Cloud.Gov Application SSP Example
A generic SSP setup example for Cloud.Gov-based applications.
Because Cloud.Gov was designed to be compliant with U.S. Government security standards (see NIST-800-53), many of the infrastructure and platform security requirements have been pre-implemented for all applications deployed on Cloud.Gov.
Nevertheless, U.S. Government security standards necessitate that every public-facing application (even those deployed on Cloud.Gov) implement additional security measures and document the compliance requirements of the entire application infrastructure.
In order to leverage Cloud.Gov's existing compliance documentation, 18F is starting to construct its documentation using the Compliance Masonry CLI.
The Compliance Masonry CLI allows users to build documentation the way they build code. This includes the ability to declare Cloud.Gov's compliance documentation as a dependency of their application's documentation, in the same way a developer sets dependencies in package.json, Gemfile, or requirements.txt files.
The schema (or language) used to create compliance documentation for Compliance Masonry is the opencontrol schema.
The opencontrol.yaml defines an application's documentation configuration settings, in the same way that a manifest.yaml defines the deployment configuration settings for an application built on Cloud.Gov.
See this repository's opencontrol.yaml for a minimal example of an application built on top of cloud.gov.
- Clone this repository.
- Follow the Compliance Masonry Quick Start.