completed, the developer creates a merge request, and the changes are submitted to at least + one other developer for review to ensure they meet functional requirements and address security + considerations before the pull request is merged into the Git repository's development branch for the + planned code release. + +- Integration testing: Once all work tickets have been completed, the code and configuration necessary + to implement the changes are merged into the website's staging server, where it undergoes additional + testing to ensure there are no conflicts between the work that has been done on individual tickets. 
+ +- User acceptance testing (UAT): The code release undergoes manual testing against a checklist of + expected site behaviors and options each of the website's defined user roles to further verify that + the functional changes work as expected and to identify any changes in user experience that need to + be documented in release notes to be shared with the customer. + +- Approval for deployment: After all the planned code release has passed all of the above tests, the + code release is scheduled for deployment to production and presented to CivicActions' + Change + Control Board (CCB) for review and approval. + +- Deployment to production: A full backup of the website is performed immediately prior to the + deployment. + +- Security scan: After the deployment to production, the website undergoes a security scan using a web + vulnerability scanner. + + Security issues to be addressed in the planned code release may come from a variety of sources: + +- Customer support requests received by the CivicActions Help Desk +- Security concerns, incidents, and site performance issues reported by users +- Security incident reports, including server log analysis and root cause analysis of those incidents + performed by the CivicActions Security Office and Operations staff + +- Security notifications received by the CivicActions Security Office from external + security teams and other software vendors + +- Vulnerabilities detected during security scans of the website performed by the + CivicActions Security Office + +- Issues reported by the CivicActions Security Office, Operations staff and Development +- Security issues reported through continuous monitoring + +**b.** The CivicActions organization defines and documents information security roles and responsibilities throughout the SDLC. 
The following teams participate in this process: + +- Customer Support: Files tickets when incidents are reported and shares incident reports with customers +- The CivicActions Security Office: Receives security notifications from the Drupal security + team and other software vendors; performs security scans; uses CivicActions JIRA ticketing + system to request mitigation of all reported vulnerabilities + +- CivicActions Development: Performs server log analysis when security incidents are + reported; assists in root cause analysis + +- Change Control Board: Meets weekly to review and approve upcoming planned code changes to the website, + include security-related code releases. + +- AWS Cloud: Monitors server and application events; proactively respond to security incidents, and + reports incidents to CivicActions + +- Users: Communicates customer security requirements and expectations, and alerts the + CivicActions customer support team whenever it detects a security or site performance + issue + + +Security responsibilities performed by these teams include the following: + +- Perform configuration management during information system design, development, implementation, and + operation; + +- Implement only organization-approved changes; +- Document approved changes; +- Manage and control changes to the system; +- Fully test all changes, taking into account security considerations as well as other functional + requirements; + +- Track security flaws and flaw resolution; and +- Employ code analysis tools to examine software for common flaws and document the results of the + analysis. + +**c.** Each of the CivicActions teams described in SA-3(b) has a team leader who is responsible for defining the roles and responsibilities of individual personnel members within that team. CivicActions uses role-based management for access and authentication implementation and enforcement. 
+
+**d.** The CivicActions organization integrates the organizational information security risk management process into system development life cycle activities by requiring that the processes defined in SA-3(a) and (b) above are adhered to by all information system developers and associated security personnel.
+
+### SA-04 Acquisition Process
+
+The CivicActions System and Services Acquisition Policy affects all personnel with purchasing authorization and applies to all purchases or deployments including infrastructure, software or hardware. The CivicActions System and Services Acquisition Policy contains the process for determining acceptance criteria for all system software and application services.
+
+The Acquisition Security Policy includes an assessment that evaluates the product based on the vendor’s security practices, policies, and past performance. It also details the potential maintenance and end-of-life ramifications with regards to security.
+
+The CivicActions Security Office is responsible for determining the security documentation that must be included in the information system or services acquisition contracts.
+
+Configuration and design of the development and production environments are hosted in the CivicActions Git repository. All documentation is strictly controlled regarding transportation and storage in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
+
+
+### SA-04 Acquisitions
+
+The Project follows the guidelines and procedures within the overarching None. The requirements in the information system acquisition contract permit updating security controls as new threat/vulnerabilities are identified and new technologies are implemented.
+
+The Project System and Services Acquisition Policy contains the process for determining acceptance criteria for all Project system software and services.
+ +The Project organization reviews and approves all acquisition contracts in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. + + +### SA-04(10) Use Of Approved Piv Products + +CivicActions/Project and AWS describes this control as “not applicable”, as PIV credentials are not applicable to the Project system. Access and Authentication requirements for the Project system for internal CivicActions and customer are implemented under access management and enforcement (AC-2 and AC-3) and identification and authentication for all users (IA-2 and IA-8). + +It is the responsibility of CivicActions for implementation of PIV capability for authentication as required. + + +### SA-05 Information System Documentation + +Client maintains adequate documentation for the Project system. The Project system documentation is protected as required and made available to authorized personnel. Procedures for protecting system documentation include management in the private CivicActions Git repository and the publicly available documentation trees for Free and Open Source Software (FOSS). The documentation maintained for the Project system includes: + +- System Security Plan (SSP) – this document +- Configuration documentation +- Incident Response and Contingency Plans +- Rules of Behavior (Acceptable Use Policy) +- FOSS Reference Manuals (Drupal, GNU/Linux, Apache, MySQL, PHP, Postfix, + etc.) + + +**a.** Public documentation related to Ilias is maintained by the Ilias Association and is located at . 
This documentation contains administrator documentation for the information system that describes: +- secure configuration, installation, and operation of the system, component, or service; +- effective use and maintenance of security functions/mechanisms; and +- known vulnerabilities regarding configuration and use of administrative functions; + + +Some application features are built on a custom basis and are not part of standard FOSS packages. Administrator documentation for those custom features is maintained in the CivicActions Git repository documentation system. + + +In this architecture, documentation of the infrastructure configuration in the form of AWS CloudFormation templates in JSON or YAML format, architecture diagrams, deployment user guide and security controls implementation details is included. + +AWS built-in features include online documentation for management of the infrastructure at + +**b.** The public documentation at Ilias.de contains user documentation for the information system that describes: +- user-accessible security functions/mechanisms and how to effectively use those + security functions/mechanisms; +- methods for user interaction, which enables individuals to use the system, + component, or service in a more secure manner; and +- user responsibilities in maintaining the security of the system, component, or service; + + +The publicly-available FOSS package documentation described in control SA-5(a) also includes user documentation for non-administrators as described in control AC-3. This includes documentation on how to create and manage user accounts as well as how to create, update and delete content. + +CivicActions follows the user documentation standard practice to provide context-sensitive help as well as access to a Help Desk in publicly facing applications. + +The CivicActions Customer Support team, described in control SA-3(b), handles questions about how to use the system. 
Questions are submitted by sending an email to support@civicactions.com, which triggers the creation of a ticket in the CivicActions customer support ticketing system. + + +AWS built-in features include online documentation of AWS services at + +1. AWS built-in features include online documentation for AWS account users at + such as user Guides, API reference guides, CLI + reference guides and developer reference guides to provide information on how to + effectively use security functions. + +2. AWS built-in features include online documentation for AWS account users within the + infrastructure at such as user Guides, API + reference guides, CLI reference guides and developer reference guides to provide + information on how to access AWS services and components in a more secure manner. + +3. AWS built-in features include online documentation for AWS account users at + that provides information + related to security responsibilities of customers using AWS services. + +**c.** As a popular and well-used and maintained free and open source (FOSS) project, in the event that sought after documentation is not available on Ilias.de, it can usually be found in one of the many forums, mailing lists or Stack Exchange sites covering Ilias and its many contributed modules. + +If the information needed to answer a question is not already included in the website's public-facing documentation, a ticket is created to determine whether the question is sufficiently general in nature to warrant adding the answer to the website's documentation. + +**d.** The Ilias.de documentation is multi-sourced on GitHub and private repositories. + +All administrator documentation is housed in a protected Git repository. User documentation is publicly available. + + +AWS built-in features include online documentation that is protected by AWS from unauthorized modification or deletion within AWS system. 
+
+**e.** As the Ilias.de documentation is publicly available, there is no need to provide distribution mechanisms.
+
+As needed and approved by the CivicActions Security Office, documentation is available to appropriate personnel by granting access to the private Git repository.
+
+
+AWS built-in features include online documentation located at that is publicly available.
+
+### SA-09 External Information System Services
+
+CivicActions does not have any dedicated interconnections between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing or transmitting federal agency data.
+
+
+Project does not have any dedicated interconnections between information system components within the authorization boundary and external third-party vendor information systems for the purposes of storing, processing, or transmitting federal agency data.
+
+Project is hosted on the AWS Cloud platform, which was approved under the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013.
diff --git a/results/docs/sop/sop-sc-system-and-communications-protection.md b/results/docs/sop/sop-sc-system-and-communications-protection.md
new file mode 100644
index 0000000..2c992fe
--- /dev/null
+++ b/results/docs/sop/sop-sc-system-and-communications-protection.md
@@ -0,0 +1,128 @@ +# System And Communications Protection (SC) Standard (SOP) + +*Reviewed and updated 2025-01-31* + +---- + +**Table of Contents** + + +- [Introduction](#introduction) + - [Purpose](#purpose) + - [Scope](#scope) +- [Standards](#standards) + - [SC-01 System And Communications Protection Policy And Procedures](#sc-01-system-and-communications-protection-policy-and-procedures) + - [SC-05 Denial Of Service Protection](#sc-05-denial-of-service-protection) + - [SC-07 Boundary Protection](#sc-07-boundary-protection) + - [SC-12 Cryptographic Key Establishment And Management](#sc-12-cryptographic-key-establishment-and-management) + - [SC-13 Cryptographic Protection](#sc-13-cryptographic-protection) + - [SC-15 Collaborative Computing Devices](#sc-15-collaborative-computing-devices) + - [SC-20 Secure Name / Address Resolution Service](#sc-20-secure-name--address-resolution-service) + - [SC-21 Secure Name / Address Resolution Service](#sc-21-secure-name--address-resolution-service) + - [SC-22 Architecture And Provisioning For Name / Address Resolution Service](#sc-22-architecture-and-provisioning-for-name--address-resolution-service) + - [SC-39 Process Isolation](#sc-39-process-isolation) + + + +---- + +## Introduction + +### Purpose + +The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project. + +### Scope + +This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system. 
+ +## Standards + +### SC-01 System And Communications Protection Policy And Procedures + +CivicActions has developed, documented and disseminated to personnel a system and communication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. This information is maintained in the CivicActions System and Communications Protection (SC) Policy CivicActions document that can be found in the CivicActions GitHub repository at . + + +System and communications protection policy and procedures are formally documented in the None and the Project SSP. The Department reviews and updates the policy as necessary and has been continually updated since April 2008. +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + +### SC-05 Denial Of Service Protection + +Ilias has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations. + +Drupal has a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations. + +The Project system is configured to reduce vulnerabilities in its operating system and applications to protect against Denial of Service (DoS) attacks. +The Project support staff ensures the system is protected against or limits the effect of DoS attacks as specified in the None. + + +### SC-07 Boundary Protection + +Ilias, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Ilias employs both the AWS platform safeguards and the Ilias logging in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. 
+ +Drupal, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Drupal employs both the AWS platform safeguards and the Drupal Watchdog module in monitoring and recording system events. All other computing nodes used in the system are isolated within AWS. + + +The Project system has monitored and controlled communications at the external boundary of the information system and at key internal boundaries within the system, where appropriate. The Project allocates publicly accessible information system components (e.g., public web servers) specific IP address and port combinations. Public access into the organization’s internal networks is prevented except as appropriately mediated. + + +**a.** In this architecture, network communications to, from, and between VPCs, subnets and Amazon S3 buckets are controlled as follows: AWS Route Tables specify which subnets in each VPC are accessible through gateways and which are isolated/private. AWS Security Groups provide stateful inbound/outbound port/protocol restrictions, Amazon Simple Storage Service (Amazon S3) buckets support access control restrictions based on network source/destination. + +**b.** In this architecture, subnetworks for publicly accessible system components are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs. + +**c.** In this architecture, connection to external networks is possible only through Internet Gateways (IGWs) or NAT gateways (in regions where supported by AWS VPC) and are restricted based on ports/protocols via AWS Security groups, and default subnet rules provided by NACLs. 
+ +### SC-12 Cryptographic Key Establishment And Management + +In this architecture, initial private/public SSH keys stored in Identity and Access Management (IAM) are supplied to Amazon EC2 instances upon launch, and the public key portion is managed within the AWS Amazon EC2 service. In addition, server-side encryption is used for Amazon S3 storage and Amazon RDS databases, using key management provided by AWS for the storage buckets and Amazon RDS databases. + + +Use of cryptographic key management for the Project system is in use for at the time of implementation for authentication. CivicActions utilizes customer agency supplied PIV credentials for access to customer instances of the Project. Access enforcement and authentication requirements for Project are described in AC-2 & IA-2. AWS platform does not utilize or manage cryptographic keys within the ACE boundary. + + +### SC-13 Cryptographic Protection + +The information system implements: + +- Cryptographic modules through Secure Shell (SSH) to allow administrators to securely logon to the + various system components + +- HTTPS/SSL (TLS) for connection to web-based services +- TLS for connection to email services +- AES-256 (FIPS 140-2 validated) for data at rest (with Elastic Block Store (EBS) volumes) + + +In this architecture, encryption mechanisms are employed for data at rest and in transit. For data at rest, AES-256 Server Side encryption is employed for data stored in Amazon S3, and Amazon RDS databases. For data in transit, to protect against exposure of any cleartext data transmitted deliberately (upload/download) or incidentally during interactive systems management operations, Amazon S3 object access can only be conducted over encrypted sessions via TLS; the bastion host, Amazon EC2 instances and associated security groups are configured for encrypted SSH sessions only. For web user access, the Elastic Load Balancing (ELB) employs a TLS endpoint. 
+ +AWS built-in features employ TLS for AWS Management Console sessions, AWS API calls, and AWS Command Line Interface connections. + + +### SC-15 Collaborative Computing Devices + +This control is not applicable, as the Project system does +employ any collaborative computing devices. + + +### SC-20 Secure Name / Address Resolution Service + +The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (authoritative source) + + +### SC-21 Secure Name / Address Resolution Service + +The system inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: secure name / address resolution service (recursive or caching resolver) + + +### SC-22 Architecture And Provisioning For Name / Address Resolution Service + + + +### SC-39 Process Isolation + +Process isolation is maintained on the Linux platform. Linux is the only operating system that is part of the boundary. + + +In this architecture, the AMIs that make up the operating systems deployed on Amazon EC2 instances maintain separate execution domains/address spaces for executing processes within the customer operating environment. + +AWS built-in features of the hypervisors that support the infrastructure maintain separate execution domains/address spaces for executing processes. diff --git a/results/docs/sop/sop-si-system-and-information-integrity.md b/results/docs/sop/sop-si-system-and-information-integrity.md new file mode 100644 index 0000000..39db3f8 --- /dev/null +++ b/results/docs/sop/sop-si-system-and-information-integrity.md 
@@ -0,0 +1,132 @@ +# System And Information Integrity (SI) Standard (SOP) + +*Reviewed and updated 2025-01-31* + +---- + +**Table of Contents** + + +- [Introduction](#introduction) + - [Purpose](#purpose) + - [Scope](#scope) +- [Standards](#standards) + - [SI-01 System And Information Integrity Policy And Procedures](#si-01-system-and-information-integrity-policy-and-procedures) + - [SI-02 Flaw Remediation](#si-02-flaw-remediation) + - [SI-03 Malicious Code Protection](#si-03-malicious-code-protection) + - [SI-04 Information System Monitoring](#si-04-information-system-monitoring) + - [SI-05 Security Alerts, Advisories, And Directives](#si-05-security-alerts-advisories-and-directives) + - [SI-12 Information Handling And Retention](#si-12-information-handling-and-retention) + - [SI-12 Information Output Handling And Retention](#si-12-information-output-handling-and-retention) + + + +---- + +## Introduction + +### Purpose + +The Office of the Chief Information Officer (OCIO) Information Assurance Services (IAS) publication Information Technology (IT) System Access Controls Standard of February 11, 2022 provides a comprehensive basis for management across all systems in the Department. This document provides specific guidance as defined and implemented by the Project. + +### Scope + +This system has been categorized as a FIPS-199 LOW system, and as such this document applies only to relevant controls, policies, processes and procedures as defined within the system. + +## Standards + +### SI-01 System And Information Integrity Policy And Procedures + +CivicActions has developed, documented and disseminated to personnel a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the policy and associated controls. 
This information is maintained in the CivicActions System and Information Integrity (SI) Policy document that can be found in the CivicActions GitHub repository at . + + +System and information integrity policy and procedures for the Project system are formally documented in the Project SSP, which provides the roles and responsibilities as it pertains to physical and environmental protection systems. The Project system support staff monitors the network on a daily basis and employs up-to-date patches to protect the integrity of the system. + +Additional information is contained within the None. + +This is Agency common control. More data about implementation can be obtained from the Agency common control catalog. + + +### SI-02 Flaw Remediation + +Ilias contains built-in security status monitoring of the core application and contributed modules. + +**a.** Identification of information system security flaws are detected as early as possible by the following methods: + +- Vulnerability scans, as described in RA-5. +- Log analysis from monitoring described in SI-4. +- Service flaw notifications (CVEs, etc.) are received by the + CivicActions Security Office and passed on to + CivicActions Operations staff when relevant. + +Any security issues found are ticketed through JIRA and/or the Git issue queue. CivicActions Operations staff prioritizes high findings. Changes made to correct the information system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB as implemented in CM-3. + +**b.** CivicActions testing of the system as a result of security flaw remediation is done through a development environment through the use of internal software and automated testing that ensures the system is working as intended. When a change is made by a developer, testing though a peer review is conducted as part of the Change Request process to ensure the correct analysis is completed. 
Then the changed code is tested in an automatic test environment as described in the Configuration Management Plan (CMP). Tracking of the testing is documented in JIRA and/or the Git issue queue. + +**c.** CivicActions security-software updates are tested prior to implementation on production. The CivicActions Security framework for installation requires updates to be made within 30 days for high vulnerabilities, 90 days for moderate vulnerabilities, and 240 for low vulnerabilities. An issue ticket is created to track any updates made to the system. + +**d.** Flaw remediation is part of the CivicActions configuration management process. Any security issues found are ticketed through JIRA or the Git issue queue. The CivicActions Security Office prioritizes the high findings within the application. Changes made to correct the system as a result of the system flaws are scheduled and coordinated through the CCB Change Request Process and appropriate approvals required from the CCB Chair as implemented in CM-3. + +### SI-03 Malicious Code Protection + +**a.** Virus scans are performed by ClamAV, a server-hosted tool protecting the application from Trojans, Viruses and other malicious cyber-threats. Real-time scans are conducted whenever files are uploaded from any external source and malicious code is blocked or quarantined when detected. All file-based traffic traversing the server is sanitized before being delivered. All input form text is validated and sanitized. + +**b.** Anti-virus definitions and malicious code protection mechanisms are configured and updated automatically on a nightly basis. + +**c.** CivicActions Operations staff receives information system security alerts, advisories, and notifications in response to malicious code detection. These messages are sent to group email distribution lists to ensure all members of the team receive the proper information in a timely manner. 
+ +**d.** False positives during malicious code detection and eradication are dealt with on a case by case basis. Potential impacts on the availability of the information system are detailed in a false positive report depending on if the report is for the OS, database or web application. + +### SI-04 Information System Monitoring + +**a.** CivicActions systems use a collection of monitoring systems, including: + +- ClamAV - provides signature-based malware detection/quarantine +- OSSEC host-based intrusion detection system (HIDS) +- AIDE Advanced Intrusion Detection Environment (IDS)) +- fail2ban, an intrusion prevention system (IPS) framework +- SELinux - a Mandatory Access Control (MAC) IPS +- auditd - a secure system audit daemon +- CloudWatch - AWS monitoring and measurement system +- StatusCake - website monitoring tool +- OpsGenie - a slack/email/text/phone incident escalation tool + +**b.** Logs from the systems described in SI-4(a) are sent to the CivicActions SIEM tool for analysis. These logs can identify unauthorized use of the information system. + +**c.** Monitoring and log collection occur throughout the system. +**d.** The Configuration Management process, remote log gathering, and SELinux MAC protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. + +**e.** In the event of a performance score lower than CivicActions standards, a notification is sent to the CivicActions Security Office. CivicActions subscribes to security mailing lists in the event the monitoring activity is required based on law enforcement information, intelligence information, or other credible sources of information. + +**f.** Internal legal counsel is utilized as required when system notifications indicate such action based on user and/or malicious activity. Legal counsel is engaged for any actions that may necessitate increased user monitoring or evidence/forensic actions. 
+ +**g.** System alerts generated by CivicActions internal monitors (StatusCake, OSSEC, ClamAV, others) are sent to the Incident Response team via OpsGenie. + +### SI-05 Security Alerts, Advisories, And Directives + +CivicActions Security and Operations receive Ilias Security Advisories on a regular basis. + +Project representatives and system administrators receive alerts from US-CERT on a regular basis. Support personnel take appropriate action in response to relevant areas of concern. + + +**a.** The CivicActions Security Office and Operations staff receive the following security alerts, advisories, and directives on an ongoing basis: + +- Mailing lists relevant to web application security +- US-CERT +- Technical Cyber Security Alerts +- Drupal Security Advisories + +**b.** CivicActions utilizes StatusCake for front line monitoring for real time system status and events of the application. StatusCake can feed to the OpsGenie incident escalation system. + +**c.** The CivicActions Security Office disseminates security alerts, advisories, and directives to all CivicActions internal personnel and client personnel as directed. + +**d.** The CivicActions Security Office is responsible for ensuring the dissemination and implementation of relevant security alerts and advisories. + +### SI-12 Information Handling And Retention + +Project representatives and systems administrators receive annual training from Client regarding information assurance and information handling requirements. These personnel are required to operate the system and handle system data and output in accordance with legal requirements. Personnel training and system guidelines ensure that data and programs are handled appropriately. 
+ + +### SI-12 Information Output Handling And Retention + +The CivicActions organization retains all information, system-related information, incident-related information, and system output in accordance with customers’ requirements retention periods and other NIST guidance and standards, Federal policies, procedures, federal laws, and executive orders. Audit records are retained for 365 days. diff --git a/frontmatter/front-matter.md b/results/frontmatter/front-matter.md similarity index 100% rename from frontmatter/front-matter.md rename to results/frontmatter/front-matter.md diff --git a/tools/sop/sop.py b/tools/sop/sop.py index 8462ddb..6c85017 100644 --- a/tools/sop/sop.py +++ b/tools/sop/sop.py @@ -232,7 +232,7 @@ def sort_controls(families: dict) -> dict: "-c", "components_dir", required=False, - default="components/", + default="results/components/", type=click.Path(exists=True, dir_okay=True, file_okay=False), help="Rendered components directory", ) @@ -241,11 +241,14 @@ def sort_controls(families: dict) -> dict: "-o", "output_dir", type=click.Path(exists=False, dir_okay=True, readable=True), - default="docs/", + default="results/docs/", help="Output directory (default: docs/)", ) -def main(components_dir: str, output_dir: str): +def sop(components_dir: str, output_dir: str): out_dir = Path(output_dir).joinpath("sop") + if not out_dir.is_dir(): + out_dir.mkdir(parents=True) + config = load_template_args() rendered_components = Path(components_dir) @@ -258,4 +261,4 @@ def main(components_dir: str, output_dir: str): if __name__ == "__main__": - main() + sop() diff --git a/tools/watchers/component_watcher.py b/tools/watchers/component_watcher.py index 2cd3987..3130b77 100644 --- a/tools/watchers/component_watcher.py +++ b/tools/watchers/component_watcher.py 
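Review bot: The help string on the `output_dir` option in the `@@ -241,11 +241,14 @@` hunk of tools/sop/sop.py still says `(default: docs/)` while the default on the line just above it is now `results/docs/`, so `--help` advertises the wrong path; change it to `help="Output directory (default: results/docs/)",`. The new `is_dir()` check followed by `mkdir(parents=True)` can be collapsed into `out_dir.mkdir(parents=True, exist_ok=True)`, which also avoids a `FileExistsError` if the directory appears between the check and the create. The body of `sop()` continues past the end of the hunk.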
@@ -1,6 +1,6 @@ import asyncio -from watchdog.events import FileCreatedEvent, FileModifiedEvent, FileSystemEventHandler +from watchdog.events import FileClosedEvent, FileSystemEventHandler from watchdog.observers import Observer @@ -10,16 +10,13 @@ def __init__(self, loop: asyncio.AbstractEventLoop): self.queue: asyncio.Queue = asyncio.Queue() self.loop = loop - def on_modified(self, event: FileModifiedEvent) -> None: - asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) - - def on_created(self, event: FileCreatedEvent) -> None: + def on_modified(self, event: FileClosedEvent) -> None: asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) async def process_events(self): while True: event = await self.queue.get() - if isinstance(event, (FileModifiedEvent, FileCreatedEvent)): + if isinstance(event, FileClosedEvent): if self.debounce_task and not self.debounce_task.done(): self.debounce_task.cancel() @@ -27,10 +24,13 @@ async def process_events(self): async def _debounce(self): await asyncio.sleep(0.5) - await self.make_families() + success = await self.make_families() + await asyncio.sleep(0.5) + if success: + await self.make_sop() @staticmethod - async def make_families(): + async def make_families() -> bool: process = await asyncio.create_subprocess_shell( "python tools/makefamilies/makefamilies.py", stdout=asyncio.subprocess.PIPE, 
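Review bot: In the `@@ -10,16 +10,13 @@` hunk the method being overridden is still `on_modified`, but it is now annotated with `FileClosedEvent` and `process_events` only acts on `isinstance(event, FileClosedEvent)`; watchdog dispatches modified events to `on_modified` and closed events to `on_closed`, so the modified events this method actually receives fail the isinstance check and, as far as I can tell, nothing ever reaches `_debounce`. The override should be `def on_closed(self, event: FileClosedEvent) -> None:`. The same mismatch appears in the `@@ -12,16 +12,13 @@` hunk of tools/watchers/template_watcher.py. To my knowledge closed events are only produced by the inotify (Linux) observer, so a one-line comment on the handler stating that the watcher depends on Linux would save the next person a confusing silent no-op elsewhere.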
@@ -42,6 +42,21 @@ async def make_families(): if stderr: print(f"makefamilies.py error:\n{stderr.decode()}") + return True if process.returncode == 0 else False + + @staticmethod + async def make_sop() -> None: + process = await asyncio.create_subprocess_shell( + "python tools/sop/sop.py", + stdout=asyncio.subprocess.PIPE, + stderr=asyncio.subprocess.PIPE, + ) + stdout, stderr = await process.communicate() + if stdout: + print(f"SOP:\n{stdout.decode()}") + if stderr: + print(f"sop.py error:\n{stderr.decode()}") + async def watch_components(path: str, loop: asyncio.AbstractEventLoop): handler = WatchComponentsHandler(loop=loop) diff --git a/tools/watchers/template_watcher.py b/tools/watchers/template_watcher.py index 0c9fec1..c630198 100644 --- a/tools/watchers/template_watcher.py +++ b/tools/watchers/template_watcher.py @@ -1,7 +1,7 @@ import asyncio from pathlib import Path -from watchdog.events import FileCreatedEvent, FileModifiedEvent, FileSystemEventHandler +from watchdog.events import FileClosedEvent, FileSystemEventHandler from watchdog.observers import Observer @@ -12,16 +12,13 @@ def __init__(self, loop: asyncio.AbstractEventLoop): self.queue: asyncio.Queue = asyncio.Queue() self.loop = loop - def on_modified(self, event: FileModifiedEvent) -> None: - asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) - - def on_created(self, event: FileCreatedEvent) -> None: + def on_modified(self, event: FileClosedEvent) -> None: asyncio.run_coroutine_threadsafe(self.queue.put(event), self.loop) async def process_events(self): while True: event = await self.queue.get() - if isinstance(event, (FileModifiedEvent, FileCreatedEvent)): + if isinstance(event, FileClosedEvent): self.file_path = event.src_path if self.debounce_task and not self.debounce_task.done(): self.debounce_task.cancel()
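Review bot: `return True if process.returncode == 0 else False` in the `@@ -42,6 +42,21 @@` hunk wraps a boolean comparison in a redundant conditional; `return process.returncode == 0` expresses the same thing. The new `make_sop` prints stderr but never inspects `process.returncode`, so a sop.py run that fails without writing to stderr goes unreported, unlike `make_families` which now signals success; returning `process.returncode == 0` here as well would keep the two helpers consistent. Both helpers spawn `python ...` through the shell, which resolves `python` from `PATH` rather than using the interpreter that runs the watcher; `asyncio.create_subprocess_exec(sys.executable, "tools/sop/sop.py", stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)` (with `import sys` at the top of the file) pins the interpreter and drops the shell layer. The relative script path also assumes the watcher is started from the repository root, which is worth stating in a comment on the class.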