From 9d1ffd893c3b86636ca9e3aa8877b7e5087437da Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 00:08:00 -0400
Subject: [PATCH 1/7] correcting AC syntax issues

---
 .../policies/AC-Access_Control/component.yaml | 133 ++++++++++--------
 1 file changed, 71 insertions(+), 62 deletions(-)

diff --git a/OpenShift-v3/policies/AC-Access_Control/component.yaml b/OpenShift-v3/policies/AC-Access_Control/component.yaml
index 7e3f3d8..d926ec0 100644
--- a/OpenShift-v3/policies/AC-Access_Control/component.yaml
+++ b/OpenShift-v3/policies/AC-Access_Control/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Access Control
 schema_version: 3.0.0
@@ -11,11 +12,11 @@ satisfies:
     - key: a
       text: |
         '
-        <The customer will be responsible for developing, documenting, and 
+        <The customer will be responsible for developing, documenting, and
         disseminating Access Control policy and procedures. A successful
         control response will need to address the content of the policy
         (which must include purpose, scope, roles, responsibilities,
-        management committment, coordination, and compliance) and 
+        management committment, coordination, and compliance) and
         procedures (which must facilitate the implimentation of the policies
         and associated controls).>
 
@@ -23,7 +24,7 @@ satisfies:
         group the relevant access granted by the role. OpenShift administrators
         can add and remove roles to and from users and groups using OpenShift
         commands. Documentation for the management of OpenShift Role Bindings
-        can be found at: 
+        can be found at:
 
         https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html#managing-role-bindings>
         '
@@ -53,7 +54,7 @@ satisfies:
         in use.>'
     - key: b
       text: |
-        '<The customer will be responsible for assigning account managers, who  
+        '<The customer will be responsible for assigning account managers, who
         will have responsibilities related to the creation, management, and
         removal of accounts. A successful control response will need to discuss
         how account managers are identified within the organization>'
@@ -85,10 +86,10 @@ satisfies:
     - key: g
       text: |
         '<The customer will be responsible for monitoring the use of information
-        system accounts. This may include reviewing records of account management
-        activities. A successful control response will relate the monitoring
-        activities required for this control to the auditing activities in the
-        AU control family.>'
+        system accounts. This may include reviewing records of account
+        management activities. A successful control response will relate the
+        monitoring activities required for this control to the auditing
+        activities in the AU control family.>'
     - key: h
       text: |
         '<The customer will be responsible for notifying account managers when
@@ -128,8 +129,8 @@ satisfies:
         response will need to address all automated mechanisms used for account
         management.>
 
-        <3rd party software must be used to fully support automated management 
-        of OpenShift accounts. Documentation on authentication configuration 
+        <3rd party software must be used to fully support automated management
+        of OpenShift accounts. Documentation on authentication configuration
         options exposed in OpenShift can be found here:
 
         https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/authentication.html>'
@@ -141,17 +142,18 @@ satisfies:
   narrative:
     - text: |
         '<The customer will be responsible for automatically removing or
-        disabling emergency and temporary accounts within the required timeframe.
-        A successful control response will need to address all of the procedures
-        and mechanisms involved in disabling these accounts.>
+        disabling emergency and temporary accounts within the required
+        timeframe. A successful control response will need to address
+        all of the procedures and mechanisms involved in disabling these
+        accounts.>
 
-        <3rd party software must be used to fully support management of 
-        temporary and emergency accounts. OpenShift does not have the capability 
+        <3rd party software must be used to fully support management of
+        temporary and emergency accounts. OpenShift does not have the capability
         to automatically disable accounts after a configured period of time. To
-        meet this requirement, an authentication provider (such as Active 
-        Directory) must be used. Integration between OpenShift and Active 
-        Directory can be accomplished through the use of Kerberos cross-realm 
-        trusts. Refer to the LDAP Authentication section of the OpenShift 
+        meet this requirement, an authentication provider (such as Active
+        Directory) must be used. Integration between OpenShift and Active
+        Directory can be accomplished through the use of Kerberos cross-realm
+        trusts. Refer to the LDAP Authentication section of the OpenShift
         Administrators guide:
 
         https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth>'
@@ -162,18 +164,18 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for automatically disabling user 
+        '<The customer will be responsible for automatically disabling user
         accounts after the specified period of inactivity. A successful control
         response will need to address all automated mechanisms involved in
         disabling inactive accounts.>
 
-        <3rd party software must be used to fully support automatic disablement 
-        of inactive OpenShift accounts. OpenShift does not have the capability 
-        to automatically disable accounts after a configured period of time. To 
-        meet this requirement, an authentication provider (such as Active 
-        Directory) must be used. Integration between OpenShift and Active 
+        <3rd party software must be used to fully support automatic disablement
+        of inactive OpenShift accounts. OpenShift does not have the capability
+        to automatically disable accounts after a configured period of time. To
+        meet this requirement, an authentication provider (such as Active
+        Directory) must be used. Integration between OpenShift and Active
         Directory can be accomplished throguh the use of Kerberos cross-realm
-        trusts. Refer to the LDAP Authentication section of the OpenShift 
+        trusts. Refer to the LDAP Authentication section of the OpenShift
         Administrators guide:
 
         https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth>'
@@ -190,19 +192,19 @@ satisfies:
         the personnel or roles that must be notified of account management
         activities, and the means by which notifications occur.>
 
-        <OpenShift will log events to standardized files, however automatic 
-        notification (outside of generating  audit data) is not possible. As an 
-        OpenShift Container Platform cluster administrator, you can deploy the 
-        EFK stack to aggregate logs for a range of OpenShift Container Platform 
+        <OpenShift will log events to standardized files, however automatic
+        notification (outside of generating  audit data) is not possible. As an
+        OpenShift Container Platform cluster administrator, you can deploy the
+        EFK stack to aggregate logs for a range of OpenShift Container Platform
         services and setup alerting.
 
-        Application developers can view the logs of the projects for which they 
-        have view access. The EFK stack aggregates logs from hosts and 
-        applications, whether coming from multiple containers or even deleted 
+        Application developers can view the logs of the projects for which they
+        have view access. The EFK stack aggregates logs from hosts and
+        applications, whether coming from multiple containers or even deleted
         pods.
 
-        For documentation on how to setup Elasticsearch, Fluentd, and Kibana, 
-        refer to the Aggregate Logging" section of the OpenShift Installation 
+        For documentation on how to setup Elasticsearch, Fluentd, and Kibana,
+        refer to the Aggregate Logging" section of the OpenShift Installation
         and Configuration Guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging.html>'
@@ -212,9 +214,9 @@ satisfies:
   covered_by: []
   implimentation_status: Implemented
   narrative:
-   - text: |
-        '<Within OpenShift, the sessionMaxAgeSeconds variable in the 
-        master-config.yaml file controls when/if users must logout after a 
+    - text: |
+        '<Within OpenShift, the sessionMaxAgeSeconds variable in the
+        master-config.yaml file controls when/if users must logout after a
         period of inactivity.>'
 
 - control_key: AC-2 (7)
@@ -231,11 +233,13 @@ satisfies:
         organization of the RBAC scheme.>
 
         <Adding, or binding, a role to users or groups give the user or group
-        the relevant access granted by the role. You can add and remove roles 
-        to and from users and groups using OpenShift commands. Documentation 
+        the relevant access granted by the role. You can add and remove roles
+        to and from users and groups using OpenShift commands. Documentation
         for the management of Role Bindings can be found at:
 
-        https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html#managing-role-bindings >'
+        https://docs.openshift.com/container-platform/latest/admin_guide/
+        manage_authorization_policy.html#managing-role-bindings >'
+
     - key: b
       text: |
         '<The customer will be responsible for monitoring privileged role
@@ -264,16 +268,17 @@ satisfies:
         as the process for reviewing membership of shared or group accounts to
         verify that all individuals with access still require that access.>
 
-        <By default, OpenShift does not support group authenticators. OpenShift 
-        does provide a role-based access control (RBAC) mechanism and user 
-        identity metadata, including group membership. Identity and RBAC 
-        controls are enforced against all user (privileged and non) actions and 
-        resources. RBAC access controls can be applied to provide access to 
-        resources by individual users or groups of users. Groups are typically 
+        <By default, OpenShift does not support group authenticators. OpenShift
+        does provide a role-based access control (RBAC) mechanism and user
+        identity metadata, including group membership. Identity and RBAC
+        controls are enforced against all user (privileged and non) actions and
+        resources. RBAC access controls can be applied to provide access to
+        resources by individual users or groups of users. Groups are typically
         configured in accordance with Section 3.4, Managing User and Group i
         Labels in OpenShift Cluster Administration Guide:
 
-        https://docs.openshift.com/container-platform/3.3/admin_guide/manage_users.html#managing-users-managing-user-and-group-labels >'
+        https://docs.openshift.com/container-platform/3.3/admin_guide/
+        manage_users.html#managing-users-managing-user-and-group-labels >'
 
 - control_key: AC-2 (10)
   standard_key: NIST-800-53
@@ -313,20 +318,22 @@ satisfies:
         For aggregate log sizing information, refer to the Aggregate Logging
         Sizing Guidelines of the Installation and Configuration Guide:
 
-        https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging_sizing.html 
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        aggregate_logging_sizing.html
 
         For instructions on how to configure aggregate logging, refer to the
-        Aggregating Container Logs section of the Installation and 
+        Aggregating Container Logs section of the Installation and
         Configuration guide:
 
-        : https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging.html >'
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        aggregate_logging.html >'
+
     - key: b
       text: |
         '<The customer will be responsible for reporting atypical use of
-        information system accounts. A successful control response will 
+        information system accounts. A successful control response will
         discuss the personnel or roles that must be notified and the process
         for notification.>'
-        
 
 - control_key: AC-3
   standard_key: NIST-800-53
@@ -338,7 +345,8 @@ satisfies:
         online. Each OpenShift deployment may chose differing authorization
         processes/configurations. Documentation can be found at:
 
-        https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/authorization.html >'
+        https://docs.openshift.com/container-platform/3.3/architecture/
+        additional_concepts/authorization.html >'
 
 - control_key: AC-4
   standard_key: NIST-800-53
@@ -355,7 +363,8 @@ satisfies:
         <A review of OpenShift v3 networking can be found in the OpenShift
         Architecture guide:
 
-        https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/networking.html >'
+        https://docs.openshift.com/container-platform/3.3/architecture/
+        additional_concepts/networking.html >'
 
 - control_key: AC-4 (21)
   standard_key: NIST-800-53
@@ -439,7 +448,7 @@ satisfies:
         '<The customer will be responsible for defining specific personnel
         or roles who require privileged access, and restricting privileged
         access to those personnel or roles. A successful response will need
-        to address the job functions or responsibilities for which 
+        to address the job functions or responsibilities for which
         privileged access is required.>'
 
 - control_key: AC-6 (9)
@@ -448,7 +457,7 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for auditing the execution of 
+        '<The customer will be responsible for auditing the execution of
         privileged functions. A successful control response will need
         to relate this requirement to the general auditing requirements
         of the AU control family,>'
@@ -472,7 +481,7 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for enforcing a limit on consecutive 
+        '<The customer will be responsible for enforcing a limit on consecutive
         failed login attempts.>'
     - key: b
       text: |
@@ -506,7 +515,7 @@ satisfies:
         information message to users. A successful control response will need
         to address the conditions under which the message will be
         displayed (if a non-government user accesses the system, the system
-        use information message may not be appropriate), as well as the 
+        use information message may not be appropriate), as well as the
         contents of the notification message, including references to
         applicable monitoring, recording, or auditing, and authorized usage
         of the system.>'
@@ -684,7 +693,7 @@ satisfies:
     - text: |
         '<OpenShift utilizes the firewall technology embedded into Red Hat
         Enterprise Linux. This technology, named firewalld, allows a system
-        administrator to configure host-bsaed rules which take effect 
+        administrator to configure host-bsaed rules which take effect
         immediately. This gives an OpenShift operator the ability to immediately
         drop all remote connections. For additional information on embedded
         firewall capabilities, refer to the *Using Firewalls* section of the
@@ -696,7 +705,7 @@ satisfies:
         designation will migrate applications from a given cluster node to
         another, disconnecting any active sessions to a given cluster node.
 
-        If immediate disconnect of all hosted applications are desired, 
+        If immediate disconnect of all hosted applications are desired,
         individual containers may be halted. This will disconnect user sessions
         for tenant applications immediately.>'
 
@@ -774,7 +783,7 @@ satisfies:
     - key: 'b'
       text: |
         '<The customer will be responsible for establishing terms and conditions
-        allowing authorized individuals to process, store, or transmit 
+        allowing authorized individuals to process, store, or transmit
         customer-controlled information using external information systems. A
         successful control response will need to outline the terms and
         conditions and the external information systems to which those terms

From b8802c2680a1180cd51564b7f368e9b2844bec20 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 00:39:42 -0400
Subject: [PATCH 2/7] adding make checks

---
 OpenShift-v3/Makefile | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/OpenShift-v3/Makefile b/OpenShift-v3/Makefile
index 03dc30d..753b517 100644
--- a/OpenShift-v3/Makefile
+++ b/OpenShift-v3/Makefile
@@ -22,7 +22,7 @@ clean:
 	rm -rf exports/ opencontrols/
 
 pdf: exports
-	cd exports/ && gitbook pdf ./ ./OpenShift_v3_Compliance.pdf
+	cd exports/ && gitbook pdf ./ ./Red_Hat_Enterprise_Linux_7_Compliance.pdf
 
 serve: exports
 	cd exports && gitbook serve
@@ -30,15 +30,17 @@ serve: exports
 exports: opencontrols
 	${CM} docs gitbook FedRAMP-low
 
-#opencontrols: opencontrol.yaml policies/*/.yaml
 opencontrols: opencontrol.yaml 
-	${CM} get
+	-${CM} get
 
 coverage:
 	${CM} diff FedRAMP-low
 
 fedramp: default
-	${GOPATH}/bin/fedramp-templater fill opencontrols/ ../FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx exports/FedRAMP-Filled-v2.1.docx
+	${GOPATH}/bin/fedramp-templater fill opencontrols/ FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx exports/FedRAMP-Filled-v2.1.docx
 
 fedramp-diff:
 	${GOPATH}/bin/fedramp-templater diff opencontrols/ FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx
+
+checks:
+	yamllint policies/

From 338a91ddc3c504f5074fb47a0f72864bfb4ab0a2 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 00:40:05 -0400
Subject: [PATCH 3/7] adding RHEL7 make checks

---
 RHEL7/Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/RHEL7/Makefile b/RHEL7/Makefile
index 524675c..753b517 100644
--- a/RHEL7/Makefile
+++ b/RHEL7/Makefile
@@ -41,3 +41,6 @@ fedramp: default
 
 fedramp-diff:
 	${GOPATH}/bin/fedramp-templater diff opencontrols/ FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx
+
+checks:
+	yamllint policies/

From 31f392179daf6e92224dd18123e242181891361b Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 01:34:24 -0400
Subject: [PATCH 4/7] yamllint and updated string tags

---
 .../policies/AC-Access_Control/component.yaml | 426 ++++++++++++------
 1 file changed, 282 insertions(+), 144 deletions(-)

diff --git a/OpenShift-v3/policies/AC-Access_Control/component.yaml b/OpenShift-v3/policies/AC-Access_Control/component.yaml
index d926ec0..5451711 100644
--- a/OpenShift-v3/policies/AC-Access_Control/component.yaml
+++ b/OpenShift-v3/policies/AC-Access_Control/component.yaml
@@ -11,32 +11,35 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '
-        <The customer will be responsible for developing, documenting, and
+        '//* 
+        The customer will be responsible for developing, documenting, and
         disseminating Access Control policy and procedures. A successful
         control response will need to address the content of the policy
         (which must include purpose, scope, roles, responsibilities,
         management committment, coordination, and compliance) and
         procedures (which must facilitate the implimentation of the policies
-        and associated controls).>
+        and associated controls).
 
-        <Adding, or binding, a role to users or groups gives the user or
+        Adding, or binding, a role to users or groups gives the user or
         group the relevant access granted by the role. OpenShift administrators
         can add and remove roles to and from users and groups using OpenShift
         commands. Documentation for the management of OpenShift Role Bindings
         can be found at:
 
-        https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html#managing-role-bindings>
-        '
+        https://docs.openshift.com/container-platform/latest/admin_guide/
+        manage_authorization_policy.html#managing-role-bindings
+        */'
 
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
-         Access Control policy every 3 years, and procedures annually. A
+        '//* 
+        The customer will be responsible for reviewing and updating the
+        Access Control policy every 3 years, and procedures annually. A
         successful control response will need to address and review and
         update process, including the role(s) responsible for initiating
         the review process, updating the policy and procedures, and
-        providing approval of the updates.>'
+        providing approval of the updates.
+        */'
 
 - control_key: AC-2
   standard_key: NIST-800-53
@@ -45,78 +48,100 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for identifying and selecting the
+        '//*
+        The customer will be responsible for identifying and selecting the
         types of accounts required to support the customer application.
         Examples of account types include individual, shared, group,
         system, guest/annonymous, emergency, developer/manufacturer/vendor,
         temporary, and service. A successful control response will need to
         address the specific requirements fulfulled by each account type
-        in use.>'
+        in use.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for assigning account managers, who
+        '//*
+        The customer will be responsible for assigning account managers, who
         will have responsibilities related to the creation, management, and
         removal of accounts. A successful control response will need to discuss
-        how account managers are identified within the organization>'
+        how account managers are identified within the organization
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for setting conditions for group and
+        '//*
+        The customer will be responsible for setting conditions for group and
         role membership. A successful control response will need to outline
-        these conditions and how they are enforced.>'
+        these conditions and how they are enforced.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for specifying authorized users,
+        '//*
+        The customer will be responsible for specifying authorized users,
         group and role membership, and privileges for each account. A successful
         control response will need to addess the process by which authorized
-        users are specified and privilege levels are determined.>'
+        users are specified and privilege levels are determined.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for requiring approval by designated
+        '//*
+        The customer will be responsible for requiring approval by designated
         personnel or roles prior to creating information system accounts. A
         successful control response will need to outline the personnel or roles
         responsible for approving information system accounts and the process by
-        which those personnel or roles are notified and approval is granted.>'
+        which those personnel or roles are notified and approval is granted.
+        */'
     - key: f
       text: |
-        '<The customer will be repsonsible for defining and enforcing procedures
+        '//*
+        The customer will be repsonsible for defining and enforcing procedures
         or conditions for the creation, management, and removal of information
         system accounts. A successful control response will outline the
         conditions for each action and the tools or procedures used to enforce
-        those conditions.>'
+        those conditions.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for monitoring the use of information
+        '//*
+        The customer will be responsible for monitoring the use of information
         system accounts. This may include reviewing records of account
         management activities. A successful control response will relate the
         monitoring activities required for this control to the auditing
-        activities in the AU control family.>'
+        activities in the AU control family.
+        */'
     - key: h
       text: |
-        '<The customer will be responsible for notifying account managers when
+        '//*
+        The customer will be responsible for notifying account managers when
         accounts are no longer required, when users are terminated or
         transferred, or when system usage or need-to-know changes. A successful
         control response will need to address the methods by which these
-        triggering events are identified and the managers are notified.>'
+        triggering events are identified and the managers are notified.
+        */'
     - key: i
       text: |
-        '<The customer will be responsible for authorizing access to the
+        '//*
+        The customer will be responsible for authorizing access to the
         customer application. A successful control response will need to address
         ensuring that all accounts are granted access based on a valid
-        authorization for a specific intended usage.>'
+        authorization for a specific intended usage.
+        */'
     - key: j
       text: |
-        '<The customer will be responsible for reviewing accounts for compliance
+        '//*
+        The customer will be responsible for reviewing accounts for compliance
         with account management requirements at the specified frequency. A
         successful control response will need to address the process used to
         review accounts, the means by which compliance is verified, and the
-        process for remediation of any accounts found not to be in compliance.>'
+        process for remediation of any accounts found not to be in compliance.
+        */'
     - key: k
       text: |
-        '<The customer will be responsible for reissing shared/group account
+        '//*
+        The customer will be responsible for reissing shared/group account
         credentials when individuals are removed from the group. A
         successful control response will need to discuss how a triggering
         event is notified, what the process and timeframe for reissuing
-        credentials is, and how the process is enforced.>'
+        credentials is, and how the process is enforced.
+        */'
 
 - control_key: AC-2 (1)
   standard_key: NIST-800-53
@@ -124,7 +149,8 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for employing automated mechanisms
+        '//*
+        The customer will be responsible for employing automated mechanisms
         to support account management activities. A successful control
         response will need to address all automated mechanisms used for account
         management.>
@@ -133,7 +159,8 @@ satisfies:
         of OpenShift accounts. Documentation on authentication configuration
         options exposed in OpenShift can be found here:
 
-        https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/authentication.html>'
+        https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/authentication.html
+        */'
 
 - control_key: AC-2 (2)
   standard_key: NIST-800-53
@@ -141,7 +168,8 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for automatically removing or
+        '//*
+        The customer will be responsible for automatically removing or
         disabling emergency and temporary accounts within the required
         timeframe. A successful control response will need to address
         all of the procedures and mechanisms involved in disabling these
@@ -156,7 +184,8 @@ satisfies:
         trusts. Refer to the LDAP Authentication section of the OpenShift
         Administrators guide:
 
-        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth>'
+        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth
+        */'
 
 - control_key: AC-2 (3)
   standard_key: NIST-800-53
@@ -164,7 +193,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for automatically disabling user
+        '//*
+        The customer will be responsible for automatically disabling user
         accounts after the specified period of inactivity. A successful control
         response will need to address all automated mechanisms involved in
         disabling inactive accounts.>
@@ -178,7 +208,8 @@ satisfies:
         trusts. Refer to the LDAP Authentication section of the OpenShift
         Administrators guide:
 
-        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth>'
+        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth
+        */'
 
 - control_key: AC-2 (4)
   standard_key: NIST-800-53
@@ -186,7 +217,8 @@ satisfies:
   implimentation_status: Implemented
   narrative:
     - text: |
-        '<The customer will be responsible for automatically auditing account
+        '//*
+        The customer will be responsible for automatically auditing account
         management actions. A successful control response will need to address
         all automated mechanisms involved in monitoring account management,
         the personnel or roles that must be notified of account management
@@ -207,7 +239,8 @@ satisfies:
         refer to the Aggregate Logging" section of the OpenShift Installation
         and Configuration Guide:
 
-        https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging.html>'
+        https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging.html
+        */'
 
 - control_key: AC-2 (5)
   standard_key: NIST-800-53
@@ -215,9 +248,11 @@ satisfies:
   implimentation_status: Implemented
   narrative:
     - text: |
-        '<Within OpenShift, the sessionMaxAgeSeconds variable in the
+        '//*
+        Within OpenShift, the sessionMaxAgeSeconds variable in the
         master-config.yaml file controls when/if users must logout after a
-        period of inactivity.>'
+        period of inactivity.
+        */'
 
 - control_key: AC-2 (7)
   standard_key: NIST-800-53
@@ -226,7 +261,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing and administering
+        '//*
+        The customer will be responsible for establishing and administering
         privileged accounts in accordance with a role-based access (RBAC)
         scheme. A successful control response will need to address the types
         of users or rules that receive privileged access as well as the
@@ -238,22 +274,27 @@ satisfies:
         for the management of Role Bindings can be found at:
 
         https://docs.openshift.com/container-platform/latest/admin_guide/
-        manage_authorization_policy.html#managing-role-bindings >'
+        manage_authorization_policy.html#managing-role-bindings 
+        */'
 
     - key: b
       text: |
-        '<The customer will be responsible for monitoring privileged role
+        '//*
+        The customer will be responsible for monitoring privileged role
         assignments. A successful control response will need to address
         the process by which role assignments are reviewed for continued
-        appropriateness.>'
+        appropriateness.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for defining and executing actions
+        '//*
+        The customer will be responsible for defining and executing actions
         to take when privileged role assignments are no longer appropriate.
         A successful control response will need to address the criteria for
         determining whether assignments are no longer appropriate, the actions
         to be taken, and the roles or personnel responsible for taking those
-        actions.>'
+        actions.
+        */'
 
 - control_key: AC-2 (9)
   standard_key: NIST-800-53
@@ -261,7 +302,8 @@ satisfies:
   implimentation_status: Implemented
   narrative:
     - text: |
-        '<The customer will be responsible for defining and enforcing
+        '//*
+        The customer will be responsible for defining and enforcing
         conditions for the use of shared group accounts. A successful control
         response will need to address the specific need for the existing of
         a shared or group account versus multiple individual accounts, as well
@@ -278,7 +320,8 @@ satisfies:
         Labels in OpenShift Cluster Administration Guide:
 
         https://docs.openshift.com/container-platform/3.3/admin_guide/
-        manage_users.html#managing-users-managing-user-and-group-labels >'
+        manage_users.html#managing-users-managing-user-and-group-labels 
+        */'
 
 - control_key: AC-2 (10)
   standard_key: NIST-800-53
@@ -286,12 +329,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for terminating or changing
+        '//*
+        The customer will be responsible for terminating or changing
         credentials for shared or group accounts when membership to those
         groups changes. A successful control response will need to discuss how
         group membership change is detected and reported, the peronnel or roles
         responsible for changing the affected credentials, and the process or
-        mechanism used to perform the change.>'
+        mechanism used to perform the change.
+        */'
 
 - control_key: AC-2 (12)
   standard_key: NIST-800-53
@@ -300,7 +345,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for monitoring information system
+        '//*
+        The customer will be responsible for monitoring information system
         accounts for atypical use. A successful control response will relate
         the monitoring activities required for this control to the auditing
         activities in the AU control family, and will discuss the criteria
@@ -326,14 +372,17 @@ satisfies:
         Configuration guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/
-        aggregate_logging.html >'
+        aggregate_logging.html 
+        */'
 
     - key: b
       text: |
-        '<The customer will be responsible for reporting atypical use of
+        '//*
+        The customer will be responsible for reporting atypical use of
         information system accounts. A successful control response will
         discuss the personnel or roles that must be notified and the process
-        for notification.>'
+        for notification.
+        */'
 
 - control_key: AC-3
   standard_key: NIST-800-53
@@ -341,12 +390,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Documentation on OpenShift Authorization frameworks can be found
+        '//*
+        Documentation on OpenShift Authorization frameworks can be found
         online. Each OpenShift deployment may chose differing authorization
         processes/configurations. Documentation can be found at:
 
         https://docs.openshift.com/container-platform/3.3/architecture/
-        additional_concepts/authorization.html >'
+        additional_concepts/authorization.html 
+        */'
 
 - control_key: AC-4
   standard_key: NIST-800-53
@@ -354,7 +405,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for controlling the flow of
+        '//*
+        The customer will be responsible for controlling the flow of
         information within the customer application, and between the customer
         application and external systems. A successful control response will
         need to address the customer information flow control policies,
@@ -364,7 +416,8 @@ satisfies:
         Architecture guide:
 
         https://docs.openshift.com/container-platform/3.3/architecture/
-        additional_concepts/networking.html >'
+        additional_concepts/networking.html 
+        */'
 
 - control_key: AC-4 (21)
   standard_key: NIST-800-53
@@ -372,11 +425,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for separating information flows
+        '//*
+        The customer will be responsible for separating information flows
         within the customer application. A successful control response will
         need to address the csutomer organizational requirements for
         the separation of information flows, and the mechanisms and
-        techniques used to accomplish this separation.>'
+        techniques used to accomplish this separation.
+        */'
 
 - control_key: AC-5
   standard_key: NIST-800-53
@@ -385,23 +440,29 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for defining separation of duties
+        '//*
+        The customer will be responsible for defining separation of duties
         between individuals so as to reduce the risk of insider threat without
         collusion. A successful control response will need to consider the
         possible actions a malicious insider could take to undermine the
         security of the system, and delineate how duties are separated to
-        prevent or reduce the likelihood of those actions.>'
+        prevent or reduce the likelihood of those actions.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting separation of duties.
+        '//*
+        The customer will be responsible for documenting separation of duties.
         A successful control response will need to address the location of this
-        documentation and the process for reviewing it if necessary.>'
+        documentation and the process for reviewing it if necessary.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for defining access authorizations
+        '//*
+        The customer will be responsible for defining access authorizations
         to support separation of duties, for example by using Role Based
         Access Control. A successful control response will need to address
-        policy and technical enforcement of separation of duties.>'
+        policy and technical enforcement of separation of duties.
+        */'
 
 - control_key: AC-6
   standard_key: NIST-800-53
@@ -409,12 +470,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for following least-privilege
+        '//*
+        The customer will be responsible for following least-privilege
         principles when granting authorized access. A successful control
         response will need to address the use of business requirements
         to determine the level of access required to perform each job function,
         and how that is related to the role-based access control scheme used
-        within the system.>'
+        within the system.
+        */'
 
 - control_key: AC-6 (1)
   standard_key: NIST-800-53
@@ -422,11 +485,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for defining key security functions
+        '//*
+        The customer will be responsible for defining key security functions
         and security-relevant information, and for explicitly authorizing
         access to those functions and information. A successful control response
         will need to address the criteria used to determine which functions
-        and information require explicit access authorization.>'
+        and information require explicit access authorization.
+        */'
 
 - control_key: AC-6 (2)
   standard_key: NIST-800-53
@@ -434,10 +499,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for requiring users to use the
+        '//*
+        The customer will be responsible for requiring users to use the
         lowest level of access required to perform any given function. A
         successful control response will need to discuss how the level of
-        access in use is monitored and enforced.>'
+        access in use is monitored and enforced.
+        */'
 
 - control_key: AC-6 (5)
   standard_key: NIST-800-53
@@ -445,11 +512,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for defining specific personnel
+        '//*
+        The customer will be responsible for defining specific personnel
         or roles who require privileged access, and restricting privileged
         access to those personnel or roles. A successful response will need
         to address the job functions or responsibilities for which
-        privileged access is required.>'
+        privileged access is required.
+        */'
 
 - control_key: AC-6 (9)
   standard_key: NIST-800-53
@@ -457,10 +526,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for auditing the execution of
+        '//*
+        The customer will be responsible for auditing the execution of
         privileged functions. A successful control response will need
         to relate this requirement to the general auditing requirements
-        of the AU control family,>'
+        of the AU control family,
+        */'
 
 - control_key: AC-6 (10)
   standard_key: NIST-800-53
@@ -468,11 +539,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that non-privileged
+        '//*
+        The customer will be responsible for ensuring that non-privileged
         users cannot execute privileged functions. A successful control
         response will need to discuss the use of centralized authentication
         and authorization and any other means of enforcement of privilege
-        levels.>'
+        levels.
+        */'
 
 - control_key: AC-7
   standard_key: NIST-800-53
@@ -481,12 +554,16 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for enforcing a limit on consecutive
-        failed login attempts.>'
+        '//*
+        The customer will be responsible for enforcing a limit on consecutive
+        failed login attempts.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for taking the FedRAMP required
-        actions defined by the customer, upon account lockout.>'
+        '//*
+        The customer will be responsible for taking the FedRAMP required
+        actions defined by the customer, upon account lockout.
+        */'
 
 - control_key: AC-8
   standard_key: NIST-800-53
@@ -495,48 +572,60 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for displaying a system use
+        '//*
+        The customer will be responsible for displaying a system use
         notification banner to users. A successful control response will need
         to address the conditions under which the banner will be displayed
         (if a non-government user accesses the system, the system use
         notification banner may not be appropriate), as well as the contents
-        of the nofication message.>'
+        of the nofication message.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for displaying the use notification
+        '//*
+        The customer will be responsible for displaying the use notification
         banner until the user acknowledges the usage condition and takes
         explicit actions to further access the system. A successful control
         response will need to address the means by which the user will indicate
-        acknowlegement and move forward.>'
+        acknowlegement and move forward.
+        */'
     - key: c
       text: |
         '
-        '<The customer will be responsible for displaying a system use
+        '//*
+        The customer will be responsible for displaying a system use
         information message to users. A successful control response will need
         to address the conditions under which the message will be
         displayed (if a non-government user accesses the system, the system
         use information message may not be appropriate), as well as the
         contents of the notification message, including references to
         applicable monitoring, recording, or auditing, and authorized usage
-        of the system.>'
+        of the system.
+        */'
     - key: 'Req. 1'
       text: |
-        '<The customer will be responsible for determining the conditions
+        '//*
+        The customer will be responsible for determining the conditions
         under which the system use notification will be displayed. These
-        conditions must be reviewed and accepted by the FedRAMP JAB.>'
+        conditions must be reviewed and accepted by the FedRAMP JAB.
+        */'
     - key: 'Req. 2'
       text: |
-        '<The customer will be responsible for how the system use notification
+        '//*
+        The customer will be responsible for how the system use notification
         will be verified and how often it should be re-displayed and
         re-verified. These conditions must be reviewed an accepted by the
-        FedRAMP JAB.>'
+        FedRAMP JAB.
+        */'
     - key: 'Req. 3'
       text: |
-        '<The customer will be responsible for verifying that the system use
+        '//*
+        The customer will be responsible for verifying that the system use
         notification is being displayed as required, either through a
         configuration baseline check or via other means. If this verification
         does not happen through a configuration baseline check, the JAB must
-        review and accept the process used to perform the verification.>'
+        review and accept the process used to perform the verification.
+        */'
 
 - control_key: AC-10
   standard_key: NIST-800-53
@@ -544,10 +633,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for limiting the number of
+        '//*
+        The customer will be responsible for limiting the number of
         concurrent sessions to the customer application as required.
         A successful control implemented will need to address the technical
-        mechanism used to enforce this limit.>'
+        mechanism used to enforce this limit.
+        */'
 
 - control_key: AC-11
   standard_key: NIST-800-53
@@ -582,11 +673,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for defining events or conditions
+        '//*
+        The customer will be responsible for defining events or conditions
         requiring disconnection (for example, user requesting logout), and for
         terminating the session when those events or conditions arise. A
         successful control response will need to outline the qualifying events
-        or conditions.>'
+        or conditions.
+        */'
 
 - control_key: AC-14
   standard_key: NIST-800-53
@@ -605,14 +698,17 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing and documenting
+        '//*
+        The customer will be responsible for establishing and documenting
         usage restrictions, configuration and connection requirements, and
         implementation guidance for access to the customer application
         (note that in a cloud environment, all user access will be remote
-        access).>'
+        access).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for authorizing remote access before
+        '//*
+        The customer will be responsible for authorizing remote access before
         allowing such connections. Due to the nature of the cloud environment,
         a successful control response will need to indicate that authorizing
         remote access is equivalent to authorizing any access, and relate this
@@ -655,12 +751,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for requiring remote access
+        '//*
+        The customer will be responsible for requiring remote access
         connections to the customer application to be routed through
         customer-defined network access control points. A successful control
         response will need to address the nature, number, and location of
         such access control points, as well as the security controls in place
-        to protect those access control points.>'
+        to protect those access control points.
+        */'
 
 - control_key: AC-17 (4)
   standard_key: NIST-800-53
@@ -669,20 +767,24 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for authoring the execution of
+        '//*
+        The customer will be responsible for authoring the execution of
         privileged commands and access to security-relevant information via
         remote access. Due to the nature of the cloud environment, a
         successful control response will need to indicate that authorizing
         these activities over remote access is equivalent to authorizing them
-        at all, and refer to AC-2.>'
+        at all, and refer to AC-2.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for authorizing the execution of
+        '//*
+        The customer will be responsible for authorizing the execution of
         privileged commands and access to security-relevant information via
         remote access. Due to the nature of the cloud environment, a successful
         control response will need to indicate that authorizing these activities
         over remote access is equivalent to authorizing them at all, and refer
-        to AC-2.>'
+        to AC-2.
+        */'
 
 
 - control_key: AC-17 (9)
@@ -691,7 +793,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<OpenShift utilizes the firewall technology embedded into Red Hat
+        '//*
+        OpenShift utilizes the firewall technology embedded into Red Hat
         Enterprise Linux. This technology, named firewalld, allows a system
         administrator to configure host-bsaed rules which take effect
         immediately. This gives an OpenShift operator the ability to immediately
@@ -707,7 +810,8 @@ satisfies:
 
         If immediate disconnect of all hosted applications are desired,
         individual containers may be halted. This will disconnect user sessions
-        for tenant applications immediately.>'
+        for tenant applications immediately.
+        */'
 
 - control_key: AC-18
   standard_key: NIST-800-53
@@ -716,16 +820,20 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<Given the data center focus of the infrastructure running OpenShift,
+        '//*
+        Given the data center focus of the infrastructure running OpenShift,
         it is likely this control is not applicable. A successful response
         will document if wireless connectivity is enabled, and if so,
-        how usage and connection requirements were created.>'
+        how usage and connection requirements were created.
+        */'
     - key: 'b'
       text: |
-        '<A successful control response will document how connections are
+        '//*
+        A successful control response will document how connections are
         authorized prior to recieving full connectivity to the wireless
         network. This is frequently accomplished via WEP2 and other
-        encrption and/or passphrase requirements.>'
+        encrption and/or passphrase requirements.
+        */'
 
 
 - control_key: AC-18 (1)
@@ -734,10 +842,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Given the data center focus of OpenShift deployments, it is likely
+        '//*
+        Given the data center focus of OpenShift deployments, it is likely
         this requirement is not applicable. A successful control response will
         document how, if wireless connectivity is permitted, users and devices
-        authenticate to the wireless network.>'
+        authenticate to the wireless network.
+        */'
 
 - control_key: AC-19
   standard_key: NIST-800-53
@@ -746,17 +856,21 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<Given the data center focus for OpenShift deployments, it is likely
+        '//*
+        Given the data center focus for OpenShift deployments, it is likely
         this requirement is not applicable. A successful control response will
         document how, if wireless connectivity is permitted, end-user
         devices are organizationally managed (configurations, connections,
-        and applications).>'
+        and applications).
+        */'
     - key: 'b'
       text: |
-        '<Given the data center focus for OpenShift deployments, it is likely
+        '//*
+        Given the data center focus for OpenShift deployments, it is likely
         this requirement is not applicable. A successful control response will
         document how, if wireless connectivity is permitted, mobile devices
-        are authorized to connect to organizational networks (e.g. MDM).>'
+        are authorized to connect to organizational networks (e.g. MDM).
+        */'
 
 - control_key: AC-19 (5)
   standard_key: NIST-800-53
@@ -764,9 +878,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<A successful control response will document how either full-device
+        '//*
+        A successful control response will document how either full-device
         encryption on mobile devices is being used. This is only applicable
-        if mobile is within scope of your security package.>'
+        if mobile is within scope of your security package.
+        */'
 
 - control_key: AC-20
   standard_key: NIST-800-53
@@ -775,19 +891,23 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for establishing terms and conditions
+        '//*
+        The customer will be responsible for establishing terms and conditions
         allowing authorized individuals to access the customer application
         from external information sysetms. A successful control response will
         need to outline the terms and conditions and the external information
-        systems to which those terms and conditions apply.>'
+        systems to which those terms and conditions apply.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for establishing terms and conditions
+        '//*
+        The customer will be responsible for establishing terms and conditions
         allowing authorized individuals to process, store, or transmit
         customer-controlled information using external information systems. A
         successful control response will need to outline the terms and
         conditions and the external information systems to which those terms
-        and conditions apply.>'
+        and conditions apply.
+        */'
 
 - control_key: AC-20 (1)
   standard_key: NIST-800-53
@@ -796,17 +916,21 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for verifying the implementation of
+        '//*
+        The customer will be responsible for verifying the implementation of
         required security controls on external information systems used to
         access the customer application. A successful control response will
         need to address how this verification occurs (e.g. through an
-        independent assessment).>'
+        independent assessment).
+        */'
     - key: 'b'
       text: |
-        '<If part (a) is not possible, then the customer will be responsible
+        '//*
+        If part (a) is not possible, then the customer will be responsible
         for establishing and retaining approved information system connection
         or processing agreements with the external entity hosting the external
-        information system used to access the customer application.>'
+        information system used to access the customer application.
+        */'
 
 - control_key: AC-20 (2)
   standard_key: NIST-800-53
@@ -814,11 +938,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for restricting or prohibiting the
+        '//*
+        The customer will be responsible for restricting or prohibiting the
         use of customer-controlled portable storage devices on external
         information systems. If such use is not prohibited, a successful
         control repsonse will need to address specific restrictions on how
-        or under what conditions such use may occur.>'
+        or under what conditions such use may occur.
+        */'
 
 - control_key: AC-21
   standard_key: NIST-800-53
@@ -827,16 +953,20 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for determining when authorized users
+        '//*
+        The customer will be responsible for determining when authorized users
         are required to use discretion as to whether to share information. A
         successful control response will need to address the circumstances
         where user direction (rather than automatic access enforcement) is
-        required.>'
+        required.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for defining and employing automated
+        '//*
+        The customer will be responsible for defining and employing automated
         mechanisms or manual processes to assist users in making information
-        sharing decisions.>'
+        sharing decisions.
+        */'
 
 - control_key: AC-22
   standard_key: NIST-800-53
@@ -845,27 +975,35 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for designating individuals
+        '//*
+        The customer will be responsible for designating individuals
         authorized to post information publicly. A successful control response
         will need to address the specific business requirements or job functions
-        that justify such access.>'
+        that justify such access.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for trianing designated authorized
+        '//*
+        The customer will be responsible for trianing designated authorized
         individuals to prevent disclosure of nonpublic information. A
         successful control response will need to outline the training
-        provided.>'
+        provided.
+        */'
     - key: 'c'
       text: |
-        '<The customer will be responsible for reviewing information prior to
+        '//*
+        The customer will be responsible for reviewing information prior to
         public posting to ensure that nonpublic information is not included. A
         successful control response will need to address the roles or personnel
-        responsible for this review and the process for signoff.>'
+        responsible for this review and the process for signoff.
+        */'
     - key: 'd'
       text: |
-        '<The customer will be responsible for reviewing publicly available
+        '//*
+        The customer will be responsible for reviewing publicly available
         information at the reqired frequency and removing nonpublic information
         when discovered. A successful control response will need to address the
         roles or personnel responsible for the review, the process used to
         review publicly available information, and the process for removal of
-        nonpublic information.>'
+        nonpublic information.
+        */'

From e9516708be6fb32ab8dfa7f64a4fabc9d8f01623 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 01:49:42 -0400
Subject: [PATCH 5/7] updating string wrapping

---
 .../AT-Awareness_and_Training/component.yaml  |  73 ++--
 .../component.yaml                            | 228 +++++++----
 .../component.yaml                            | 210 ++++++----
 .../component.yaml                            | 309 ++++++++++-----
 .../CP-Contingency_Planning/component.yaml    | 267 ++++++++-----
 .../component.yaml                            | 337 ++++++++++------
 .../IR-Incident_Response/component.yaml       | 219 +++++++----
 .../policies/MA-Maintenance/component.yaml    | 149 ++++---
 .../MP-Media_Protection/component.yaml        |  21 +-
 .../component.yaml                            |  17 +-
 .../policies/PL-Planning/component.yaml       |  99 +++--
 .../PS-Personnel_Security/component.yaml      | 171 ++++++---
 .../RA-Risk_Assessment/component.yaml         | 137 ++++---
 .../component.yaml                            | 301 ++++++++++-----
 .../component.yaml                            | 225 +++++++----
 .../component.yaml                            | 362 +++++++++++-------
 16 files changed, 2052 insertions(+), 1073 deletions(-)

diff --git a/OpenShift-v3/policies/AT-Awareness_and_Training/component.yaml b/OpenShift-v3/policies/AT-Awareness_and_Training/component.yaml
index 7576a56..d868a91 100644
--- a/OpenShift-v3/policies/AT-Awareness_and_Training/component.yaml
+++ b/OpenShift-v3/policies/AT-Awareness_and_Training/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Awareness and Training
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Security Awareness and Training policy and procedures.
         A successful control response will need to address the content of the
-        policy (which must include purpose, scope, roles, responsibilities, 
+        policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and
-        associated controls).>'
+        associated controls).
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Security Awareness and Training policy every 3 years, and procedures
         annually. A successful control response will need to address the
         review and update process, including the role(s) responsible for
         initiating the review process, updating the policy and procedures,
-        and providing approval of the updates.>'
+        and providing approval of the updates.
+        */'
 
 - control_key: AT-2
   standard_key: NIST-800-53
@@ -33,24 +38,30 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for providing basic security
+        '//*
+        The customer will be responsible for providing basic security
         awareness training as part of initial training. A successful control
         response will outline the content of the training and will discuss the
-        process for ensuring that all users undergo the required training.>'
+        process for ensuring that all users undergo the required training.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for providing updated basic security
+        '//*
+        The customer will be responsible for providing updated basic security
         awareness training as required by information system changes. A
         succesful control response will discuss the process for determining
         what information system changes require updated training, how the
         training content is updated, and how users are notified of the need for
-        re-training.>'
+        re-training.
+        */'
     - key: 'c'
       text: |
-        '<The customer will be responsible for refreshing the basic security
-        awareness training annually. A successful control response will 
+        '//*
+        The customer will be responsible for refreshing the basic security
+        awareness training annually. A successful control response will
         discuss the process for ensuring that all users undergo the required
-        re-trianing.>'
+        re-trianing.
+        */'
 
 - control_key: AT-2 (2)
   standard_key: NIST-800-53
@@ -58,11 +69,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for including information about
+        '//*
+        The customer will be responsible for including information about
         indicators of insider threat in security awareness training materials.
         A successful control response will summarize potential indicators of
         insider threat and outline the process for reporting them to appropriate
-        organizational officials.>'
+        organizational officials.
+        */'
 
 - control_key: AT-3
   standard_key: NIST-800-53
@@ -71,25 +84,31 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for providing role-based security
+        '//*
+        The customer will be responsible for providing role-based security
         training prior to users commencing work on their system. A successful
         control response will outline the content of the training (including
         how the content varies by assigned role) and will discuss the process
         for ensuring that all users undergo the required training for their
-        roles.>'
+        roles.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for providing updated role-based
+        '//*
+        The customer will be responsible for providing updated role-based
         security training as required by information system changes. A
         successful control response will discuss the process for determining
         what information system changes require updated training, how the
         training content is updated, and hw users are notified of the need
-        for re-training.>'
+        for re-training.
+        */'
     - key: 'c'
       text: |
-        '<The custmoer will be responsible for refreshing role-based security
+        '//*
+        The custmoer will be responsible for refreshing role-based security
         training annually. A successful control response will discuss the
-        process for ensuring that all users undergo the required re-training.>'
+        process for ensuring that all users undergo the required re-training.
+        */'
 
 - control_key: AT-4
   standard_key: NIST-800-53
@@ -98,13 +117,17 @@ satisfies:
   narrative:
     - key: 'a'
       text: |
-        '<The customer will be responsible for tracking successful completion
+        '//*
+        The customer will be responsible for tracking successful completion
         of basic security awareness training and role-based training
         security training activities. A successful control response will discuss
-        the process or system used to monitor and document completion of 
-        training for each user.>'
+        the process or system used to monitor and document completion of
+        training for each user.
+        */'
     - key: 'b'
       text: |
-        '<The customer will be responsible for retaining training records for
+        '//*
+        The customer will be responsible for retaining training records for
         the required timeframe. A successful control response will outline the
-        methods by which required retention is achieved.>'
+        methods by which required retention is achieved.
+        */'
diff --git a/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml b/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
index 80c6285..8774093 100644
--- a/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
+++ b/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Audit and Accountability
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Audit and Accountability policy and procedures. A
         successful control repsonse will need to address the content of the
         policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and
-        associated controls).>'
+        associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Audit and Accountability policy every 3 years, and procedures annually.
         A successful control response will need to address the review and update
         process, including the role(s) responsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: AU-2
   standard_key: NIST-800-53
@@ -33,7 +38,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for determining which events their
+        '//*
+        The customer will be responsible for determining which events their
         software applications must be capable of auditing. A successful control
         response will need to address the FedRAMP-required auditable events
         listed above as well as any additional events the customer feels should
@@ -41,24 +47,30 @@ satisfies:
 
         <OpenShift, when deployed on Red Hat Enterprise Linux, utilizes the
         underlying audit subsystem. When the audit subsystem is enabled, the
-        metadata required by this control is generated.>'
+        metadata required by this control is generated.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for implementing this control. A
+        '//*
+        The customer will be responsible for implementing this control. A
         successful control response will need to address coordination with all
         interested parties (such as an internal SOC or security team) and
         incorporation of their input into business requirements in order to
-        determine the selection of auditable events.>'
+        determine the selection of auditable events.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for implimenting this control. A
+        '//*
+        The customer will be responsible for implimenting this control. A
         successful control response will include a discussion of the decision
         process behind the selection of auditable events and a justification for
         the selected events being sufficient to support after-the-fact
-        investigation.>'
+        investigation.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for selecting a subsec of the events
+        '//*
+        The customer will be responsible for selecting a subsec of the events
         listed in Part A to be audited by the system. For FedRAMP compliance,
         these events must be monitored continuously. A successful control
         response will include a discussion of the rationale for the events
@@ -67,7 +79,9 @@ satisfies:
         <Details on configuring the OpenShift audit subsystem can be found
         here:
 
-        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-configuring_the_audit_service.html >'
+        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
+        html/Security_Guide/sec-configuring_the_audit_service.html 
+        */'
 
 - control_key: AU-2 (3)
   standard_key: NIST-800-53
@@ -75,10 +89,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for reviewing and updating the audited
+        '//*
+        Customers are responsible for reviewing and updating the audited
         events annually or whenever there is a change in the threat environment.
         A successful control response will outline how often events are
-        reviewed.>'
+        reviewed.
+        */'
 
 - control_key: AU-3
   standard_key: NIST-800-53
@@ -86,12 +102,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsiblef or generating audit records that contain
+        '//*
+        Customers are responsiblef or generating audit records that contain
         information that establishes what type of event occured, when the event
         occurred, where the event occured, the source of the event, the
         outcome of the event, and the identity of any individuals or subjects
         associated with the event. A successful control response will outline
-        what customers require their audit records to contain.>'
+        what customers require their audit records to contain.
+        */'
 
 - control_key: AU-3 (1)
   standard_key: NIST-800-53
@@ -99,10 +117,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible ensuring that the information generates
+        '//*
+        Customers are responsible ensuring that the information generates
         audit records containing all of the information required to meet
         FedRAMP requirements. A successful control response will outline the
-        systems audit generation, and the content that it includes.>'
+        systems audit generation, and the content that it includes.
+        */'
 
 - control_key: AU-4
   standard_key: NIST-800-53
@@ -110,10 +130,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for allocating audit record storage capacity
+        '//*
+        Customers are responsible for allocating audit record storage capacity
         in accordance with the organizations requirements. A successful control
         response will explain the procedures in place to ensure that audit
-        storage is allocated according to meet customer requirements.>'
+        storage is allocated according to meet customer requirements.
+        */'
 
 - control_key: AU-5
   standard_key: NIST-800-53
@@ -122,16 +144,20 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for alerting personnel or roles in the
+        '//*
+        Customers are responsible for alerting personnel or roles in the
         event of an audit processing failure. A successful control response
         will outline the process taken to alert personnel when an auditing
-        failure occures.>'
+        failure occures.
+        */'
     - key: b
       text: |
-        '<In the event of an audit processing failure, customers are responsible
+        '//*
+        In the event of an audit processing failure, customers are responsible
         for: overwriting the oldest audit records for low impact systems and
         shutting down moderate impact systems. A successful control response
-        will outline the actions taken when an auditing failure occurs.>'
+        will outline the actions taken when an auditing failure occurs.
+        */'
 
 - control_key: AU-6
   standard_key: NIST-800-53
@@ -140,29 +166,35 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for review and analysis of the information
+        '//*
+        Customers are responsible for review and analysis of the information
         system audit records at least weekly for indications of inappropriate
         or unusual activity. A successful control response will outline how
         often audit records are reviewed, and types of activities they are
-        reviewed for.>'
+        reviewed for.
+        */'
     - key: b
       text: |
-        '<Customers are responsible for ensuring that audit review findings are
+        '//*
+        Customers are responsible for ensuring that audit review findings are
         reported to the appropriate personnel. A successful control response
-        will outline how the audit review findings are reported.>'
+        will outline how the audit review findings are reported.
+        */'
 
 - control_key: AU-6 (1)
   standard_key: NIST-800-53
   covered_by: []
   implimentation_status: none
   narrative:
-     - text: |
-        '<Customers are responsible for employing automated mechanisms to
+    - text: |
+        '//*
+        Customers are responsible for employing automated mechanisms to
         integrate audit, review, analysis, and reporting process to support
         organizational processes for investigation and response to suspicious
         activities. A successful control response will review the automated
         tools used for integrating review, analysis, and reporting, and how
-        these tools are employed.>'
+        these tools are employed.
+        */'
 
 - control_key: AU-6 (3)
   standard_key: NIST-800-53
@@ -170,11 +202,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for analyzing and correlating audit records
+        '//*
+        Customers are responsible for analyzing and correlating audit records
         accross different repositories to gain organiational-wide situational
         awareness. A successful control response will discuss how the customer
         correlates and analyzes audit records from different sources. This can
-        include processes and tools used to meet these goals.>'
+        include processes and tools used to meet these goals.
+        */'
 
 - control_key: AU-7
   standard_key: NIST-800-53
@@ -183,11 +217,12 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for ensuring that the information system 
-        provides an audit reduction and report generation capability that 
+        '//*
+        Customers are responsible for ensuring that the information system
+        provides an audit reduction and report generation capability that
         supports on demand audit review, analysis, and reporting requirements
         and after-the-fact investigations of security incidents. A successful
-        control response will discuss how the information system provides 
+        control response will discuss how the information system provides
         audit reduction and report generation that supports these requirements.
         This can include a discussion of tools used to provide this capability,
         and how they are used.>
@@ -204,22 +239,28 @@ satisfies:
         For aggregate log sizing information, refer to the Aggregate Logging
         Sizing Guidelines of the Installation and Configuration guide:
 
-        https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging_sizing.html 
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        aggregate_logging_sizing.html
 
         For instructions on how to configure aggregate logging, refer to the
-        Aggregating Container Logs section of the Installation and 
+        Aggregating Container Logs section of the Installation and
         Configuration guide:
 
-        https://docs.openshift.com/container-platform/3.3/install_config/aggregate_logging.html >'
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        aggregate_logging.html 
+        */'
+
     - key: b
       text: |
-        '<Openshift relies upon the underlying Audit Subsystem of Red Hat 
+        '//*
+        Openshift relies upon the underlying Audit Subsystem of Red Hat
         Enterprise Linux. This subsystem has underone Common Criteria testing,
         which verifie slog integrity during remote transmittal. Certification
         documents can be found publicly at:
 
-        https://www.redhat.com/en/technologies/industries/government/standards 
-        >'
+        https://www.redhat.com/en/technologies/industries/government/standards
+        
+        */'
 
 - control_key: AU-7 (1)
   standard_key: NIST-800-53
@@ -227,11 +268,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for ensuring that the information system
+        '//*
+        Customers are responsible for ensuring that the information system
         provides the capability to process audit records for events of interest
         based on defined fields within audit records. A successful control
         response will discuss how audit records can be queried based on these
-        fields.>'
+        fields.
+        */'
 
 - control_key: AU-8
   standard_key: NIST-800-53
@@ -240,17 +283,20 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The Linux audit subsystem, upon which OpenShift logs are generated,
-        uses the system clock by default. This is non-configurable behavior.>'
+        '//*
+        The Linux audit subsystem, upon which OpenShift logs are generated,
+        uses the system clock by default. This is non-configurable behavior.
+        */'
     - key: b
       text: |
-        '<The system time is always kept in Coordinated Universal Time (UTC) and
+        '//*
+        The system time is always kept in Coordinated Universal Time (UTC) and
         converted in applications to local time as needed. Local time is the
         actual time on your current time zone, taking into account daylight
         savings time. The real-time clock can use either UTC or local time.
         UTC is recommended.
 
-        By default, OpenShift hosts are configured to use UTC. To manually 
+        By default, OpenShift hosts are configured to use UTC. To manually
         verify this, the dimedatectl command may be used:
 
         $ timedatectl set-local-rtc no
@@ -258,7 +304,10 @@ satisfies:
         Refer to the RHEL7 Administrators Guide for additional information on
         configuring time on OpenShift nodes:
 
-        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/chap-Configuring_the_Date_and_Time.html#sect-Configuring_the_Date_and_Time-timedatectl-Time_Zone >'
+        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
+        7/html/System_Administrators_Guide/chap-Configuring_the_Date_and_Time.
+        html#sect-Configuring_the_Date_and_Time-timedatectl-Time_Zone 
+        */'
 
 - control_key: AU-8 (1)
   standard_key: NIST-800-53
@@ -267,15 +316,18 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for comparing the internal information
+        '//*
+        Customers are responsible for comparing the internal information
         system clocks at least hourly with an authoritative time source. A
         successful control response will discuss the time source that system
-        clocks are synced with.>'
+        clocks are synced with.
+        */'
     - key: b
       text: |
-        '<Customers are responsible for synchonizing internal system clocks to
+        '//*
+        Customers are responsible for synchonizing internal system clocks to
         the authoritative time source when the time difference is greater than
-        the organization has defined. A successful control response will 
+        the organization has defined. A successful control response will
         discuss how system clocks are synced.>
 
         <OpenShift utilizes the time services of the underyling operating
@@ -285,24 +337,30 @@ satisfies:
 
         server <<time source>> iburst
 
-        For detailed NTP configuration, reference the Red Hat Enterprise Linu
+        For detailed NTP configuration, reference the Red Hat Enterprise Linux
         7 System Administrators guide:
 
-        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-Configure_NTP.html >'
+        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
+        7/html/System_Administrators_Guide/s1-Configure_NTP.html 
+        */'
+
     - key: 'Req.1'
       text: |
-        '<Customers are responsible for selecting primary and secondary time
+        '//*
+        Customers are responsible for selecting primary and secondary time
         servers used by the NIST internet time services and ensuring that the
         secondary server is selected from a different region than the primary.
         A successful control response will discuss which internet time services
-        are used by the system.>'
+        are used by the system.
+        */'
     - key: 'Req. 2'
       text: |
         'Customers are responsible for syncronizing the system clocks of
-        network computers that run operating systems other than Windows to the 
+        network computers that run operating systems other than Windows to the
         Windows Domain Controler emulator, or the same time source for that
         server. A successful conttrol response will discuss which Internet time
-        services are for non-Windows systems.>'
+        services are for non-Windows systems.
+        */'
 
 - control_key: AU-9
   standard_key: NIST-800-53
@@ -310,11 +368,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are required to protect the audit information and audit 
+        '//*
+        Customers are required to protect the audit information and audit
         tools from unauthorized access, modification, and deletion. A successful
-        control response will discuss the way that audit information and tools 
-        are protected. This can include how access is controlled to audit 
-        information and tools.>'
+        control response will discuss the way that audit information and tools
+        are protected. This can include how access is controlled to audit
+        information and tools.
+        */'
 
 - control_key: AU-9 (2)
   standard_key: NIST-800-53
@@ -322,11 +382,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are required to back up audit records at least weekly to a
+        '//*
+        Customers are required to back up audit records at least weekly to a
         physically different system or component than the system being audited.
         A successful control response will discuss the way that audit records
         are backed up to a system other than the one being audited. This can
-        include a centralized repository for all audit records.>'
+        include a centralized repository for all audit records.
+        */'
 
 - control_key: AU-9 (4)
   standard_key: NIST-800-53
@@ -334,11 +396,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are required to authorize access to management of audit
+        '//*
+        Customers are required to authorize access to management of audit
         functionality to only a subset of privileged users. A successful control
         response will discuss how access to audit functionality is restricted
         to only appropriate personnel. This can include a description of who
-        this functionality is restricted to, and how this is controlled.>'
+        this functionality is restricted to, and how this is controlled.
+        */'
 
 - control_key: AU-11
   standard_key: NIST-800-53
@@ -346,15 +410,17 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are required to retain audit records for at least ninety 
+        '//*
+        Customers are required to retain audit records for at least ninety
         days to provide support for after the fact investigations of security
         incidents and to meet regulatory and organizational information
-        retention requirements. A successful control response will discuss how 
+        retention requirements. A successful control response will discuss how
         long audit records are retained.>
 
         <Audit log retention may be configured in the underlying Red Hat
-        Enterprise Linux audit daemon. If using a central or 3rd party 
-        logging solution, this may likely need to be configured in that tool.>'
+        Enterprise Linux audit daemon. If using a central or 3rd party
+        logging solution, this may likely need to be configured in that tool.
+        */'
 
 - control_key: AU-12
   standard_key: NIST-800-53
@@ -363,26 +429,32 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are required to provide record generation capability for the
+        '//*
+        Customers are required to provide record generation capability for the
         events defined in AU-2a at all information system components where audit
         capability is available. A successful control response will discuss the
         coniguration of all system components to capture the events that were
-        defined in AU-2.>'
+        defined in AU-2.
+        */'
     - key: b
       text: |
-        '<Customers are required to allow defined personnel or roles to select
+        '//*
+        Customers are required to allow defined personnel or roles to select
         which auditable events are to be audited by specific components of the
         information system. A successful control response will discuss how
-        audit generation is implemented, and who selects and configures 
+        audit generation is implemented, and who selects and configures
         auditable events on the information system>
 
         <Audit rules may be added/removed through modifying the
         /etc/audit/audit.rules or applicable file under /etc/audit/rules.d/. It
         is recommended that OpenShift specific audit rules be added to
-        /etc/audit/rules.d/openshift.rules >'
+        /etc/audit/rules.d/openshift.rules 
+        */'
     - key: c
       text: |
-        '<Customers are required to generate audit records for the events
+        '//*
+        Customers are required to generate audit records for the events
         defined in AU-2d with the content defined in AU-3. A successful control
         response will discuss how audit records are generated, and how they meet
-        the requirements defined in AU-2 and AU-3.>'
+        the requirements defined in AU-2 and AU-3.
+        */'
diff --git a/OpenShift-v3/policies/CA-Security_Assessment_and_Authorization/component.yaml b/OpenShift-v3/policies/CA-Security_Assessment_and_Authorization/component.yaml
index 065f7da..223e71b 100644
--- a/OpenShift-v3/policies/CA-Security_Assessment_and_Authorization/component.yaml
+++ b/OpenShift-v3/policies/CA-Security_Assessment_and_Authorization/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Security Assessment and Authorization
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Security Assessment and Authorization policy and
         procedures. A successful control response will need to address the
         content of the policy (which must include purpose, scope, roles,
         responsibilities, management commitment, coordination, and compliance)
         and procedures (which must facilitate the implementation of the policies
-        and associated controls).>'
+        and associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the 
+        '//*
+        The customer will be responsible for reviewing and updating the
         Security Assessment and Authorization policy every 3 years, and
         procedures annually. A successful control response will need to address
         the review and update process, including the role(s) responsible for
         initiating the review process, updating the policy and procedures, and
-        providing approval of the updates.>'
+        providing approval of the updates.
+        */'
 
 - control_key: CA-2
   standard_key: NIST-800-53
@@ -33,33 +38,41 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing a Security Assessment
+        '//*
+        The customer will be responsible for developing a Security Assessment
         Plan. A successful control response will need to address the involement
         of a FedRAMP-accredited 3PAO (see CA-2(1)), the scope of the
         assessment, and any specific requirements the customer has for the
-        3PAO.>'
+        3PAO.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for assessing the security controls
+        '//*
+        The customer will be responsible for assessing the security controls
         on the customer system at the required frequency. A successful control
         response will need to address the methodology used to determine the
-        security and compliance posture of the system.>'
+        security and compliance posture of the system.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for producing a Security Assessment
+        '//*
+        The customer will be responsible for producing a Security Assessment
         Report as a result of the assessment. A successful control response
         will need to address the involvement of the 3PAE as well as any
         specific requirements for the report (e.g., it should include controls
         that are considered "other than satisfied," potential weaknesses in
         controls that meet minimum requirements, recommended remediation steps,
-        and risks associated with the system).>'
+        and risks associated with the system).
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for delivering the Security
+        '//*
+        The customer will be responsible for delivering the Security
         Assessment Report and any supplementary materials to required
         individuals, including the FedRAMP PMO. A successful control response
         will need to address the individuals or roles responsible for
-        managing the package for submission and engaging with the PMO.>'
+        managing the package for submission and engaging with the PMO.
+        */'
 
 - control_key: CA-2 (1)
   standard_key: NIST-800-53
@@ -67,10 +80,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing a FedRAMP-accredited
+        '//*
+        The customer will be responsible for employing a FedRAMP-accredited
         3PAO to conduct security control assessments. In addition to performing
         the assessment, this 3PAO will assist in the development of the Security
-        Assessment Plan and Security Assessment Report (see CA-2).>'
+        Assessment Plan and Security Assessment Report (see CA-2).
+        */'
 
 - control_key: CA-2 (2)
   standard_key: NIST-800-53
@@ -78,13 +93,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that, at a minimum,
+        '//*
+        The customer will be responsible for ensuring that, at a minimum,
         vulnerability scanning is performed annually as part of the
         assessment process. A successful control response will need to address
         the minimum requirement, as well as discussing any additional testing
         performed during assessments, such as malicious user testing, insider
         threat assessment, performance/load testing, or other tests the customer
-        chooses to perform.>'
+        chooses to perform.
+        */'
 
 - control_key: CA-2 (3)
   standard_key: NIST-800-53
@@ -92,11 +109,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for working with a 3PAO to assess
+        '//*
+        The customer will be responsible for working with a 3PAO to assess
         the system using the methodology prescribed by FedRAMP. A successful
         control response will need to address how the assessment will be carried
         out and how the results will be documented and submitted to FedRAMP
-        for approval.>'
+        for approval.
+        */'
 
 - control_key: CA-3
   standard_key: NIST-800-53
@@ -105,28 +124,34 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for authorizing connections to
+        '//*
+        The customer will be responsible for authorizing connections to
         external information systems. A successful control response will
         need to address the individuals or roles responsible for engaging with
         authorized points of contact for such external systems and the process
         for documenting and signing the conditions of the connections in
-        Interconnection System Agreements.>'
+        Interconnection System Agreements.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting the details of each
+        '//*
+        The customer will be responsible for documenting the details of each
         interconnection. A successful control response will need to address
         the process for verifying the interface characteristics, security
         requirements, and the nature of the information communicated; a summary
         of this information will need to be included as part of the table
-        above.>'
+        above.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Interconnection Security Agreements at the required frequency. A
         successful control response will need to discuss the initiation of the
         review process, as well as the roles or individuals responsible for
         reviewing, verifying, updating, and approving any changes to the
-        documentation.>'
+        documentation.
+        */'
 
 - control_key: CA-3 (3)
   standard_key: NIST-800-53
@@ -134,11 +159,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for requiring unclassified,
+        '//*
+        The customer will be responsible for requiring unclassified,
         non-national security systems to connec tto customer applications
         through a TIC. A successful control response will need to address
         whether this requirement is enforced using technical means or via
-        policy considerations.>'
+        policy considerations.
+        */'
 
 - control_key: CA-3 (5)
   standard_key: NIST-800-53
@@ -146,13 +173,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for determining whether connections
+        '//*
+        The customer will be responsible for determining whether connections
         to external information systems will be governed by an
         allow-all/deny-by-exception policy or by a deny-all/allow-by-exception
         policy. A successful control response will need to address the rationale
         for the selection. In addition, the policy choice and its rationale will
         need to be included in the Architecture Briefing and in the introductory
-        sections of this Security Plan.>'
+        sections of this Security Plan.
+        */'
 
 - control_key: CA-5
   standard_key: NIST-800-53
@@ -161,20 +190,24 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing a plan of action and
+        '//*
+        The customer will be responsible for developing a plan of action and
         milestones (POA&M) for the remediation of any weaknesses of deficiences
         discovered during the security assessment. Additionally, any
         vulnerabilities found as a result of regularly vulnerability scanning
         (see RA-5) must be included in the POA&M reporting. A successful control
         response will need to discuss the roles or individuals responsible for
-        creating and tracking POA&M items.>'
+        creating and tracking POA&M items.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for updating the POA&M items at a
+        '//*
+        The customer will be responsible for updating the POA&M items at a
         required frequency. A successful control response will need to address
         the roles or individuals responsible for updating the POA&M items,
         as well as the process by which POA&M items will be updated and
-        remediated.>'
+        remediated.
+        */'
 
 - control_key: CA-6
   standard_key: NIST-800-53
@@ -183,24 +216,30 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for working with FedRAMP to designate
+        '//*
+        The customer will be responsible for working with FedRAMP to designate
         an authorizing official. A successful control response will need to
-        address how an appropriate authorizing official is selected.>'
-    - key: b 
+        address how an appropriate authorizing official is selected.
+        */'
+    - key: b
       text: |
-        '<The customer will be responsible for recieving official authorizaiton
+        '//*
+        The customer will be responsible for recieving official authorizaiton
         from the authorizing official prior to commencing operations for
         federal customers. A successful control response will need to address
         the inputs provided to the authorizing official so that an accreditation
-        decision can be made.>'
+        decision can be made.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for updating the accreditation
+        '//*
+        The customer will be responsible for updating the accreditation
         package at the required frequency. A successful control response will
         need to address the components of the package that will be updated, the
         process for re-assessing the system in alignment with the updated
         package, and the personnel or roles responsible for managing the update
-        process and engaging with FedRAMP for renewal of authorization.>'
+        process and engaging with FedRAMP for renewal of authorization.
+        */'
 
 - control_key: CA-7
   standard_key: NIST-800-53
@@ -209,69 +248,89 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing a continuous
+        '//*
+        The customer will be responsible for developing a continuous
         monitoring strategy that meets the requirements. For metrics to be
         monitored, a successful control response will need to include a
         discussion of what information the customer considers important to
         monitor, as well as a rationale for that information being sufficient
-        to demonstrate the ongoing security of the system.>'
+        to demonstrate the ongoing security of the system.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for developing a continuous
+        '//*
+        The customer will be responsible for developing a continuous
         monitoring strategy that meets the requirements. For frequency of
         monitoring, a successful control response will need to address the
         rationale for the selected frequency. This frequency should be
-        compatible with the frequency of POA&M reporting specified in CA-5.>'
+        compatible with the frequency of POA&M reporting specified in CA-5.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for including ongoing security
+        '//*
+        The customer will be responsible for including ongoing security
         control assessments as part of the continuous monitoring program. This
         may include assessment of controls specifically found to be other than
         satisfied as part of the 3PAO assessments discussed in CA-2, as well as
         internal assessment of satisfied controls to verify continued
         effectiveness of implementation. A successful control response will
         need to address the roles or individuals responsible for testing, as
-        well as the methodology used for testing.>'
+        well as the methodology used for testing.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for monitoring the metrics defined
+        '//*
+        The customer will be responsible for monitoring the metrics defined
         in part (a) as part of continuous monitoring. A successful control
         response will need to discuss how metrics are gathered and reported,
         as well as the conditions under which monitoring will lead to changes
-        or additions to related reporting, such as POA&M reporting.>'
+        or additions to related reporting, such as POA&M reporting.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for correlating and analyzing
+        '//*
+        The customer will be responsible for correlating and analyzing
         security-related information gathered from multiple sources, including
         periodic assessments and continuous monitoring. A successful control
-        response will need to address tools or processes used to perform        
-        correlation and analysis.>'
+        response will need to address tools or processes used to perform
+        correlation and analysis.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for responding appropriately
+        '//*
+        The customer will be responsible for responding appropriately
         to the results of the analysis in part (e). A successful control
         response will need to discuss under what conditions each response action
         should be taken (for example, if a new vulnerability is found in the
-        system, a POA&M item should be opened).>'
+        system, a POA&M item should be opened).
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for reporting the security status of
+        '//*
+        The customer will be responsible for reporting the security status of
         the system in accordance with FedRAMP requirements at a regular
         frequency. This frequency should be compatible with the frequency of
-        POA&M reporting specified in CA-5.>'
+        POA&M reporting specified in CA-5.
+        */'
     - key: 'Req. 1'
       text: |
-        '<The customer will be responsible for performing vulnerability scans
-        of operating systems at least monthly. See also RA-5.>'
+        '//*
+        The customer will be responsible for performing vulnerability scans
+        of operating systems at least monthly. See also RA-5.
+        */'
     - key: 'Req. 2'
       text: |
-        '<The customer will be responsible for performing vulnerability scans
-        of databases and web applications at least monthly. See also RA-5.>'
+        '//*
+        The customer will be responsible for performing vulnerability scans
+        of databases and web applications at least monthly. See also RA-5.
+        */'
     - key: 'Req. 3'
       text: |
-        '<The customer will be responsible for ensuring that an independent
+        '//*
+        The customer will be responsible for ensuring that an independent
         assessor performs vulnerability scans at least annually. See also
-        CA-2(2).>'
+        CA-2(2).
+        */'
 
 - control_key: CA-7 (1)
   standard_key: NIST-800-53
@@ -279,14 +338,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for monitoring security controls on
+        '//*
+        The customer will be responsible for monitoring security controls on
         an ongoing basis with the assistance of an assessment team with a
         control-defined level of independance. Note that this may be the 3PAO
         used for recurring assessments, it may be a different independent
         assessor, or it may be a team of personnel employed by the customer. A
         successful control response will need to address the nature of this team
         and the methods by which they access security controls within the
-        system.>'
+        system.
+        */'
 
 - control_key: CA-8
   standard_key: NIST-800-53
@@ -294,12 +355,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for conducting penetration testing
+        '//*
+        The customer will be responsible for conducting penetration testing
         at the required frequency. A successful control response will need to
         address the systems or components tested and outline the rules of
         engagement for testing (e.g. operational personnel are/are not notified
         in advance of testing, certain components of the system are off-limits
-        for this test, etc.).>'
+        for this test, etc.).
+        */'
 
 - control_key: CA-8 (1)
   standard_key: NIST-800-53
@@ -307,9 +370,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing an independent agent
+        '//*
+        The customer will be responsible for employing an independent agent
         or team to perform penetration testing. A successful control response
-        will need to address how independence is ensured.>'
+        will need to address how independence is ensured.
+        */'
 
 - control_key: CA-9
   standard_key: NIST-800-53
@@ -318,17 +383,20 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for authorizing connections within
+        '//*
+        The customer will be responsible for authorizing connections within
         the system, such as between two types of virtual machines within the
         customer environment. A successful control response will need to address
         the individual or roles with the authorizing responsibility, as well
         as how a determination is made to allow a connection between
-        components or classes of components.>'
+        components or classes of components.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting the required
+        '//*
+        The customer will be responsible for documenting the required
         information for each internal connection. This may be documented in
         e.g. data flow diagrams or architectural diagrams. A successful control
         response will need to address the process by which this documentation
-        is created.>'
-        
+        is created.
+        */'
diff --git a/OpenShift-v3/policies/CM-Configuration_Management/component.yaml b/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
index c276d86..b6b7854 100644
--- a/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
+++ b/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Configuration Management
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Configuration Management policy and procedures. A
         successful control response will need to address the content of the
         policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and
-        associated controls).>'
+        associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Configuration Management policy every 3 years, and procedures annually.
         A successful control response will need to address the review and
         update process, including the role(s) responsible for initiating the
         review process, updaitng the policy and procedures, and providing
-        approval of the updates>'
+        approval of the updates
+        */'
 
 - control_key: CM-2
   standard_key: NIST-800-53
@@ -32,11 +37,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         maintaining configuration control, a current baseline configuration
         of the information system. A successful control response will need to
         address the way the baseline configurations are managed and
-        maintained.>'
+        maintained.
+        */'
 
 - control_key: CM-2 (1)
   standard_key: NIST-800-53
@@ -45,23 +52,29 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         baseline configuration of the information system at least annually.
         A successful control response will need to address how often the
-        baseline configuration is reviewed and updated.>'
+        baseline configuration is reviewed and updated.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         baseline configuration of the information system when required by the
         JAB. A successful control response will need to address updates to the
-        baseline configuration when required by the JAB.>'
+        baseline configuration when required by the JAB.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         baseline configuration of the information system as a part of
         information system component installations and upgrades. A
         successful control response will need to address updates to the baseline
-        configuration as a part of installations and upgrades.>'
+        configuration as a part of installations and upgrades.
+        */'
 
 - control_key: CM-2(2)
   standard_key: NIST-800-53
@@ -69,11 +82,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing automated mechanisms to
+        '//*
+        The customer will be responsible for employing automated mechanisms to
         maintain an up-to-date, completed, accurate, and readily available
         baseline configuration of the information system. A successful control
         response will need to address what automated mechanisms are in use to
-        help maintain the baseline configurations of the information system.>'
+        help maintain the baseline configurations of the information system.
+        */'
 
 - control_key: CM-2 (3)
   standard_key: NIST-800-53
@@ -81,11 +96,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The cusotmer will be responsible for retaining previous versions of
+        '//*
+        The cusotmer will be responsible for retaining previous versions of
         baseline configurations to support rollback. A successful control
         response will need to address how previous versions of baseline
         configurations will be retained in order to roll back to a previous
-        version.>'
+        version.
+        */'
 
 - control_key: CM-2 (7)
   standard_key: NIST-800-53
@@ -106,55 +123,69 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for determining the types of changes
+        '//*
+        The customer will be responsible for determining the types of changes
         to the information system that are configuration controlled. A
         successful control response will need to address how decisions are made
-        to determine configuration controlled changes.>'
+        to determine configuration controlled changes.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing proposed configuration
+        '//*
+        The customer will be responsible for reviewing proposed configuration
         controlled changes to the information system and approving or
         disapproving changes with explicit consideration for security impact
         analysis. A successful contorl response will need to address how
         decisions are made to approve configuration control changes, including
-        how the security impact of these changes is considered.>'
+        how the security impact of these changes is considered.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for documenting configuration change
+        '//*
+        The customer will be responsible for documenting configuration change
         decisions. A successful control response will need to address how
         configuration change decisions are documented. This can include, for
-        example, what tools are used and what information is documented.>'
+        example, what tools are used and what information is documented.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for implementing approved
+        '//*
+        The customer will be responsible for implementing approved
         configuration-controlled changes to the system. A successful control
         response will need to address how changes are implemented after being
         approved. This can include tools used to ensure that changes are
-        implemented after approval.>'
+        implemented after approval.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for retaining records of
+        '//*
+        The customer will be responsible for retaining records of
         configuration-controlled changes to the information system for a
         defined period. A successful control response will need to address long
         records of configuration-controlled changes are kept, and where these
-        records are maintained.>'
+        records are maintained.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for auditing and reviewing activities
+        '//*
+        The customer will be responsible for auditing and reviewing activities
         associated with configuration-controlled changes to the information
         system for a defined period. A successful control response will need
         to ensure configuration control change activities are audited and
         reviewed. This can include tools used to track these changes and when
-        these changes are reviewed.>'
+        these changes are reviewed.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for coordinating and providing
+        '//*
+        The customer will be responsible for coordinating and providing
         oversight for the configuration control activities through a central
         means of communicating major changes or developments that may affect
         services to the federal government. The means of communication must
         be approved and accepted by the JAB. A successful control response
         will outline how major changes or developments that affect government
-        services will be coordinated and overseen.>'
+        services will be coordinated and overseen.
+        */'
 
 - control_key: CM-4
   standard_key: NIST-800-53
@@ -162,11 +193,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for analyzing changes to the
+        '//*
+        The customer will be responsible for analyzing changes to the
         information system to determine potential security impacts prior to
         change implementation. A successful control response will explain the
         process used to analyze changes before their implementation. This can
-        include any analysis and testing done prior to implementation.>'
+        include any analysis and testing done prior to implementation.
+        */'
 
 - control_key: CM-5
   standard_key: NIST-800-53
@@ -174,13 +207,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for defining, documenting, approving
+        '//*
+        The customer will be responsible for defining, documenting, approving
         and enforcing physical and logical access restrictions associated with
         changes to the information system. A successful control response will
         include how logical access associated with change control is defined,
         documented, and enforced. This should include tools used to enforce
         these restrictions, such as Active Directory, and how these personnel
-        are approved for access.>'
+        are approved for access.
+        */'
 
 - control_key: CM-5 (1)
   standard_key: NIST-800-53
@@ -188,10 +223,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for enforcing access restrictions,
+        '//*
+        The customer will be responsible for enforcing access restrictions,
         and supporting auditing of the enforcement actions. A successful
         control response will explain how access restrictions are enforced, and
-        how this access is audited.>'
+        how this access is audited.
+        */'
 
 - control_key: CM-5 (3)
   standard_key: NIST-800-53
@@ -203,7 +240,7 @@ satisfies:
         packages of the operating system and OpenShift, the yum gpgcheck
         option must be enabled. This is accomplished by applying the following
         Red Hat CCEs:
-        
+
                 - CCE-26989-4: Ensure gpgcheck Enabled in Main Yum Configuration
                 - CCE-26957-1: Ensure Red Hat GPG Key Installed
                 - CCE-26876-3: Ensure gpgcheck Enabled for All Yum Package
@@ -219,19 +256,23 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for limiting privileges to change
+        '//*
+        The customer will be responsible for limiting privileges to change
         information system components and system related information within
         a production or operational environment. A successful control response
         will include how privileges to change the production/operation
         environment are limited. This can include defining who has access to
         these privileges, how they may be separated, and any gates they must
-        go through.>'
+        go through.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and reevaluating
+        '//*
+        The customer will be responsible for reviewing and reevaluating
         privileges at least quarterly. A successful control response will
         include how often reviews are performed for presonnel with privileges
-        to change the information system within the production environment.>'
+        to change the information system within the production environment.
+        */'
 
 - control_key: CM-6
   standard_key: NIST-800-53
@@ -240,36 +281,44 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing and documenting
+        '//*
+        The customer will be responsible for establishing and documenting
         configuration settings for information technology products employed
         within the information system using FedRAMP guidance that reflects
         the most restrictive mode consistent with operational requirements. A
         successful control response will include how the customer develops
         base configurations to ensure that they are as restrictive as possible
-        while still allowing the system to operate.>'
+        while still allowing the system to operate.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for implementing configuration
+        '//*
+        The customer will be responsible for implementing configuration
         settings. A successful control response will describe how mandatory
         configuration settings are implemented. This can include the process
-        or documentation followed.>'
+        or documentation followed.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for identifying, documenting, and
+        '//*
+        The customer will be responsible for identifying, documenting, and
         approving any deviations from established configuration settings for
         components based on operational requirements. A successful control
-        response will explain the process for identifying, documenting, and 
+        response will explain the process for identifying, documenting, and
         approving and deviations. This can include tools used to track any
         exceptions, and the process for identifying and approving these
-        deviations.>'
+        deviations.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for monitoring and controlling
+        '//*
+        The customer will be responsible for monitoring and controlling
         changes to the configuration settings in accordance with organization
         policies and procedures. A successful control response will describe
         how changes are controlled and monitored. This can include limitations
         to privileges, how these changes are audited, and any tools in place to
-        track and approve changes.>'
+        track and approve changes.
+        */'
 
 - control_key: CM-6 (1)
   standard_key: NIST-800-53
@@ -277,12 +326,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing automated mechanisms
+        '//*
+        The customer will be responsible for employing automated mechanisms
         to centrally manage, apply, and verify configuration settings for
-        information system components. A successful control response will 
+        information system components. A successful control response will
         describe any automated systems in place used to manage, apply, and
         verify configuration settings. An example of this is using Active
-        Directory Group Policy Objects to manage security settings.>'
+        Directory Group Policy Objects to manage security settings.
+        */'
 
 - control_key: CM-7
   standard_key: NIST-800-53
@@ -291,19 +342,23 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for configuring the information
+        '//*
+        The customer will be responsible for configuring the information
         system to only provide essential capabilities. A successful control
         response will describe the process used to ensure that information
         systems only provide essential capabilites. This can include such things
         as using USGCB guidance to help ensure that only essential functions
-        are provided.>'
+        are provided.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for prohibiting or restricting the
+        '//*
+        The customer will be responsible for prohibiting or restricting the
         use of functions, ports, protocols, and/or services following the
         USGCB guidance. A successful control response will describe the process
         used determine functions, ports, protocols, and services to restrict
-        or prohibit, using USGCB guidance.>'
+        or prohibit, using USGCB guidance.
+        */'
 
 - control_key: CM-7 (1)
   standard_key: NIST-800-53
@@ -312,17 +367,21 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for reviewing the information system
+        '//*
+        The customer will be responsible for reviewing the information system
         at least monthly to identify unnecessary or nonsecure functions, ports,
         protocols, and services. A successful control response will describe
-        how often functions, ports, protocols, and services are reviewed.>'
+        how often functions, ports, protocols, and services are reviewed.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for disabling functions, ports, 
+        '//*
+        The customer will be responsible for disabling functions, ports,
         protocols, and services that have been deemed to be unnecessary or
         nonsecure. A successful control response will explain that these
         functions, ports, protocols, and services found during the review
-        process are disabled.>'
+        process are disabled.
+        */'
 
 - control_key: CM-7 (2)
   standard_key: NIST-800-53
@@ -330,7 +389,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for preventing program execution
+        '//*
+        The customer will be responsible for preventing program execution
         in accordance with organizational defined policies regarding software
         program usage and restrictions. A successful control response will
         explain the process used to ensure that policies followed. This can
@@ -339,7 +399,8 @@ satisfies:
 
         OpenShift utilizes trusted container registries to house white-listed
         container images. The organization should define process for managing
-        said trusted registries to satisfy this control.>'
+        said trusted registries to satisfy this control.
+        */'
 
 - control_key: CM-7 (5)
   standard_key: NIST-800-53
@@ -348,7 +409,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for identifying software programs
+        '//*
+        The customer will be responsible for identifying software programs
         authorized to execute on the information system. A successful control
         response will explain the process used to identify authorized
         software programs.
@@ -358,21 +420,26 @@ satisfies:
         Integration Guide for procedures on how to setup and maintain container
         signing:
 
-        https://access.redhat.com/articles/2750891 >'
+        https://access.redhat.com/articles/2750891 
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for employing a deny-all,
+        '//*
+        The customer will be responsible for employing a deny-all,
         permit-by-exception policy to allow the execution of authorized software
         programs on the information system. A successful control response will
         explain the process to allow the execution of software on the
-        information system.>'
+        information system.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing and updating the list
+        '//*
+        The customer will be responsible for reviewing and updating the list
         of authorized software programs at least annually or when there is a
         change. A successful control response will outline how often the
         authorized software list is reviewed and updated. This should be done at
-        least annually and when changes are made.>'
+        least annually and when changes are made.
+        */'
 
 - control_key: CM-8
   standard_key: NIST-800-53
@@ -381,21 +448,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing and documenting an
+        '//*
+        The customer will be responsible for developing and documenting an
         inventory that meets FedRAMP requirements. A successful control response
         will include a description of how the inventory is developed and
         documented. This process should ensure that the inventory accurately
         reflects the current system, includes and components, is granular enough
         to support tracking and reporting, and includes any information the
-        customer has deemed necessary to achieve effective accountability.>'
+        customer has deemed necessary to achieve effective accountability.
+        */'
     - key: b
       text: |
-        '<The customer will responsible for reviewing and updating the system
+        '//*
+        The customer will responsible for reviewing and updating the system
         inventory at least monthly. This may be performed in conjunction with
         continuous monitoring and POA&M tracking activities. A sucessful control
         response will need to address the personnel or roles responsible for
         updating the system inventory and the process for correcting gaps or
-        discrepancies found.>'
+        discrepancies found.
+        */'
 
 - control_key: CM-8 (1)
   standard_key: NIST-800-53
@@ -403,11 +474,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible updating the inventory of information
+        '//*
+        The customer will be responsible updating the inventory of information
         system components and an integral part of installations, removals, and
         information system updates. A successful control response will include
         a description of how the inventory is updated when any of the above
-        events change the inventory.>'
+        events change the inventory.
+        */'
 
 - control_key: CM-8 (3)
   standard_key: NIST-800-53
@@ -416,18 +489,22 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for employing automated mechanisms
+        '//*
+        The customer will be responsible for employing automated mechanisms
         continuously to detect the presence of unauthorized software within
         the information system. A successful control response will describe
         automated systems that are in place to detect unauthorized software
-        on the information system.>'
+        on the information system.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for actions taken when unauthorized
+        '//*
+        The customer will be responsible for actions taken when unauthorized
         software is detected. A successful control response will describe the
         actions taken when unauthorized software is detected. This can include
         notifying personnel, isolating the system, and disabling network access
-        to that system.>'
+        to that system.
+        */'
 
 - control_key: CM-8 (5)
   standard_key: NIST-800-53
@@ -435,11 +512,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for verifying all components within
+        '//*
+        The customer will be responsible for verifying all components within
         the authorization boundary of the information system are not duplicated
         in other information system inventories. A successful control response
         will describe the process used to ensure that assets are not included
-        in multiple system inventories.>'
+        in multiple system inventories.
+        */'
 
 - control_key: CM-9
   standard_key: NIST-800-53
@@ -448,37 +527,45 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         implementing a configuration management plan that addresses roles,
         responsibilities, and configuration management processes and procedures.
         A successful control response will describe how the configuration
         management plan deals with roles, responsibilities, and processes
-        and procedures.>'
+        and procedures.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for developing, documenting, and
-        implementing a configuration management plan that establishes a 
+        '//*
+        The customer will be responsible for developing, documenting, and
+        implementing a configuration management plan that establishes a
         process for identifying configuration items throughout the
         system development life cycle and for managing the configuration of
         configuration items. A successful control response will describe how
         the configuration management plan establishes a system to track and
-        manage changes to the system.>'
+        manage changes to the system.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         implementing a configuration management plan that defines the
         configuration items for the information system and places them
         under configuration management. A successful control response will
         describe how the configuration management plan defines configuration
-        items, and the process used to manage them.>'
+        items, and the process used to manage them.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         implementing a configuration management plan that protects the
         configuration management plan from unauthorized disclosure. A
         successful control response will describe how the configuration
         management plan is protected from disclosure, such as where it is
-        stored, and controls in place to prevent unauthorized access.>'
+        stored, and controls in place to prevent unauthorized access.
+        */'
 
 - control_key: CM-10
   standard_key: NIST-800-53
@@ -487,25 +574,31 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for using software and associated
+        '//*
+        The customer will be responsible for using software and associated
         documentation in accordance with contract agreements and copyright laws.
         A successful control response will include a description or reference
-        to the customers acceptable use policy.>'
+        to the customers acceptable use policy.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for tracking the use of software and
+        '//*
+        The customer will be responsible for tracking the use of software and
         associated documentation protected by quantity licenses to control
         copying and distribution. A successful control response will include
-        a description of how these licenses are tracked and protected.>'
+        a description of how these licenses are tracked and protected.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for control and documentation of the
+        '//*
+        The customer will be responsible for control and documentation of the
         use of peer-to-peer file sharing technology to ensure that this
         capability is not used for the unauthorized distribution, display,
         performance, or reproduction of copyrighted work. A successful control
         response will include any controls and documentation for peer-to-peer
         technology allowed within the system. An example of this could include
-        acceptable use policies in place.>'
+        acceptable use policies in place.
+        */'
 
 - control_key: CM-10 (1)
   standard_key: NIST-800-53
@@ -513,9 +606,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for establishing any restrictions on
+        '//*
+        The customer will be responsible for establishing any restrictions on
         the use of open source software. A successful control response will
-        describe any restrictions that the organization has in place.>'
+        describe any restrictions that the organization has in place.
+        */'
 
 - control_key: CM-11
   standard_key: NIST-800-53
@@ -524,18 +619,24 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing polocies governing
+        '//*
+        The customer will be responsible for establishing polocies governing
         the installation of software by users. A successful control response
         will describe policies in place that define the restrictions in place
-        for installation of software by users.>'
+        for installation of software by users.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for enforcing installation policies
+        '//*
+        The customer will be responsible for enforcing installation policies
         using a defined method. A successful control response will describe the
         process used to enforce installation policies. This can include
-        references to configuration control processes.>'
+        references to configuration control processes.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for monitoring compliance
+        '//*
+        The customer will be responsible for monitoring compliance
         continuously. A successful control response will describe the process
-        used to monitor compliance of installation policies.>'
+        used to monitor compliance of installation policies.
+        */'
diff --git a/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml b/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
index 3d5c18e..cf0f9af 100644
--- a/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
+++ b/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Contingency Planning
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Contingency Planning policy and procedures. A
         successful control response will need to address the content of the
         policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Contingency Planning policy every  years, and procedures annually.
         A successful response will need to address the review and update
         process, including the role(s) responsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: CP-2
   standard_key: NIST-800-53
@@ -33,50 +38,64 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing a contingency plan
+        '//*
+        The customer will be responsible for developing a contingency plan
         meeting the specified requirements. A successful control response will
         need to address the maintenance, recovery, and resumption of customer
         applications, as well as any reliance on infrastructure functionality
-        to perform these tasks.>'
+        to perform these tasks.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for distributing the contingency plan
+        '//*
+        The customer will be responsible for distributing the contingency plan
         to key contingency personnel. A successful control response will need
         to address identification of key personnel (by name, title, or role)
-        and the means by which the customer ensures that all key personnel 
-        receive the contingency plan.>'
+        and the means by which the customer ensures that all key personnel
+        receive the contingency plan.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for coordinating contingency planning
+        '//*
+        The customer will be responsible for coordinating contingency planning
         activities with incident handling activities. A successful control
         response will need to address the division of responsibilities between
         contingency personnel and incident response personnel, as well as the
         means by which contingency planning activities are activated in the
-        event of a security incident.>'
+        event of a security incident.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for reviewing the contingency plan
+        '//*
+        The customer will be responsible for reviewing the contingency plan
         at the required frequency. A successful control response will need to
-        outline how reviews are initiated, performed, and signed off on.>'
+        outline how reviews are initiated, performed, and signed off on.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for updating the contingency plan to
+        '//*
+        The customer will be responsible for updating the contingency plan to
         address relevant changes as well as any problems found in the
         contingency plan. A successful control response will need to discuss
-        how updates are proposed, implemented, and approved.>'
+        how updates are proposed, implemented, and approved.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for communicating changes to the
+        '//*
+        The customer will be responsible for communicating changes to the
         contingency plan to key contingency personnel. A successful control
         response will need to address the means by which the
         customer ensures that all key personnel receive the updated
-        contingency plan.>'
+        contingency plan.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for protecting the contingency plan
+        '//*
+        The customer will be responsible for protecting the contingency plan
         from unauthorized disclosure or modification. A successful control
         response will need to address policy, procedural, and technical
-        safeguards that are in place to protect the contingency plan.>'
+        safeguards that are in place to protect the contingency plan.
+        */'
 
 - control_key: CP-2 (1)
   standard_key: NIST-800-53
@@ -84,11 +103,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for coordinating development of the
+        '//*
+        The customer will be responsible for coordinating development of the
         contingency plan with related plans (such as business continuity plans,
         disaster recovery plans, etc.). A successful control response will need
         to address the coordination of initial development, as well as how
-        updates to the contingency plan affect related plans and vice versa.>'
+        updates to the contingency plan affect related plans and vice versa.
+        */'
 
 - control_key: CP-2 (2)
   standard_key: NIST-800-53
@@ -96,10 +117,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for reserving capacity for processing
+        '//*
+        The customer will be responsible for reserving capacity for processing
         in an alternative region. A successful control response will need to
         note that capacity for necessary processing has been reserved in an
-        alternate region.>'
+        alternate region.
+        */'
 
 - control_key: CP-2 (3)
   standard_key: NIST-800-53
@@ -107,11 +130,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<This control is often inherited through your platform provider,
+        '//*
+        This control is often inherited through your platform provider,
         e.g. Microsoft Azure implements this control on behalf of both PaaS
         and IaaS customers. A successful control response will indicate if this
         control is inherited through your platform provider, and if not,
-        details how mission functions will be resumed.>'
+        details how mission functions will be resumed.
+        */'
 
 - control_key: CP-2 (8)
   standard_key: NIST-800-53
@@ -119,13 +144,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying critical
-        functionality for which processing capacity must be reserved in an 
+        '//*
+        The customer will be responsible for identifying critical
+        functionality for which processing capacity must be reserved in an
         alternate region. A successful control response will need to discuss
         the process by wich this determination is made. Once processing
         capacity is reserved in an alternate region for this critical
         functionality, the remainder of the control may be inherited
-        from your infrastruture provider.>'
+        from your infrastruture provider.
+        */'
 
 - control_key: CP-3
   standard_key: NIST-800-53
@@ -133,11 +160,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for initial and refresher training
+        '//*
+        The customer will be responsible for initial and refresher training
         related to contingency plan activities at the required intervals. A
         successful control response will need to outline the scope and contents
         of the training, the audience for the training, and the means by which
-        training attendance is tracked and enforced.>'
+        training attendance is tracked and enforced.
+        */'
 
 - control_key: CP-4
   standard_key: NIST-800-53
@@ -146,7 +175,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for testing of contingency plans
+        '//*
+        The customer will be responsible for testing of contingency plans
         related to the customer application at the required frequency. A
         successful control response will need to address the scenarios and
         exercises chosen for the test.
@@ -154,20 +184,26 @@ satisfies:
         Microsoft Azure has provided documentation around recovery testing for
         Azure SQL Database, which customers may use to develop their own test
         plans and procedures:
-        
-        https://azure.microsoft.com/en-us/documentation/articles/sql-database-disaster-recovery-drills/ >'
+
+        https://azure.microsoft.com/en-us/documentation/articles/
+        sql-database-disaster-recovery-drills/ 
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing the results of
+        '//*
+        The customer will be responsible for reviewing the results of
         contingency plan testing. A successful control response will need to
         discuss the roles or personnel responsible for review, as well as the
-        format and content of reporting on the results.>'
+        format and content of reporting on the results.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for initiating corrective action as
+        '//*
+        The customer will be responsible for initiating corrective action as
         a result of contingency plan testing. A successful control response will
         need to address the types of corrective actions taken and timeframes
-        for those actions.>'
+        for those actions.
+        */'
 
 - control_key: CP-4 (1)
   standard_key: NIST-800-53
@@ -175,11 +211,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for coordinating testing of the
+        '//*
+        The customer will be responsible for coordinating testing of the
         contingency plan with related plans (such as business continuity plans,
         disaster recovery plans, etc.). A successful control response will need
         to address ensuring that any test results relevant to related plans are
-        communicated so that corrective actions may be taken as needed.>'
+        communicated so that corrective actions may be taken as needed.
+        */'
 
 - control_key: CP-6
   standard_key: NIST-800-53
@@ -188,17 +226,21 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for enabling geo-replicated within
+        '//*
+        The customer will be responsible for enabling geo-replicated within
         the information system which will allow restoration from backups.
 
         If using Microsoft Azure, once geo-replicated backups are enabled, the
         customer may inherit the remainder of this control from Microsoft
-        Azure.>'
+        Azure.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible to ensure alternate storage sites
+        '//*
+        The customer will be responsible to ensure alternate storage sites
         provide information security safeguards equivalent to the primary
-        site.>'
+        site.
+        */'
 
 - control_key: CP-6 (1)
   standard_key: NIST-800-53
@@ -206,9 +248,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying an alternative
+        '//*
+        The customer will be responsible for identifying an alternative
         storage site that is separated from the primary storage site to reduce
-        susceptibility to the same threats.>'
+        susceptibility to the same threats.
+        */'
 
 - control_key: CP-6 (3)
   standard_key: NIST-800-53
@@ -216,11 +260,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying potential
+        '//*
+        The customer will be responsible for identifying potential
         accessibility problems to the alternate storage site in the event of
         an area-wide disruption or disaster and outlines explicit
         mitigation actions. This control is often inherited from IaaS and PaaS
-        providers.>'
+        providers.
+        */'
 
 - control_key: CP-7
   standard_key: NIST-800-53
@@ -229,22 +275,28 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for reserving capacity for processing
+        '//*
+        The customer will be responsible for reserving capacity for processing
         in an alternate region. A successful control response will need to note
         that capacity for necessary processing has been reserved in an alternate
         region, and will then indicate inheritance of capacity planning from
-        most IaaS providers.>'
+        most IaaS providers.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for ensuring that equipment and
+        '//*
+        The customer will be responsible for ensuring that equipment and
         supplies required to transfer and resume operations are available
         at the alternate processing site. This control is often inherited
-        from organizational processes.>'
+        from organizational processes.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for ensuring that the alternate
+        '//*
+        The customer will be responsible for ensuring that the alternate
         processing site provides information security safeguards equivalent
-        to that of the primary site.>'
+        to that of the primary site.
+        */'
 
 - control_key: CP-7 (1)
   standard_key: NIST-800-53
@@ -252,13 +304,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for identifying an alternate processing
+        '//*
+        The customer is responsible for identifying an alternate processing
         site that is separated from the primary processing site to reduce
         susceptibility to the same threats. Per FedRAMP guidance, the service
         provider may determine what is considered a sufficient degree of
         separation between the primary and alternate processing sites, based
         on the types of threats that are of concern. This control is often
-        inherited from organizational processes.>'
+        inherited from organizational processes.
+        */'
 
 - control_key: CP-7 (2)
   standard_key: NIST-800-53
@@ -266,11 +320,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying potential
+        '//*
+        The customer will be responsible for identifying potential
         accessibility problems to the alternate processing site in the event of
         an area-wide disruption or disaster and outlines explicit mitigation
         actions. This control is often inherited from organizational
-        processes.>'
+        processes.
+        */'
 
 - control_key: CP-7 (3)
   standard_key: NIST-800-53
@@ -278,10 +334,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for developing alternate processing
+        '//*
+        The customer will be responsible for developing alternate processing
         site agreements that contain priority-of-service provisions in
         accordance with organizational availability requirements. This control
-        is often inherited from organizational, IaaS, or PaaS providers.>'
+        is often inherited from organizational, IaaS, or PaaS providers.
+        */'
 
 - control_key: CP-8
   standard_key: NIST-800-53
@@ -289,12 +347,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for establishing alternate
+        '//*
+        The customer will be responsible for establishing alternate
         telecommunication services including necessary agreements to permit
         the resumption of operations. The customer must define a time period
         to resume business operations that is consistent with the business
         impact analysis. This control is often inherited from organizational,
-        IaaS, or PaaS providers.>'
+        IaaS, or PaaS providers.
+        */'
 
 - control_key: CP-8 (1)
   standard_key: NIST-800-53
@@ -303,18 +363,22 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The custimer will be responsible for developing primary and
+        '//*
+        The custimer will be responsible for developing primary and
         alternate telecommunication service agreements that contain
         priority-of-service provisions in accordance with organiational
         availability requirements (including recovery time objectives). This
-        control is often inherited from IaaS and PaaS providers.>'
+        control is often inherited from IaaS and PaaS providers.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible to request telecommunications
+        '//*
+        The customer will be responsible to request telecommunications
         service priority for all telecommunications services used for national
         security emergency preparedness in the event that the primary and/or
         alternate telecommunications services are provided by a common carrier.
-        This control is often inherited from IaaS and PaaS providers.>'
+        This control is often inherited from IaaS and PaaS providers.
+        */'
 
 - control_key: CP-8 (2)
   standard_key: NIST-800-53
@@ -322,10 +386,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for obtaining alernate
+        '//*
+        The customer will be responsible for obtaining alernate
         telecommunications services to reduce the likelihood of sharing a
         single point of failure with primary telecommunications services. This
-        control is often inherited from IaaS and PaaS providers.>'
+        control is often inherited from IaaS and PaaS providers.
+        */'
 
 - control_key: CP-9
   standard_key: NIST-800-53
@@ -334,42 +400,51 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for conducting daily incremental and
-        weekly full backups of user-level information contained in the 
-        information system. Additional FedRAMP requirements and guidance include        maintaining at least three backup copies of user-level information (at 
-        least one of which is available online) or provides an equivalent 
-        alternative. A successful control response will detail how backups of 
-        user-level information occures, and how three backup copies are 
-        maintained.>'
+        '//*
+        The customer will be responsible for conducting daily incremental and
+        weekly full backups of user-level information contained in the
+        information system. Additional FedRAMP requirements and guidance include
+        maintaining at least three backup copies of user-level information (at
+        least one of which is available online) or provides an equivalent
+        alternative. A successful control response will detail how backups of
+        user-level information occures, and how three backup copies are
+        maintained.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for conducting daily incremental and
+        '//*
+        The customer will be responsible for conducting daily incremental and
         weekly full backups of system-level information contained in the
         information system. Additional FedRAMP requirements and guidance include
-        maintaining at least three backup copies of user-level information (at 
-        least one of which is available online) or provides an equivalent 
-        alternative. A successful control response will detail how backups of 
-        user-level information occures, and how three backup copies are 
-        maintained.>'
+        maintaining at least three backup copies of user-level information (at
+        least one of which is available online) or provides an equivalent
+        alternative. A successful control response will detail how backups of
+        user-level information occures, and how three backup copies are
+        maintained.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for conducting daily incremental and
+        '//*
+        The customer will be responsible for conducting daily incremental and
         weekly full backups of information system documentation including
         security-related documentation. Additional FedRAMP requirements and
         guidance include maintaining at least three backup copies of user-level
         information (at least one of which is available online) or provides an
         equivalent alternative. A successful control response will detail how
         backups of user-level information occures, and how three backup copies
-        are maintained.>'
+        are maintained.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for protecting the confidentiality,
+        '//*
+        The customer will be responsible for protecting the confidentiality,
         integrity, and available of backup information at storage locations.
         Additional FedRAMP requirements and guidance include determining
         what elements of the cloud environment require the Information System
         Backup control. The customer will determine how Information System
         Backup is going to be verified and appropriate periodicity of the
-        check.>'
+        check.
+        */'
 
 - control_key: CP-9 (1)
   standard_key: NIST-800-53
@@ -377,9 +452,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for testing backup information at
+        '//*
+        The customer will be responsible for testing backup information at
         least annually to verify media reliability and information
-        integrity.>'
+        integrity.
+        */'
 
 - control_key: CP-9 (3)
   standard_key: NIST-800-53
@@ -387,8 +464,10 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for enabling geo-replicated backups
-        within their subscriptions, which will allow restoration from backup.>'
+        '//*
+        The customer will be responsible for enabling geo-replicated backups
+        within their subscriptions, which will allow restoration from backup.
+        */'
 
 - control_key: CP-10
   standard_key: NIST-800-53
@@ -396,9 +475,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for providing recovery and
+        '//*
+        The customer will be responsible for providing recovery and
         reconstitution of the information system to a known state after a
-        disruption, compromise, or failure.>'
+        disruption, compromise, or failure.
+        */'
 
 - control_key: CP-10 (2)
   standard_key: NIST-800-53
@@ -406,7 +487,9 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing transaction
+        '//*
+        The customer will be responsible for implementing transaction
         recovery within the customer application. A successful control response
         will need to address how transactions are performed and what occurs in
-        the case of failed or conflicting transactions.>'
+        the case of failed or conflicting transactions.
+        */'
diff --git a/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml b/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
index f19de83..73c4440 100644
--- a/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
+++ b/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Identification and Authentication
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Identification and Authentication policy and procedures.
         A successful control response will need to address the content of the
-        policy (which must include purpose, scope, roles, responsibilities, 
+        policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Identification and Authentication policy every 3 years, and procedures
         annually. A successful control response will need to address the review
         and update process, including the role(s) responsible for initiating
         the review process, updating the policy and procedures, and
-        providing approval of the updates.>'
+        providing approval of the updates.
+        */'
 
 - control_key: IA-2
   standard_key: NIST-800-53
@@ -32,7 +37,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for uniquely identifying and
+        '//*
+        The customer will be responsible for uniquely identifying and
         authenticating organizational users. Microsoft Active Directory
         is commonly used for this purpose. A successful control response will
         need to address the credentials used to identify and authenticate
@@ -40,29 +46,33 @@ satisfies:
 
         Microsoft Trust Center has resources related to identity and access
         management. For example:
-        
-        - https://www.microsoft.com/en-us/TrustCenter/Security/Identity 
-        discusses the use of Azure Active Directory (AAD) and Azure Multi-Factor        Authentication to manage customer access
 
-        - https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-security-best-practices/ 
+        - https://www.microsoft.com/en-us/TrustCenter/Security/Identity
+        discusses the use of Azure Active Directory (AAD) and Azure Multi-Factor
+        Authentication to manage customer access:
+
+        - https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-security-best-practices/
         addresses the use of Multi-Factor Authentication in more detail
 
-        - https://azure.microsoft.com/en-us/documentation/articles/active-directory-hybrid-identity-design-considerations-overview/ 
-        addresses the integration of cloud-based identity management with 
+        - https://azure.microsoft.com/en-us/documentation/articles/active-directory-hybrid-identity-design-considerations-overview/
+        addresses the integration of cloud-based identity management with
         existing on-premises identity management solutions
 
         As an OpenShift Container Platform administrator, you can use groups to
         manage users, change their permissions, and enhance collaboration. Your
         organization may have already created user groups and stored them in an
         LDAP server, such as Active Directory. OpenShift Container Platform can
-        sync those LDAP records with internal OpenShift Container Platform 
-        records, enabling you to manage your groups in one place. OpenShift 
-        Container Platform currently supports group sync with LDAP servers using        three common schemas for defining group membership: RFC 2307, Active 
-        Directory, and augmented Active Directory. For additional information, 
-        refer to “Syncing Groups with LDAP” in the OpenShift Installation and 
-        Configuration guide: 
-
-        https://docs.openshift.com/container-platform/3.3/install_config/syncing_groups_with_ldap.html >'
+        sync those LDAP records with internal OpenShift Container Platform
+        records, enabling you to manage your groups in one place. OpenShift
+        Container Platform currently supports group sync with LDAP servers using
+        three common schemas for defining group membership: RFC 2307, Active
+        Directory, and augmented Active Directory. For additional information,
+        refer to “Syncing Groups with LDAP” in the OpenShift Installation and
+        Configuration guide:
+
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        syncing_groups_with_ldap.html 
+        */'
 
 - control_key: IA-2 (1)
   standard_key: NIST-800-53
@@ -70,7 +80,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing multifactor
+        '//*
+        The customer will be responsible for implementing multifactor
         authentication. Microsoft AAD and MFA solutions may be used for this
         purpose. A successful control response will need to address all user
         types and the means by which multifactor authentication is enforced
@@ -85,7 +96,9 @@ satisfies:
         described in Section 12.3.8, Request Header, of the OpenShift v3.3
         Installation and Configuration Guide:
 
-        https://docs.openshift.com/container-platform/3.3/install_config/configuring_authentication.html#RequestHeaderIdentityProvider  >'
+        https://docs.openshift.com/container-platform/3.3/install_config/
+        configuring_authentication.html#RequestHeaderIdentityProvider  
+        */'
 
 - control_key: IA-2 (2)
   standard_key: NIST-800-53
@@ -93,12 +106,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing multifactor
+        '//*
+        The customer will be responsible for implementing multifactor
         authentication. Microsoft AAD and MFA solutions may be used for this
         purpose. A successful control response will need to address all user
         types and the means by which multifactor authentication is enforced
         for each. This control differs from IA-2(1) in the focus for network
-        access to non-privileged accounts.>'
+        access to non-privileged accounts.
+        */'
 
 - control_key: IA-2 (3)
   standard_key: NIST-800-53
@@ -126,14 +141,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing replay-resistant
+        '//*
+        The customer will be responsible for implementing replay-resistant
         authentication for access to privileged accounts. Microsoft AAD and MFA
         solutions may be used for this purpose. A successful control response
         will need to address all user types and the means by which
-        replay-resistant authentication is required for each. 
+        replay-resistant authentication is required for each.
 
         OpenShift can authenticate users against Microsoft Active Directory.
-        It is recommended to use Active Directory if possible.>'
+        It is recommended to use Active Directory if possible.
+        */'
 
 - control_key: IA-2 (11)
   standard_key: NIST-800-53
@@ -141,12 +158,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing multifactor
+        '//*
+        The customer will be responsible for implementing multifactor
         authentication. Microsoft AAD and MFA solutions may be used for this
         purpose. A successful control response will need to address all user
         types and the means by which multifactor authentication is enforced
         for each, as well as the strength of mechanism required by the MFA
-        solution.>'
+        solution.
+        */'
 
 - control_key: IA-2 (12)
   standard_key: NIST-800-53
@@ -154,13 +173,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Personal Identity Verification (PIV) credentials are those credentials
+        '//*
+        Personal Identity Verification (PIV) credentials are those credentials
         issued by federal agencies that conform to FIPS Publication 201 and
         supporting guidance documents. Customers will not be expected to perform
         this credential verification for government agencies. A mechanism for
         allowing government agencies to perform credential verification in a way
         that can be trusted by the customer system is through Active Directory
-        Federation Services (ADFS).>'
+        Federation Services (ADFS).
+        */'
 
 - control_key: IA-3
   standard_key: NIST-800-53
@@ -168,14 +189,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that customer-owned
+        '//*
+        The customer will be responsible for ensuring that customer-owned
         virtual machines are properly authenticated prior to establishing a
         connetion to the rest of the customer system. A successful control
         response will need to address the virtual machines or types of virtual
         machines in use and the mechanism by which each is authenticated.
 
         OpenShift nodes can be configured with x509/PKI certificates, which
-        will provide identity of the machines.>'
+        will provide identity of the machines.
+        */'
 
 - control_key: IA-4
   standard_key: NIST-800-53
@@ -184,38 +207,48 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for authorizing the assignment of
+        '//*
+        The customer will be responsible for authorizing the assignment of
         identifiers. A successful control response will need to address the
         types of identifiers in use and the roles or personnel responsible for
-        authorizing each type.>'
+        authorizing each type.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for selecting identifiers. Microsoft
+        '//*
+        The customer will be responsible for selecting identifiers. Microsoft
         AAD solution may be used for this purpose. A successful control response
-        will need to address all identifier types and the means by which 
-        uniqueness of identifier is assured.>'
+        will need to address all identifier types and the means by which
+        uniqueness of identifier is assured.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for assigning identifiers. Microsoft
+        '//*
+        The customer will be responsible for assigning identifiers. Microsoft
         AAD solution may be used for this purpose. A successful control
         response will need to address communication of the assigned identifier
-        to indivuals, groups, roles, or devices.>'
+        to indivuals, groups, roles, or devices.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for preventing the reuse of
+        '//*
+        The customer will be responsible for preventing the reuse of
         identifiers for the required timeframe. Microsoft AAD solution may be
         used for this purpose. Each account created within AAD is assigned a
         unique identifier (different from username, device name, etc.) which
         is never reused. A successful control response will need to address the
-        types of identifiers in use and the means by which reuse is 
-        prevented.>'
+        types of identifiers in use and the means by which reuse is
+        prevented.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for disabling user identifiers after
+        '//*
+        The customer will be responsible for disabling user identifiers after
         ninety days of inactivity, and other identifier types after customer-
         defined periods of inactivity. Microsoft AAD solution may be used for
         this purpose. A successful control response will need to address all
-        identifier types and the means by which disabling takes place.>'
+        identifier types and the means by which disabling takes place.
+        */'
 
 - control_key: IA-4 (4)
   standard_key: NIST-800-53
@@ -223,12 +256,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for including contractor or foreign
+        '//*
+        The customer will be responsible for including contractor or foreign
         national status as a part of individual identifiers. Microsoft AAD
         solution may be used for this purpose. A successful control response
         ill need to address how contractors and foreign nationals are
         identified by the customer and how that information is incorporated
-        into the individual identifier.>'
+        into the individual identifier.
+        */'
 
 - control_key: IA-5
   standard_key: NIST-800-53
@@ -237,79 +272,99 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for verifying the identity of an
+        '//*
+        The customer will be responsible for verifying the identity of an
         individual, group, role, or device as part of authenticator
         distribution. A successful control response will need to address all
         account types in use and the means of verifiacation for each (for
         example, verifying an individuals identity with a government-issued
-        identification card).>'
+        identification card).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for establishing initial 
+        '//*
+        The customer will be responsible for establishing initial
         authenticator content, such as initial passwords. Microsoft AAD
         solution may be used for this purpose. A successful control response
         will need to address all authenticator types and the means by which
-        initial content is established for each.>'
+        initial content is established for each.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for enforcing strength requirements
+        '//*
+        The customer will be responsible for enforcing strength requirements
         for authenticators. Microsoft AAD solution may be used for this purpose.
         A successful control response will need to address all authenticator
         types and the means by which strength of mechanism requirements are met
-        for each.>'
+        for each.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for establishing procedures for
-        authenticator distribution, redistribution, and revocation. Microsoft 
+        '//*
+        The customer will be responsible for establishing procedures for
+        authenticator distribution, redistribution, and revocation. Microsoft
         AAD solution may be used for this purpose. A successful control response
         will need to address all authenticator types and scenarios, and the
-        procedures established for each.>'
+        procedures established for each.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for changing default authenticator
+        '//*
+        The customer will be responsible for changing default authenticator
         content, such as default passwords for customer-installed software. A
         successful control response will address all situations within the
         customer application where a default authenticator may occur and the
-        process by which changing the default content is enforced.>'
+        process by which changing the default content is enforced.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for setting minimum and maximum
+        '//*
+        The customer will be responsible for setting minimum and maximum
         lifetime restrictions and reuse conditions for authenticators.
         Microsoft AAD solution may be used for this purpose. A successful
         control response will need to address all authenticator types and the
-        lifetime restrictions and reuse conditions for each.>'
+        lifetime restrictions and reuse conditions for each.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for refreshing authenticators at a
+        '//*
+        The customer will be responsible for refreshing authenticators at a
         regular cadence, to include every 60 days for passwords. Microsoft AAD
         solution may be used for this purpose. A successful control response
         will need to address all authenticator types, the refresh cadence for
-        each, and the mechanism by which this cadence is enforced.>'
+        each, and the mechanism by which this cadence is enforced.
+        */'
     - key: h
       text: |
-        '<The customer will be responsible for protecting authenticator content
+        '//*
+        The customer will be responsible for protecting authenticator content
         from unauthorized disclosure or modifiation. Microsoft AAD solution may
         be used for this purpose. A successful control response will need to
         address all authenticator types and the means used to protect each,
         as well as end user training to ensure that users do not disclose
-        authenticators to unauthorized personnel.>'
+        authenticators to unauthorized personnel.
+        */'
     - key: i
       text: |
-        '<The customer will be responsible for implementing specific security
+        '//*
+        The customer will be responsible for implementing specific security
         safeguards to protect authenticators. Microsoft AAD solution may be
         used for this purpose. A successful control response will need to
         address all authenticator types and the means used to protect each, as
         well as end user training to ensure that users do not disclose
-        authenticators to unauthorized personnel.>'
+        authenticators to unauthorized personnel.
+        */'
     - key: j
       text: |
-        '<The customer will be responsible for changing authenticators for group
-        or role accounts when membership to those groups or roles changes. 
+        '//*
+        The customer will be responsible for changing authenticators for group
+        or role accounts when membership to those groups or roles changes.
         Microsoft AAD solution may be used for this purpose. A successful
         control response will need to discuss how group/role membership change
         is detected and reported, the personnel or roles responsible for
         changing the affected authenticators and the process or mechanism used
-        to perform the change.>'
+        to perform the change.
+        */'
 
 - control_key: IA-5 (1)
   standard_key: NIST-800-53
@@ -318,43 +373,55 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for enforcing the required password
+        '//*
+        The customer will be responsible for enforcing the required password
         complexity. Microsoft AAD solution may be used for this purpose. A
         successful control response will need to address the mechanism used
-        to enforce complexity.>'
+        to enforce complexity.
+        */'
     - key: b
       text: |
-        '<The custom will be responsible for enforcing the requirement to change
+        '//*
+        The custom will be responsible for enforcing the requirement to change
         at least one character when changing passwords. Microsoft AAD solution
         may be used for this purpose. A successful control response will need
-        to address the mechanism used to enforce the required change.>'
+        to address the mechanism used to enforce the required change.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for storing and transmitting
+        '//*
+        The customer will be responsible for storing and transmitting
         cryptoraphically-protected passwords. Microsoft AAD solution may be
         used for this purpose. Passwords stored by AAD are automatically
         hashed as part of AAD functionality. A successful control response
         will need to address the mechanism used to enforce
-        cryptographic protection of passwords.>'
+        cryptographic protection of passwords.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for enforcing the required minimum
+        '//*
+        The customer will be responsible for enforcing the required minimum
         and maximum lifetime restructions. Microsoft AAD solution may be used
         for this purpose. A successful control respinse will need to address
-        the mechanism used to enforce lifetime restrictions.>'
+        the mechanism used to enforce lifetime restrictions.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for enforcing the required number of
+        '//*
+        The customer will be responsible for enforcing the required number of
         generations before password reuse. Microsoft AAD solution may be used
         for this purpose. A successful control response will need to address
-        the mechanism used to enforce the reuse requirement.>'
+        the mechanism used to enforce the reuse requirement.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for enforcing the requirement to
-        change initial/temporary passwords upon first login. Microsoft AAD 
+        '//*
+        The customer will be responsible for enforcing the requirement to
+        change initial/temporary passwords upon first login. Microsoft AAD
         solution may be used for this purpose. A successful control response
         will ned to address the mechanism used to enforce the initial password
-        change requirement.>'
+        change requirement.
+        */'
 
 - control_key: IA-5 (2)
   standard_key: NIST-800-53
@@ -363,32 +430,40 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for validating certificates used
+        '//*
+        The customer will be responsible for validating certificates used
         within the customer application. Active Directory Certificate Services
         may be used for this purpose. A successful control response will need
-        to address the mechanism used to validate certificates.>'
+        to address the mechanism used to validate certificates.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for the enforcement of authorized
+        '//*
+        The customer will be responsible for the enforcement of authorized
         access to private keys associated with certificates used within the
         customer application. Active Directory Certificate Services may be
-        used for this purpose. A successful control response will need to 
-        address the mechanism used to restrict access to private keys.>'
+        used for this purpose. A successful control response will need to
+        address the mechanism used to restrict access to private keys.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for mapping the identity
+        '//*
+        The customer will be responsible for mapping the identity
         authenticated by a certificate to the account of the individual or
         group associated with that identity. Active Directory Certificate
         Services may be used for this purpose. A successful control response
         will need to address the mechanism used to map identities between
-        certificates and accounts.>'
+        certificates and accounts.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for implementing a local (i.e. within
-        their subscription) cache of revocation data. Active Directory 
+        '//*
+        The customer will be responsible for implementing a local (i.e. within
+        their subscription) cache of revocation data. Active Directory
         Certificate Serices may be used for this purpose. A successful control
         response will need to address the mechanism used to establish and
-        populate the revocation data.>'
+        populate the revocation data.
+        */'
 
 - control_key: IA-5 (3)
   standard_key: NIST-800-53
@@ -396,12 +471,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for distributing mulifactor
+        '//*
+        The customer will be responsible for distributing mulifactor
         authenticators in person with proper authorizations in place. A
         successful control response will need to discuss the mulifactor
         authenticators in use, the personnel or roles serving as the
         registration authority, and the personnel or roles providing
-        authorization for distribution of the authenticators.>'
+        authorization for distribution of the authenticators.
+        */'
 
 - control_key: IA-5 (4)
   standard_key: NIST-800-53
@@ -409,11 +486,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing automated tools to
-        ensure that password authenticators meet strength requirements. 
+        '//*
+        The customer will be responsible for employing automated tools to
+        ensure that password authenticators meet strength requirements.
         Microsoft AAD solution may be used for this purpose. A successful
         control response will need to address the automated mechanism used to
-        enforce password strength requirements.>'
+        enforce password strength requirements.
+        */'
 
 - control_key: IA-5 (6)
   standard_key: NIST-800-53
@@ -421,10 +500,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for protecting authenticators.
+        '//*
+        The customer will be responsible for protecting authenticators.
         Microsoft AAD solution may be used for this purpose. A successful
         control response will need to address the mechanisms, processes, or
-        tools used to protect authenticators.>'
+        tools used to protect authenticators.
+        */'
 
 - control_key: IA-5 (7)
   standard_key: NIST-800-53
@@ -432,10 +513,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that unencrypted static
+        '//*
+        The customer will be responsible for ensuring that unencrypted static
         authenticators are not embedded or stored. A successful control response
         will need to address both policy requirements and technical enforcement
-        mechanisms.>'
+        mechanisms.
+        */'
 
 - control_key: IA-5 (11)
   standard_key: NIST-800-53
@@ -443,12 +526,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employin automated tools to
+        '//*
+        The customer will be responsible for employin automated tools to
         ensure that hardware tokens meet customer-defined token quality
         requirements. A successful control response will need to discuss the
         quality requirements in place, the rational for those requirements,
         and the means by which hardware tokens are shown to meet those
-        requirements.>'
+        requirements.
+        */'
 
 - control_key: IA-6
   standard_key: NIST-800-53
@@ -456,14 +541,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for obscuring authentication feedback
+        '//*
+        The customer will be responsible for obscuring authentication feedback
         during the authentication process for any customer applications. A
         successful control response will need to address the various
         authentication scenarios that might arise and the mechanism used
         to obscure feedback diring each.
 
         OpenShift natively obscures such information. OpenShift cannot be
-        configured to be out of compliance with this requirement.>'
+        configured to be out of compliance with this requirement.
+        */'
 
 - control_key: IA-7
   standard_key: NIST-800-53
@@ -471,14 +558,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Administrative access to OpenShift nodes is performed over SSH. To
+        '//*
+        Administrative access to OpenShift nodes is performed over SSH. To
         limit SSH ciphers to those algorithms which are FIPS-approved, update
         the following line in /etc/ssh/sshd_config:
-        
+
         Ciphers aes128,aes192-ctr,aes256-ctr
 
         The OpenShift Console, which is the web interface to the system,
-        automatically converts incoming authentication requests to HTTPS.>'
+        automatically converts incoming authentication requests to HTTPS.
+        */'
 
 - control_key: IA-8
   standard_key: NIST-800-53
@@ -486,12 +575,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying and authenticating
-        non-organiational users accessing the customer application. A 
+        '//*
+        The customer will be responsible for identifying and authenticating
+        non-organiational users accessing the customer application. A
         successful control response will need to adderss how non-organizational
         users are defined and the process by which identification
         and authentication takes place, including any differences from
-        identification and authentication for organizational users.>'
+        identification and authentication for organizational users.
+        */'
 
 - control_key: IA-8 (1)
   standard_key: NIST-800-53
@@ -499,13 +590,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Personal Identity Verificiation (PIV_ credentials are those
+        '//*
+        Personal Identity Verificiation (PIV_ credentials are those
         credentials issued by federal agencies that conform to FIPS Publication
         201 and supporting guidance documents. Customers will not be expected
         to perform this credential verification for government agencies. A
         mechanism for allowing government agencies to perform credential
         verification in a way that can be trusted by the customer system is
-        through Active Directory Federation Services (ADFS).>'
+        through Active Directory Federation Services (ADFS).
+        */'
 
 - control_key: IA-8 (2)
   standard_key: NIST-800-53
@@ -513,14 +606,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<FICAM approved credentials are those credentials issued by nonfederal
+        '//*
+        FICAM approved credentials are those credentials issued by nonfederal
         government entities approved by the Federal Identity, Credential, and
         Access Management (FICAM) Trust Framework Solutions Initiative.
         Customers iwill not be expected to perform credential veritification for
         government agencies. A mechanism for allowing government agencies to
         perform credential verification in a way that can be trusted by the
         customer system is through Active Directory Federation Services
-        (ADFS).>'
+        (ADFS).
+        */'
 
 - control_key: IA-8 (3)
   standard_key: NIST-800-53
@@ -528,14 +623,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<FICAM approved credentials are those credentials issued by nonfederal
+        '//*
+        FICAM approved credentials are those credentials issued by nonfederal
         government entities approved by the Federal Identity, Credential, and
         Access Management (FICAM) Trust Framework Solutions Initiative.
         Customers iwill not be expected to perform credential veritification for
         government agencies. A mechanism for allowing government agencies to
         perform credential verification in a way that can be trusted by the
         customer system is through Active Directory Federation Services
-        (ADFS).>'
+        (ADFS).
+        */'
 
 - control_key: IA-8 (4)
   standard_key: NIST-800-53
@@ -543,11 +640,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<FICAM approved credentials are those credentials issued by nonfederal
+        '//*
+        FICAM approved credentials are those credentials issued by nonfederal
         government entities approved by the Federal Identity, Credential, and
         Access Management (FICAM) Trust Framework Solutions Initiative.
         Customers iwill not be expected to perform credential veritification for
         government agencies. A mechanism for allowing government agencies to
         perform credential verification in a way that can be trusted by the
         customer system is through Active Directory Federation Services
-        (ADFS).>'
+        (ADFS).
+        */'
diff --git a/OpenShift-v3/policies/IR-Incident_Response/component.yaml b/OpenShift-v3/policies/IR-Incident_Response/component.yaml
index 98fd460..3329b22 100644
--- a/OpenShift-v3/policies/IR-Incident_Response/component.yaml
+++ b/OpenShift-v3/policies/IR-Incident_Response/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Incident Response
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Incident Response policy and procedures. A successful
         control response will need to address the content of the policy (which
         must include purpose, scope, roles, responsibilities, management
         commitment, coordination, and compliance) and procedures (which must
         facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Incident Response policy every 3 years, and procedures annually. A
         successful control response will need to address the review and update
         process, including the role(s) responsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: IR-2
   standard_key: NIST-800-53
@@ -33,27 +38,33 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for initial training related to
+        '//*
+        The customer will be responsible for initial training related to
         contingency plan activities. This training will need to include
         consideration for all aspects of incident response that are the
         responsibility of the customer. A successful control response will need
         to outline the scope and contents of the training, the audience for the
         training, and the means by which training attendance is tracked and
-        enforced.>'
+        enforced.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for providing retraining related to
+        '//*
+        The customer will be responsible for providing retraining related to
         contingency plan activities as required by information system changes. A
-        successful control response will need to address identification of 
+        successful control response will need to address identification of
         changes that require retraining as well as notification to relevant
         parties that retraining is required and tracking/enforcement of that
-        attendance.>'
+        attendance.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for refresher training related to
+        '//*
+        The customer will be responsible for refresher training related to
         contingency plan activities at the required frequency. A successful
         control response will need to address the means by which refresher
-        training attendance is tracked and enforced.>'
+        training attendance is tracked and enforced.
+        */'
 
 - control_key: IR-3
   standard_key: NIST-800-53
@@ -61,7 +72,8 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for testing of incident response
+        '//*
+        The customer will be responsible for testing of incident response
         plans at the required frequency. A successful control response will
         need to address the scenarios and exercise chosen for the test, as well
         as the process for documenting and reviewing test results. Test plans
@@ -70,7 +82,8 @@ satisfies:
 
         NIST Special Publication 800-61, Rev 2, Computer Security Incident
         Handling Guide, provides guidance on the development and testing
-        of incident response plans.>'
+        of incident response plans.
+        */'
 
 - control_key: IR-3 (2)
   standard_key: NIST-800-53
@@ -78,12 +91,14 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for coordinating testing of the
+        '//*
+        The customer will be responsible for coordinating testing of the
         incident response plan with related plans (such as business continuity
         plans, contingency plans, etc.). A successful control response will
         need to address ensuring that any test results relevant to related
         plans are communicated so that corrective actions may be taken as
-        needed.>'
+        needed.
+        */'
 
 - control_key: IR-4
   standard_key: NIST-800-53
@@ -92,7 +107,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing incident response
+        '//*
+        The customer will be responsible for developing incident response
         plans and testing that includes consideration for any controls that are
         the responsibility of the customer relating to shared touch points
         included in the customers authorization boundary and any customer
@@ -102,22 +118,27 @@ satisfies:
         control response will need to address the required steps in incident
         response (preparation, detection and analysis, containment, eradication,
         and recovery), including identifying roles or individuals responsible
-        for each step.>'
+        for each step.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for incident handling activities
-        with contingency plan activities. A successful control response will 
+        '//*
+        The customer will be responsible for incident handling activities
+        with contingency plan activities. A successful control response will
         need to address communication and prioritization in the case of
         conflicts (for example, if incident analysis and containment causes
-        delays in service restoration).>'
+        delays in service restoration).
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for updating incident response plans,
+        '//*
+        The customer will be responsible for updating incident response plans,
         procedures, training and testing based on lessons learned from incident
         handling activities. A successful control response will need to address
         the personnel or roles responsible for gathering and reviewing lessons
         learned, updating plans, procedures, trianing, and testing, and
-        reviewing and signing off on changes.>'
+        reviewing and signing off on changes.
+        */'
 
 - control_key: IR-4 (1)
   standard_key: NIST-800-53
@@ -125,11 +146,13 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for using automated mechanisms
+        '//*
+        The customer will be responsible for using automated mechanisms
         (such as ticketing systems and incident tracking/reporting systems) in
         support of customer incident handling activities. A successful control
         response will need to address the automated systems involved and their
-        place within the overall incident handling process.>'
+        place within the overall incident handling process.
+        */'
 
 - control_key: IR-5
   standard_key: NIST-800-53
@@ -137,11 +160,13 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responisble for tracking and documenting
+        '//*
+        The customer will be responisble for tracking and documenting
         information system security incidents. A successful control response
         will need to address the tools and processes used for documentation,
         and relate these tools and processes to the automated mechanisms
-        used in IR-4(1).>'
+        used in IR-4(1).
+        */'
 
 - control_key: IR-6
   standard_key: NIST-800-53
@@ -150,20 +175,24 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for requiring personnel to report
+        '//*
+        The customer will be responsible for requiring personnel to report
         suspected security incidents within the required timeframes. A
         successful control response will need to address examples of events that
         personnel should report, as well as tools, mechanisms, and processes
-        used for reporting.>'
+        used for reporting.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reporting security incident
+        '//*
+        The customer will be responsible for reporting security incident
         information according to the FedRAMP Incident Communications Procedure.
         In cases where customer security incidents may affect the security
         status of Microsoft Azure as a whole, the customer will be responsible
         for notifying Microsoft Azure as well. A successful control response
         will need to address the individuals or roles responsible for such
-        notifications.>'
+        notifications.
+        */'
 
 - control_key: IR-6 (1)
   standard_key: NIST-800-53
@@ -171,11 +200,13 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for using automated mechanisms (such
+        '//*
+        The customer will be responsible for using automated mechanisms (such
         as ticketing systems and incident tracking/reporting systems) in support
         of the reporting of security incidents. A successful control response
         will need to address the automated systems involved and how they are
-        used for reporting of incidents.>'
+        used for reporting of incidents.
+        */'
 
 - control_key: IR-7
   standard_key: NIST-800-53
@@ -183,11 +214,13 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for providing incident response
+        '//*
+        The customer will be responsible for providing incident response
         resources to their users. These resources may be, for example, web
         pages, helpdesk resources, or assistanceg groups. A successful
         control response will need to outline the resources available and
-        discuss how users are notified of the existence of these resources.>'
+        discuss how users are notified of the existence of these resources.
+        */'
 
 - control_key: IR-7 (1)
   standard_key: NIST-800-53
@@ -195,11 +228,13 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responislbe for using automated mechanisms
+        '//*
+        The customer will be responislbe for using automated mechanisms
         (such as websites or email distribution lists) to increase the
-        availability of incident response support resources. A successful 
+        availability of incident response support resources. A successful
         control response will need to discuss the mechanisms used and the
-        information and support resources provided via each mechanism.>'
+        information and support resources provided via each mechanism.
+        */'
 
 - control_key: IR-7 (2)
   standard_key: NIST-800-53
@@ -208,7 +243,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing relationships
+        '//*
+        The customer will be responsible for establishing relationships
         between its incident response capability and external providers. In
         particular, it is the customers responsibility to provide accurate
         and current contact information to IaaS providers in order to receive
@@ -217,13 +253,16 @@ satisfies:
         US-CERT as a notification contact. A successful control response will
         need to address these requirements as well as relationships with any
         other relevant external providers of information system protection
-        capability.>'
+        capability.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for identifying incident response
+        '//*
+        The customer will be responsible for identifying incident response
         team members to IaaS providers and any other external providers. A
         successful control response will need to discuss the means by which
-        this identification is communicated.>'
+        this identification is communicated.
+        */'
 
 - control_key: IR-8
   standard_key: NIST-800-53
@@ -232,44 +271,56 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing an incident response
+        '//*
+        The customer will be responsible for developing an incident response
         plan that includes consideration for any controls that are the
         responsibility of the customer relating to shared touch points inclduded
         in the customers authorization boundary and any customer applications
         leveraging the providers infrastructure. A successful control response
         will need to address how the plan meets each of the specified
         requirements, and the individuals or roles responsible for ensuring that
-        the requirements are met.>'
+        the requirements are met.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for distributing the incident
+        '//*
+        The customer will be responsible for distributing the incident
         response plan to identified internal and FedRAMP personnel. A successful
         control response will need to address the criteria for inclusion in the
-        distribution list.>'
+        distribution list.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing the incident response
+        '//*
+        The customer will be responsible for reviewing the incident response
         plan at the required frequency. A successful control response will need
         to address how the review process is initiated and the roles or
-        individuals responsible for performing the review.>'
+        individuals responsible for performing the review.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for updating the incident response
+        '//*
+        The customer will be responsible for updating the incident response
         plan as appropriate. A successful control response will need to address
         the criteria for requiring an update to the incident response plan, the
         individuals or roles responsible for updating the plan, and the process
-        for approval of updates.>'
+        for approval of updates.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for communicating changes made to the
+        '//*
+        The customer will be responsible for communicating changes made to the
         incident response plan to the list of internal and FedRAMP personnel
-        identified in IR-8(b).>'
+        identified in IR-8(b).
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for protecting the incident response
+        '//*
+        The customer will be responsible for protecting the incident response
         plan from unauthorized disclosure or modification. A successful control
         response will need to address policy, procedural, and technical
-        safeguards that are in place to protect the incident response plan.>'
+        safeguards that are in place to protect the incident response plan.
+        */'
 
 - control_key: IR-9
   standard_key: NIST-800-53
@@ -278,43 +329,55 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be repsonsible for identifying the specific
+        '//*
+        The customer will be repsonsible for identifying the specific
         information involved in an information spill. A successful control
         response will need to address how spills are detected and the tools
-        or processes used to identify the specific information involved.>'
+        or processes used to identify the specific information involved.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for alerting designated personnel
+        '//*
+        The customer will be responsible for alerting designated personnel
         using a non-contaminated method of communication. A successful control
         response will need to discuss how the personnel are designated and
-        notified.>'
+        notified.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for isolating the contaminated
+        '//*
+        The customer will be responsible for isolating the contaminated
         system or component. This may involved, for example, disabling
         connections to the component or shutting it down. A successful
         contorl response will need to address the types of components that
         could potentially be contaminated and the mechanism for isolating
-        each type.>'
+        each type.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for eradicating the spilled
+        '//*
+        The customer will be responsible for eradicating the spilled
         information from the contaminated system or component. A successful
         control response will need to address the means by which
-        eradication is carried out and confirmed.>'
+        eradication is carried out and confirmed.
+        */'
     - key: e
       text: |
-        '<The customer will be repsonsible for identifying other systems or
+        '//*
+        The customer will be repsonsible for identifying other systems or
         components that may have been contaminated subsequent to the initial
         spill. A successful control response will need to outline the
-        investigative process used to make this determination.>'
+        investigative process used to make this determination.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for identifying and performing any
+        '//*
+        The customer will be responsible for identifying and performing any
         additional required actions to resolve information spills. A
         successful control response will need to address how those actions
         are identified and the roles or individuals responsible for
-        identifying and performing the actions.>'
+        identifying and performing the actions.
+        */'
 
 - control_key: IR-9 (1)
   standard_key: NIST-800-53
@@ -322,12 +385,14 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for identifying personnel or roles
+        '//*
+        The customer will be responsible for identifying personnel or roles
         with responsibility for responding to information spills. This may be
         all members of the incident response team, specific members with
         specialized knowledge, or individuals or teams completely distinct from
         the incident response team. A successful control response will need to
-        address the rationale for the selection.>'
+        address the rationale for the selection.
+        */'
 
 - control_key: IR-9 (2)
   standard_key: NIST-800-53
@@ -335,12 +400,14 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for providing information spillage
+        '//*
+        The customer will be responsible for providing information spillage
         response training on a regular basis. This may be incorporated into
         overall incident response training or may be a separate training
         course or module. A successful control response will need to outline
         the contents of the information spillage response training and address
-        the frequency at which training is provided.>'
+        the frequency at which training is provided.
+        */'
 
 - control_key: IR-9 (3)
   standard_key: NIST-800-53
@@ -348,12 +415,14 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for defining and implementing
+        '//*
+        The customer will be responsible for defining and implementing
         procedures to allow personnel affected by information spills to continue
         carrying out assigned tasks during the information spill response
         process. A successful contorl response will need to addres, for example,
         alternate means of connection to affected systems and changes to
-        processes required to employ those alternate means.>'
+        processes required to employ those alternate means.
+        */'
 
 - control_key: IR-9 (4)
   standard_key: NIST-800-53
@@ -361,10 +430,12 @@ satisfies:
   implimentation_status: Not applicable
   narrative:
     - text: |
-        '<The customer will be responsible for defining and employing additional
+        '//*
+        The customer will be responsible for defining and employing additional
         safeguards for personnel exposed to information they were not authorized
-        to access. These may include, for example, additional training, 
+        to access. These may include, for example, additional training,
         non-disclosure agreements, etc. A successful control response will need
         to address the nature of these safeguards and whether they are employed
         proactively (prior to information spillage incidents) or reactively
-        (following information spillage incidents).>'
+        (following information spillage incidents).
+        */'
diff --git a/OpenShift-v3/policies/MA-Maintenance/component.yaml b/OpenShift-v3/policies/MA-Maintenance/component.yaml
index 61067db..17e4ed7 100644
--- a/OpenShift-v3/policies/MA-Maintenance/component.yaml
+++ b/OpenShift-v3/policies/MA-Maintenance/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Maintenance
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating System Maintenance policy and procedures. A successful
         control response will need to address the content of the policy
         (which must include purpose, scope, roles, responsibilities,
         management commitments, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         System Maintenance policy every 3 years, and procedures annually. A
         successful control response will need to address the review and
         update process, including the role(s) responsible for initiating the
         review process, updating the policy and procedures, and providing
-        approval of the updates.>'
+        approval of the updates.
+        */'
 
 - control_key: MA-2
   standard_key: NIST-800-53
@@ -33,45 +38,57 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for scheduling, performing,
+        '//*
+        The customer will be responsible for scheduling, performing,
         documenting, and reviweing records of maintenance and repairs
         on information system components in accordance with vendor
         specifications and/or organizational requirements. A successful control
-        response will outline maintenance procedures.>'
+        response will outline maintenance procedures.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible to approve and monitor all
+        '//*
+        The customer will be responsible to approve and monitor all
         maintenance activities. A successful control response will outline
         oversight processes for maintenance activities. This is frequently
-        accomplished through lifecycle management tools, e.g. Remedy>'
+        accomplished through lifecycle management tools, e.g. Remedy
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for requiring that datacenter
+        '//*
+        The customer will be responsible for requiring that datacenter
         management and property asset owners explicity approve the removal
         of the information system or system components from organizational
         facilities for off-site maintenance repairs. This is frequently an
         inherited control from IaaS providers and not applicable to OpenShift
-        deployments.>'
+        deployments.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for santizing equipment to remove
+        '//*
+        The customer will be responsible for santizing equipment to remove
         all information from the associated media prior to removal from
         organizational facilities. This is frequently an inherited control
-        from IaaS providers and not applicable to OpenShift deployments.>'
+        from IaaS providers and not applicable to OpenShift deployments.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for cehcking all potentially impacted
+        '//*
+        The customer will be responsible for cehcking all potentially impacted
         security controls to verify that the controls are still functioning
-        properly following maintenance or repair actions.>'
+        properly following maintenance or repair actions.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for including the date and time of
+        '//*
+        The customer will be responsible for including the date and time of
         maintenance, name of the individual(s) performing the maintenance,
         name of escort (if applicable), a description of the maintenance
         performed, and a list of equipment removed or replaced (including
         identification numbers, if applicable) in organizational
-        maintenance records. A successful control response will outline the     
-        process for including such metadata in maintenance records.>'
+        maintenance records. A successful control response will outline the
+        process for including such metadata in maintenance records.
+        */'
 
 - control_key: MA-3
   standard_key: NIST-800-53
@@ -79,9 +96,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for approving, controlling, and
-        monitoring information system maintenance records. A successful 
-        control response will document this process.>'
+        '//*
+        The customer will be responsible for approving, controlling, and
+        monitoring information system maintenance records. A successful
+        control response will document this process.
+        */'
 
 - control_key: MA-3 (1)
   standard_key: NIST-800-53
@@ -89,10 +108,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for inspecting the maintenance
+        '//*
+        The customer will be responsible for inspecting the maintenance
         tools carried into a facility by maintenance personnel for improper
         or unauthorized modifications. A successful control response
-        will document this process.>'
+        will document this process.
+        */'
 
 - control_key: MA-3 (2)
   standard_key: NIST-800-53
@@ -100,10 +121,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for checking media containing
+        '//*
+        The customer will be responsible for checking media containing
         diagnostic and test programs for malicious code before the
         media are used in the information system. A successful control response
-        documents this process.>'
+        documents this process.
+        */'
 
 - control_key: MA-3 (3)
   standard_key: NIST-800-53
@@ -111,14 +134,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for prevengint unauthorized removal
+        '//*
+        The customer will be responsible for prevengint unauthorized removal
         of manteance equipment containing organizational information. A
         successful control response will address (a) process to verify there
         is no organizational information contained on the equipment; (b) how
         equipment is sanitized or destroyed; (c) process to retain the
         equipment within the facility; (d) process to obtain an exception
         from these processes from the information owner that explicity
-        authorizes removal of equipment from the facility>'
+        authorizes removal of equipment from the facility
+        */'
 
 - control_key: MA-4
   standard_key: NIST-800-53
@@ -127,7 +152,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for approving and monitoring
+        '//*
+        The customer will be responsible for approving and monitoring
         non-local maintenance and diagnostic activities. Because of the nature
         of a cloud system, all maintenance and diagnostic activities will be
         considered non-local. Therefore, this control can largely be
@@ -135,34 +161,43 @@ satisfies:
         and the auditing and monitoring discussions in the AU family and SI-4. A
         successful control response will need to address the personnel or roles
         who are authorized to perform maintenance and diagnostic activities,
-        and how those activities are tracked.>'
+        and how those activities are tracked.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for ensuring that non-local
+        '//*
+        The customer will be responsible for ensuring that non-local
         maintenance and diagnostic activities and tools are consistent
         with the customers policies. A successful control response will need
         to discuss ensuring that, for example, authorization, identification,
         and authentication policies are followed for all personnel and tooles
-        performing maintenance and diagnostic activities.>'
+        performing maintenance and diagnostic activities.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for ensuring that strong
+        '//*
+        The customer will be responsible for ensuring that strong
         authenticators are used to establish non-local maintenance and
         diagnostic sessions. A successful control response will need to discuss
         ensuring that authenticators are resistant to replay attacks and employ
-        multifactor authentication.>'
+        multifactor authentication.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for maintaining records of non-local
+        '//*
+        The customer will be responsible for maintaining records of non-local
         maintenance and diagnostic activities. A successful control response
         will need to address the types of activities for which records are kept
-        as well as the contents of those records.>'
+        as well as the contents of those records.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for terminating the session and
+        '//*
+        The customer will be responsible for terminating the session and
         network connections when non-local maintenance and diagnostic activities
         are completed. A successful control response will need to address
-        monitoring and enforcement of the disconnectionr requirement.>'
+        monitoring and enforcement of the disconnectionr requirement.
+        */'
 
 - control_key: MA-4 (2)
   standard_key: NIST-800-53
@@ -170,12 +205,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for documenting the policies and
+        '//*
+        The customer will be responsible for documenting the policies and
         procedures for the establishment and use of non-local maintenance
         and diagnostic connections. A successful control response will need to
         address when non-local maintenance and diagnostic connections are
         allowed, what personnel are authorized to establish and use them, and
-        udner what circumstances connections must be terminated.>'
+        udner what circumstances connections must be terminated.
+        */'
 
 - control_key: MA-5
   standard_key: NIST-800-53
@@ -184,24 +221,30 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing a process for
+        '//*
+        The customer will be responsible for establishing a process for
         maintenance personnel authorizationa and maintains a list of authorized
         maintenance organizations/personnel. A successful control response will
-        document this process and where the records are kept.>'
+        document this process and where the records are kept.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for ensuring that non-escorted
+        '//*
+        The customer will be responsible for ensuring that non-escorted
         personnel performing maintenance on the information system have
         required access authorizations. A successful control response will
         document this process, and should involve the information owner
-        signing off on this access.>'
+        signing off on this access.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for designating organizational
+        '//*
+        The customer will be responsible for designating organizational
         personnel with required access authorizations and technical
         competence to supervise the maintenance personnel. A successful
         control response will document the process for becoming an escore, and
-        how technical competence is established.>'
+        how technical competence is established.
+        */'
 
 - control_key: MA-5 (1)
   standard_key: NIST-800-53
@@ -210,7 +253,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for implementing procedures for
+        '//*
+        The customer will be responsible for implementing procedures for
         the use of maintenace personnel that lack appropriate security
         clearances or are not U.S. citizens. These procures must address
         (1) personnel who do not have needed access authorizations are escorted
@@ -218,15 +262,18 @@ satisfies:
         diagnostic activities by personnel lacking access authorizations, all
         volatile information storage components within the information system
         are santized and all nonvolatile storage media are removed or physically
-        disconnected from the system and secured.>'
+        disconnected from the system and secured.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for developing and implimenting
+        '//*
+        The customer will be responsible for developing and implimenting
         alternate security safeguards in the event an information system
         component cannot be santized, removed, or disconnected from the system.
         A successful control response will document how maintenance staff
         lacking appropriate authorizations will not be able to access
-        data residing on the informarion system.>'
+        data residing on the informarion system.
+        */'
 
 - control_key: MA-6
   standard_key: NIST-800-53
@@ -234,6 +281,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for obtaining maintenance support
+        '//*
+        The customer will be responsible for obtaining maintenance support
         and/or spare parts for critical components within a reasonable time
-        to minimize production impact.>'
+        to minimize production impact.
+        */'
diff --git a/OpenShift-v3/policies/MP-Media_Protection/component.yaml b/OpenShift-v3/policies/MP-Media_Protection/component.yaml
index c2743ef..783d766 100644
--- a/OpenShift-v3/policies/MP-Media_Protection/component.yaml
+++ b/OpenShift-v3/policies/MP-Media_Protection/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Media Protection
 schema_version: 3.0.0
@@ -9,7 +10,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-1 goes here.
+        Narrative text on how product can be configured against MP-1.
 
         This answer can be multi-line.
 
@@ -19,7 +20,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-2 goes here.
+        Narrative text on how product can be configured against MP-2.
 
         This answer can be multi-line.
 
@@ -29,7 +30,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-3 goes here.
+        Narrative text on how product can be configured against MP-3.
 
         This answer can be multi-line.
 
@@ -39,7 +40,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-4 goes here.
+        Narrative text on how product can be configured against MP-4.
 
         This answer can be multi-line.
 
@@ -49,7 +50,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-5 goes here.
+        Narrative text on how product can be configured against MP-5.
 
         This answer can be multi-line.
 
@@ -59,7 +60,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-5 (4) goes here.
+        Narrative text on how product can be configured against MP-5 (4).
 
         This answer can be multi-line.
 
@@ -69,7 +70,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-6 goes here.
+        Narrative text on how product can be configured against MP-6.
 
         This answer can be multi-line.
 
@@ -79,7 +80,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-6 (2) goes here.
+        Narrative text on how product can be configured against MP-6 (2).
 
         This answer can be multi-line.
 
@@ -89,7 +90,7 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-7 goes here.
+        Narrative text on how product can be configured against MP-7.
 
         This answer can be multi-line.
 
@@ -99,6 +100,6 @@ satisfies:
   implimentation_status: none
   narrative:
    - text: |
-        Narrative text on how product can be configured against MP-7 (1) goes here.
+        Narrative text on how product can be configured against MP-7 (1).
 
         This answer can be multi-line.
diff --git a/OpenShift-v3/policies/PE-Physical_and_Environmental_Protection/component.yaml b/OpenShift-v3/policies/PE-Physical_and_Environmental_Protection/component.yaml
index f391d07..23b1edd 100644
--- a/OpenShift-v3/policies/PE-Physical_and_Environmental_Protection/component.yaml
+++ b/OpenShift-v3/policies/PE-Physical_and_Environmental_Protection/component.yaml
@@ -1 +1,16 @@
-# Nothing here - no Physical Controls associated to OpenShift
+---
+documentation_complete: false
+name: Planning
+schema_version: 3.0.0
+satisfies:
+
+- control_key: PE-1
+  standard_key: NIST-800-53
+  covered_by: []
+  implimentation_status: none
+  narrative:
+    - key: a
+      text: |
+        '//*
+        Text goes here - testing
+        */'
diff --git a/OpenShift-v3/policies/PL-Planning/component.yaml b/OpenShift-v3/policies/PL-Planning/component.yaml
index 0e363ef..133b7ca 100644
--- a/OpenShift-v3/policies/PL-Planning/component.yaml
+++ b/OpenShift-v3/policies/PL-Planning/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Planning
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Security Planning policy and procedures. A successful
         control response will need to address the content of the policy
         (which must include purpose, scope, roles, responsibilities, management
         commitment, coordination, and compliance) and proecures (which must
         facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Security Planning policy every 3 years, and procedures annually. A
         successful control response will need to address the review and
         update process, including the role(s) responsible for initiating
         the review process, updating the policy and procedures, and providing
-        approval of the updates.>'
+        approval of the updates.
+        */'
 
 - control_key: PL-2
   standard_key: NIST-800-53
@@ -33,45 +38,55 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing a system security
+        '//*
+        The customer will be responsible for developing a system security
         plan (this document) in accordance with the above requirements. A
         successful control response will need to address each of the
         requirements and how this document meets them.
 
-        The customer may with to consult NIST Special Publication 800-18, 
+        The customer may with to consult NIST Special Publication 800-18,
         Revision 1, Guide for Developing Security Plans for Federal Information
         Systems, which contains guidance on security planning. Portions of this
         system security plan will discuss controls inherited from infrastructure
         providers, such as Microsoft Azure, and will refer to the
-        infrastructure providers SSP.>'
+        infrastructure providers SSP.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for distributing the system security
+        '//*
+        The customer will be responsible for distributing the system security
         plan to relevant personnel and keeping those personnel informed of
         subsequent changes. A successful control response will need to address
         identifying personnel who should receive a copy of the system security
         plan, as well as ensuring all such personnel are notified
-        appropriately.>'
+        appropriately.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing the system security
+        '//*
+        The customer will be responsible for reviewing the system security
         plan at the required frequency. A successful control response will need
         to address the initiation of the review process and the roles or
-        individuals responsible for review.>'
+        individuals responsible for review.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for updating the system security
+        '//*
+        The customer will be responsible for updating the system security
         plan to address changes to the information system and its environment
         or any problems identified during implementation or security
         assessments. A successful control response will need to discuss the
         roles or individuals responsible for updating the plan, as well as
-        the process for approval of any updates.>'
+        the process for approval of any updates.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for protecting the security plan from
+        '//*
+        The customer will be responsible for protecting the security plan from
         unauthorized disclosure or modification. A successful control response
         will need to address policy, procedural, and technical safeguards that
-        are in place to protect the system security plan.>'
+        are in place to protect the system security plan.
+        */'
 
 - control_key: PL-2 (3)
   standard_key: NIST-800-53
@@ -79,13 +94,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for planning and coordinating
+        '//*
+        The customer will be responsible for planning and coordinating
         security-related activities so as to reduce the impact on other
         organizational entities. These activities may include security
         assessments, audits, maintenance, patch management, and contingency
         plan testing. A successful control response will need to address the
         process by which other organizational entities are notified of and
-        consulted regarding such activities.>'
+        consulted regarding such activities.
+        */'
 
 - control_key: PL-4
   standard_key: NIST-800-53
@@ -94,29 +111,37 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for defining, documenting, and
+        '//*
+        The customer will be responsible for defining, documenting, and
         distributing rules of behavior. A successful control response will need
         to outline the rules of behavior and discuss the process for making them
-        available to users requiring access to the system.>'
+        available to users requiring access to the system.
+        */'
     - key: b
       text: |
-        '<The customer will be repsonsible for obtaining signed acknowledgement
+        '//*
+        The customer will be repsonsible for obtaining signed acknowledgement
         of the rules of behavior from its users. A successful control response
         will need to address the process for withholding authorization until
-        signatures are obtained.>'
+        signatures are obtained.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing and updating the rules
+        '//*
+        The customer will be responsible for reviewing and updating the rules
         of behavior at the required frequency. A successful control response
         will need to address the process for initiating review, as well as the
         individuals or roles for carrying out the review, managing updates, and
-        approving the final version.>'
+        approving the final version.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for obtaining signed acknowledgement
+        '//*
+        The customer will be responsible for obtaining signed acknowledgement
         of the updated rules of behavior. A successful control response will
         need to address the process for removing authorization if signatures
-        are not obtained in a timely manner.>'
+        are not obtained in a timely manner.
+        */'
 
 - control_key: PL-4 (1)
   standard_key: NIST-800-53
@@ -124,11 +149,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for incorporating explicit
+        '//*
+        The customer will be responsible for incorporating explicit
         restrictions on the use of social media/networking sites and posting
         organizational information on public websites into the rules of
         behavior. A successful control response will need to outline the
-        relevant portions of the rules of behavior.>'
+        relevant portions of the rules of behavior.
+        */'
 
 - control_key: PL-8
   standard_key: NIST-800-53
@@ -137,25 +164,31 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing their information
+        '//*
+        The customer will be responsible for developing their information
         security architecture. A successful contrl response will need to
         discuss the guiding principles used to protect confidentiality,
         integrity, and availability of system information and the dependencies
         on external services (such as Microsoft Azure). Additionally, a
         description of the information security architecture should be included
-        in the introductory sections of this system security plan.>'
+        in the introductory sections of this system security plan.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         security architecture at a required frequency. A succesful control
         response will need to address the process for initiating review, as well
         as the individuals or roles responsible for carrying out the review,
-        managing updates, and approving the final version.>'
+        managing updates, and approving the final version.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for incorporating changes to the
+        '//*
+        The customer will be responsible for incorporating changes to the
         security architecture into this system security plan as well as
         related materials. A successful control response will need to address
         the process for aligning the contents of the system security plan
         with the information security architecture, including the
-        individuals or roles responsible for that alignment.>'
+        individuals or roles responsible for that alignment.
+        */'
diff --git a/OpenShift-v3/policies/PS-Personnel_Security/component.yaml b/OpenShift-v3/policies/PS-Personnel_Security/component.yaml
index 794205e..851a8d6 100644
--- a/OpenShift-v3/policies/PS-Personnel_Security/component.yaml
+++ b/OpenShift-v3/policies/PS-Personnel_Security/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Personnel Security
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Personnel Security policy and procedures. A successful
         control response will need to address the content of the policy
         (which must include purpose, scope, roles, responsibilities, management
         commitment, coordination, and compliance) and procedures (which must
         facilitate the implementation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
-        Personnel Security policy every 3 years, and procedures annually. A 
+        '//*
+        The customer will be responsible for reviewing and updating the
+        Personnel Security policy every 3 years, and procedures annually. A
         successful control response will need to address the review and update
         process, including the role(s) responsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: PS-2
   standard_key: NIST-800-53
@@ -33,26 +38,32 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for assigning risk designations to
+        '//*
+        The customer will be responsible for assigning risk designations to
         all positions of cusomer personnel using IaaS that are consistent
         with the customers internal policies and procedures. A successful
         control response will need to address the criteria used in risk
         designation assignments (for example, specific responsibilities, access
-        to certain types of data, etc.).>'
+        to certain types of data, etc.).
+        */'
     - key: b
       text: |
-        '<The customerw ill be responsible for establishing screening criteria
+        '//*
+        The customerw ill be responsible for establishing screening criteria
         for individuals filling positions with access to the information
         system. A successful control response will need to address the rationale
         for each level of screening based on the responsibilities or access
-        associated with each risk designation.>'
+        associated with each risk designation.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing and revising risk
+        '//*
+        The customer will be responsible for reviewing and revising risk
         designations at the required frequency. A successful control response
         will need to address the review process, including the role(s)
         responsible for initiating the review process, revising risk
-        designations, and providing approval of any changes.>'
+        designations, and providing approval of any changes.
+        */'
 
 - control_key: PS-3
   standard_key: NIST-800-53
@@ -61,16 +72,20 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for screening individuals prior to
+        '//*
+        The customer will be responsible for screening individuals prior to
         authorizing access. A successful control response will need to
         demonstrate alignment of the screening as performed to the screening
-        requirements established in PS-2.>'
+        requirements established in PS-2.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for rescreening individuals at the
+        '//*
+        The customer will be responsible for rescreening individuals at the
         required frequency. A successful control response will need to discuss
         the process for iniating rescreening, as well as for disabling or
-        removing access if rescreening is not completed in a timely manner.>'
+        removing access if rescreening is not completed in a timely manner.
+        */'
 
 - control_key: PS-3 (3)
   standard_key: NIST-800-53
@@ -78,12 +93,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that access to
+        '//*
+        The customer will be responsible for ensuring that access to
         information requiring special protection is contingent on additional
         screening as required by the specific nature of that information. A
         successful control response will need to address identifying such
         information and enforcing the additional screening prior to
-        authorization of access>'
+        authorization of access
+        */'
 
 - control_key: PS-4
   standard_key: NIST-800-53
@@ -92,45 +109,57 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for disabling system access for
+        '//*
+        The customer will be responsible for disabling system access for
         terminated employees on teh day of termination. A successful control
         response will need to address the process by which access disablement
         is requested, as well as the personnel responsible for initiating and
-        completing the request.>'
+        completing the request.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for terminating or revoking
+        '//*
+        The customer will be responsible for terminating or revoking
         authenticators and credentials associated with terminated individuals. A
         successful control response will need to discuss the authenticators/
         credentials to be terminated/revoked, as well as the process for
-        terminating or revoking each.>'
+        terminating or revoking each.
+        */'
     - key: c
       text: |
-        '<The customerw ill be responsible for conducting exit interviews. A
+        '//*
+        The customerw ill be responsible for conducting exit interviews. A
         successful control response will need to address the topics discussed
         during the interviews and the personnel responsible for conducting
-        the interviews.>'
+        the interviews.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for retrieving all security related,
+        '//*
+        The customer will be responsible for retrieving all security related,
         information system related, organizational property from terminated
         indviduals. A successful control response will need to address the
         prcess and personnel responsible for ensuring that all such property
-        is retrieved.>'
+        is retrieved.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for retaining access to information
+        '//*
+        The customer will be responsible for retaining access to information
         and information systems formerly controlled by terminated individuals. A
         successful control response will need to address how this retention
         occures, personnel responsible for retention, and any minimum or
-        maximum retention periods.>'
+        maximum retention periods.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for notifying relevant personnel
+        '//*
+        The customer will be responsible for notifying relevant personnel
         within a defined time period after an individual is terminated. A
         successful control response will need to define the time period and
         personnel who should be notified, as well as discussing the process
-        by which notification happens.>'
+        by which notification happens.
+        */'
 
 - control_key: PS-5
   standard_key: NIST-800-53
@@ -139,32 +168,40 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for reviewing access authorizations
+        '//*
+        The customer will be responsible for reviewing access authorizations
         for individuals when those individuals are reassigned or transferred. A
         successful control response will need to address the intiation of this
         review and individuals or roles responsible for perfoming and validating
-        the results of reviews.>'
+        the results of reviews.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for initiating reassignments or
+        '//*
+        The customer will be responsible for initiating reassignments or
         transfers within a customer-defined time period after the formal
         reaassignment or transfer. A successful control response will need to
         address the specific ations taken, personnel responsible for those
-        actions, and timeframes for initiation of those actions.>'
+        actions, and timeframes for initiation of those actions.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for modifying access authorizations
+        '//*
+        The customer will be responsible for modifying access authorizations
         based on the results of the review carried out in Part A. A successful
         control response will need to address the process by which
         authorizations are modified, personnel responsible for intiating the
-        change, and any technical means of enforcement of the change.>'
+        change, and any technical means of enforcement of the change.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for notifying relevant personnel
+        '//*
+        The customer will be responsible for notifying relevant personnel
         within the required timeframe after a formal reassignment or transfer. A
         successful control response will need to address the identification of
         interested personnel or roles as well as the means by which notification
-        occurs.>'
+        occurs.
+        */'
 
 - control_key: PS-6
   standard_key: NIST-800-53
@@ -173,26 +210,32 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing agreements for access
+        '//*
+        The customer will be responsible for developing agreements for access
         to the system. A successful control response will need to outline the
         contents of access agreements and the conditions under which they
-        are used.>'
+        are used.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating access
+        '//*
+        The customer will be responsible for reviewing and updating access
         agreements at the required frequency. A successful control response will
         need to address the initiation of the review process, the personnel or
         roles responsible for reviewing and updating the agreement, and the
-        process for approval of any changes.>'
+        process for approval of any changes.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for ensuring that individuals
+        '//*
+        The customer will be responsible for ensuring that individuals
         review and sign access agreements prior to initial access and to
         maintain access after updates. A successful control response will need
         to address the process for withholding access until after the initial
         signature is recieved, as well as for disabling or removing access if
         the access agreement changes and an individual does not re-sign it in
-        a timely manner.>'
+        a timely manner.
+        */'
 
 - control_key: PS-7
   standard_key: NIST-800-53
@@ -201,35 +244,45 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing personnel security
+        '//*
+        The customer will be responsible for establishing personnel security
         requirements for third-party providers. A successful control response
         will need to outline these requirements and address the process
-        for notifying third-party providers of the requirements.>'
+        for notifying third-party providers of the requirements.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for requiring third-party providers
+        '//*
+        The customer will be responsible for requiring third-party providers
         to comply with the requirements established in PS-7(a). A successful
         control response will need to address the process for obtaining
-        agreement to the requirements and enforcing the requirements.>'
+        agreement to the requirements and enforcing the requirements.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for documenting personnel security
+        '//*
+        The customer will be responsible for documenting personnel security
         requirements for third-party providers. A successful control response
         will need to discuss the process for creating documentation and sharing
-        it with the providers.>'
+        it with the providers.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for including nofication of
+        '//*
+        The customer will be responsible for including nofication of
         terminations and transfers within the personnel security requirements. A
         successful control response will need to discuss the specific
         notification requirements, in particular the requirement for
-        notification within the same day.>'
+        notification within the same day.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for monitoring provider compliance
+        '//*
+        The customer will be responsible for monitoring provider compliance
         with personnel security requirements. A successful control response
         will need to address personnel responsible for monitoring compliance,
-        mechanisms used for monitoring, and consequences of non-compliance.>'
+        mechanisms used for monitoring, and consequences of non-compliance.
+        */'
 
 - control_key: PS-8
   standard_key: NIST-800-53
@@ -238,15 +291,19 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing sanctions process
+        '//*
+        The customer will be responsible for establishing sanctions process
         for non-compliance with policies and procedures. A successful control
         response will need to address different forms of non-compliance and
-        specific measures that may be enforced for each.>'
+        specific measures that may be enforced for each.
+        */'
     - key: b
       text: |
-        '<The customer will ne responsible for notifying interested personnel
+        '//*
+        The customer will ne responsible for notifying interested personnel
         when the sanctions process is initiated. A successful control response
         will need to delineate the relevant personnel to be notified, the
         roles or individuals responsible for notification, and the information
         convayed as part of the notification (to include, at a minimum the
-        indivual sanctioned and the reason for the sanction).>'
+        indivual sanctioned and the reason for the sanction).
+        */'
diff --git a/OpenShift-v3/policies/RA-Risk_Assessment/component.yaml b/OpenShift-v3/policies/RA-Risk_Assessment/component.yaml
index bc14d59..3f88950 100644
--- a/OpenShift-v3/policies/RA-Risk_Assessment/component.yaml
+++ b/OpenShift-v3/policies/RA-Risk_Assessment/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Risk Assessment
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating Risk Assessment policy and procedures. A successful
         control response will need to address the content of the policy
-        (which must include purpose, scope, roles, responsibilities, 
+        (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implimentation of the policies and associated
-        controls).>'
+        controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         Risk Assessment policy every 3 years, and procedures annually. A
         successful control repsonse will need to address the reiew and update
         process, including the role(s) repsonsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: RA-2
   standard_key: NIST-800-53
@@ -33,7 +38,8 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for categorizing the customer
+        '//*
+        The customer will be responsible for categorizing the customer
         system and information contained within it. A successful control
         response will need to address the applicable Federal Laws, Executive
         Orders, directives, policies, regulations, standards, and guidance, as
@@ -42,18 +48,23 @@ satisfies:
         Resources related to information categorization include FIPS 199,
         Standards for Security Categorization of Federal Information and
         Information Systems, and NIST SP 800-61, Rev. 1, Guide for Mapping
-        Types of Information and Inforation Systems to Security Categories.>'
+        Types of Information and Inforation Systems to Security Categories.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting the security
+        '//*
+        The customer will be responsible for documenting the security
         categorization. A successful response will need to address supporting
         rationale, including types of information considered, risk impact
-        analysis, and input from stakeholders and organizational officials.>'
+        analysis, and input from stakeholders and organizational officials.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for presneting the security
+        '//*
+        The customer will be responsible for presneting the security
         categorization decision to the Authorizing Official or a
-        designated representative for review and approval.>'
+        designated representative for review and approval.
+        */'
 
 - control_key: RA-3
   standard_key: NIST-800-53
@@ -62,11 +73,12 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for conducting a risk assessment,
+        '//*
+        The customer will be responsible for conducting a risk assessment,
         including a review of controls inherited from infrastruture providers,
         and for those which the customer is responsible. A successful control
         response will need to address the assessment methodology and calculation
-        of the likelihood and magnitude of harm that could result from 
+        of the likelihood and magnitude of harm that could result from
         unauthorized access, use, disclosure, disruption, or modification of
         IaaS layers, the customer application, and the information processed,
         stored, and transmitted by those systems.
@@ -76,39 +88,48 @@ satisfies:
         Information Systems and Organizations: Building Effective Assessment
         Plans both provide guidance that may be used by the customer in
         developing the risk assessment methodology and performing the risk
-        assessment.>'
+        assessment.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting the results of the
+        '//*
+        The customer will be responsible for documenting the results of the
         risk assessment in a Security Assessment Report. A successful control
         response will need to address specific requirements for the report
-        (e.g., it should include controls that are considered "other than 
+        (e.g., it should include controls that are considered "other than
         satisfied," potential weaknesses in control sthat meet minimum
         requirements, recommended remediation steps, and risks associated with
         the system). The customer may with to employ a 3PAO to assist with
-        the initial risk assessment (see CA-2).>'
+        the initial risk assessment (see CA-2).
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for reviewing risk assessment results
-        at the required frequency. A successful control response will need to 
+        '//*
+        The customer will be responsible for reviewing risk assessment results
+        at the required frequency. A successful control response will need to
         address the personnel or roles responsible for reviewing results, as
-        well as any actions taken in response to risk assessment results.>'
+        well as any actions taken in response to risk assessment results.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for disseminating risk assessment
+        '//*
+        The customer will be responsible for disseminating risk assessment
         results to customer-defined stakeholders and organizational officials. A
         successful control response will need to outline the stakeholders
-        involved and the means of distribution of results.>'
+        involved and the means of distribution of results.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for updating the risk assessment
+        '//*
+        The customer will be responsible for updating the risk assessment
         at the required frequency of when a significant change occurs. (Note
         that "significant change" is defined in NIST 800-37 Rev 1, Appendix F).
         A successful control respinse will need to discuss examples of
         significant changes that might occur within the customer application,
         as well as the specific actions that will be taken when the risk
         assessment is updated (such as updating system security plans and
-        other documentation).>'
+        other documentation).
+        */'
 
 - control_key: RA-5
   standard_key: NIST-800-53
@@ -117,43 +138,53 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for scanning for vulnerabilities
+        '//*
+        The customer will be responsible for scanning for vulnerabilities
         in customer applications and databases. Additionally, IaaS customers
         using an operating system image will be responsible for scanning
         for vulnerabilities in the operating system. A successful control
         response will need to address the tools used to perform scans as well
         as the additional FedRAMP requirement for independant assessors to
-        scan the system on an annual basis.>'
+        scan the system on an annual basis.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for ensuring that vulnerability
+        '//*
+        The customer will be responsible for ensuring that vulnerability
         scanning tools use standards for enumerating components, flaws, and
         improper configurations; formatting checklists and test procedures;
         and measuring vulnerability impact. A successful control response will
         need to address how each vulnerability scanning tool in use meets these
         requirements (for example, by using Common Vulnerabilities and
-        Exposures (CVE) values).>'
+        Exposures (CVE) values).
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for analyzing scan reports and
+        '//*
+        The customer will be responsible for analyzing scan reports and
         assessment results for actionable data. A successful control response
         will need to address the roles or personnel responsible for the
-        analysis, as well as criteria used in performing the analysis.>'
+        analysis, as well as criteria used in performing the analysis.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for remediating vulnerabilities in
+        '//*
+        The customer will be responsible for remediating vulnerabilities in
         customer applications and customer-provider OS images in accordance
         with the required timeframes. A successful control response will need
         to address prioritization of remediation activities and roles or
         personnel responsible for ensuring that timeframe requirements are
-        met.>'
+        met.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for sharing vulnerability scan
+        '//*
+        The customer will be responsible for sharing vulnerability scan
         results and security assessment reports with customer-defined
         stakeholders. A successful control response will need to address the
         stakeholders involved and the types of information shared with
-        each stakeholder.>'
+        each stakeholder.
+        */'
 
 - control_key: RA-5 (1)
   standard_key: NIST-800-53
@@ -161,12 +192,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for scanning customer applications
+        '//*
+        The customer will be responsible for scanning customer applications
         and customer-deployed operating system images using compliant
         vulnerability scanning tools. A successful control response will need
         to address the specific tools used and the process required to
         update the list of information system vulnerabilities to be scanned
-        for each.>'
+        for each.
+        */'
 
 - control_key: RA-5 (2)
   standard_key: NIST-800-53
@@ -174,11 +207,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for updating the list of
+        '//*
+        The customer will be responsible for updating the list of
         vulnerabilities scanner prior to each scan. A successful control
         response will need to address the roles or personnel responsible for
         ensuring that this requirement is met, as well as the process for
-        initiating a new scan if the required update does not occur.>'
+        initiating a new scan if the required update does not occur.
+        */'
 
 - control_key: RA-5 (3)
   standard_key: NIST-800-53
@@ -186,11 +221,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that vulnerability
+        '//*
+        The customer will be responsible for ensuring that vulnerability
         scanning tools and procedures demonstrate the breadth and depth of
         coverage. A successful control response will need to address the
         specific tools in use and discuss the reason each tool is felt to
-        provide sufficient breadth and depth of coverage.>'
+        provide sufficient breadth and depth of coverage.
+        */'
 
 - control_key: RA-5 (5)
   standard_key: NIST-800-53
@@ -198,11 +235,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that scans of the
-        customer environment include privileged access authorizations. A 
+        '//*
+        The customer will be responsible for ensuring that scans of the
+        customer environment include privileged access authorizations. A
         successful control response will need to address how privileged
         access authorizations are configured, as well as how successful
-        authorization is validated during the analysis of scan results.>'
+        authorization is validated during the analysis of scan results.
+        */'
 
 - control_key: RA-5 (6)
   standard_key: NIST-800-53
@@ -210,10 +249,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for using automated mechanisms to
+        '//*
+        The customer will be responsible for using automated mechanisms to
         analyze vulnerability scan results over time to determine trends. A
         successful control response will need to discuss the mechanisms in use
-        and the metrics employed in scan result analysis.>'
+        and the metrics employed in scan result analysis.
+        */'
 
 - control_key: RA-5 (8)
   standard_key: NIST-800-53
@@ -221,8 +262,10 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for reviewing historic audit logs to
+        '//*
+        The customer will be responsible for reviewing historic audit logs to
         determine if a vulnerability identified in the information system
         has been previously exploited. A successful control response will need
         to address the criteria used in analysis of audit logs to correlate log
-        data with vulnerability scan results.>'
+        data with vulnerability scan results.
+        */'
diff --git a/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml b/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
index 6b3c6d3..0e19cc8 100644
--- a/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
+++ b/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: System and Services Acquisition
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating System and Services Aquisition policy and procedures. A
         successful control response will need to address the content of the
         policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and
-        associated controls).>'
+        associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the Audit
+        '//*
+        The customer will be responsible for reviewing and updating the Audit
         and Accountability policy every 3 years, and procedures annualy. A
         successful control response will need to address the review and update
         process, including the role(s) responsible for initiating the review
         process, updating the policy and procedures, and providing approval
-        of the updates.>'
+        of the updates.
+        */'
 
 - control_key: SA-2
   standard_key: NIST-800-53
@@ -33,24 +38,30 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for determining information security
+        '//*
+        The customer will be responsible for determining information security
         requirements during mission/business process planning. A successful
         control response will indicate how information security has been
-        integrated into mission/business planning.>'
+        integrated into mission/business planning.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for determining, documenting, and
+        '//*
+        The customer will be responsible for determining, documenting, and
         allocating the resources required to protect the information system
         as part of capital planning and investment control processes. A
         successful control response will indicate how information security
-        has been incorporated into financial planning processes.>'
+        has been incorporated into financial planning processes.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for establishing a discrete line
+        '//*
+        The customer will be responsible for establishing a discrete line
         item for information security in organizational programming and
         budgeting documentation. A successful control response will indicate
         how information security is a stand-alone practice within the
-        organization.>'
+        organization.
+        */'
 
 - control_key: SA-3
   standard_key: NIST-800-53
@@ -59,31 +70,39 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for managing the information system
+        '//*
+        The customer will be responsible for managing the information system
         using a Secure Development Lifecycle that incorporates information
         security considerations. A successful control response will indicate
         how information security requirements are part of project management
-        plans.>'
+        plans.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for defining and documenting
+        '//*
+        The customer will be responsible for defining and documenting
         information security roles and responsibilities throughout the
         system development lifecycle. A successful control response will
         indicate how information security roles are kept current during all
-        stages of the information systems lifecycle.>'
+        stages of the information systems lifecycle.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for identifying individuals
+        '//*
+        The customer will be responsible for identifying individuals
         that have information security roles and responsibilities. A successful
         control response will document these individuals, their
         responsibilities, and how the organization keeps current this
-        information.>'
+        information.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for integrating the organizational
+        '//*
+        The customer will be responsible for integrating the organizational
         information security risk management process into system lifecycle. A
         successful control response indicates how the organization follows the
-        NIST Risk Management Framework, or an agency-specific derivative.>'
+        NIST Risk Management Framework, or an agency-specific derivative.
+        */'
 
 - control_key: SA-4
   standard_key: NIST-800-53
@@ -92,61 +111,75 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for including security functional
+        '//*
+        The customer will be responsible for including security functional
         requirements in acquisition contracts. A successful control response
         will need to address consideration of applicable federal laws,
         Executive Orders, directives, policies, regulations, standards,
         guidelines, and organizational mission/business needs in the creation
-        of the contracts.>'
+        of the contracts.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for including security strength
+        '//*
+        The customer will be responsible for including security strength
         requirements in acquisition contracts. A successful control response
         will need to address consideration of applicable federal laws,
         Executive Orders, directives, policies, regulations, standards,
         guidelines, and organizational mission/business needs in the creation
-        of the contracts.>'
+        of the contracts.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for including security assurance
+        '//*
+        The customer will be responsible for including security assurance
         requirements in acquisition contracts. A successful control response
         will need to address consideration of applicable federal laws,
         Executive Orders, directives, policies, regulations, standards,
         guidelines, and organizational mission/business needs in the creation
-        of the contracts.>'
+        of the contracts.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for including security-related
+        '//*
+        The customer will be responsible for including security-related
         documentation requirements in acquistion contracts. A successful control
         response will need to address consideration of applicable laws,
         Executive Orders, directives, policies, regulations, standards,
         guidelines, and organizational mission/business needs in the creation
-        of the contracts.>'
+        of the contracts.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for including requirements for
+        '//*
+        The customer will be responsible for including requirements for
         protecting security-related documentation in acqusition contracts. A
         successful control response will need to address consideration of
         applicable laws, Executive Orders, directives, policies, regulations,
         standards, guidelines, and organizational mission/business needs in the
-        creation of the contracts.>'
+        creation of the contracts.
+        */'
     - key: f
       text: |
-        '<The customer will be responsible for including a description of the
+        '//*
+        The customer will be responsible for including a description of the
         information system development environment and in which the system
         is intended to operate in acquisition contracts. A successful control
         response will need to address consideration of applicable federal laws,
-        Executive Orders, directives, policies, regulations, standards, 
+        Executive Orders, directives, policies, regulations, standards,
         guidelines, and organizational mission/business needs in the creation
-        of the contracts.>'
+        of the contracts.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible for including acceptance criteria
+        '//*
+        The customer will be responsible for including acceptance criteria
         in acquisition contracts. A successful control response will need to
         address consideration of applicable federal laws, Executive Orders,
         directives, policies, regulations, standards, guidelines, and
         organizational mission/business needs in the creation of the
-        contracts.>'
+        contracts.
+        */'
 
 - control_key: SA-4 (1)
   standard_key: NIST-800-53
@@ -154,11 +187,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for requiring the developer of
+        '//*
+        The customer will be responsible for requiring the developer of
         the information system to provide a description of the functional
         properties of the security controls to be employed. A successful
         control response will address how this requirement is built into
-        procurement language.>'
+        procurement language.
+        */'
 
 - control_key: SA-4 (2)
   standard_key: NIST-800-53
@@ -166,13 +201,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for requiring the developer of the
+        '//*
+        The customer will be responsible for requiring the developer of the
         information system to provide design and implementation information
         for the security controls to be employed that includes security-relevant
         external interfaces and high-level design. This information must be
         at a level of detail sufficient for secure deployment. A successful
         control response will indicate address how this requirement is built
-        into procurement language.>'
+        into procurement language.
+        */'
 
 - control_key: SA-4 (8)
   standard_key: NIST-800-53
@@ -180,11 +217,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for requiring the developer of
+        '//*
+        Customers are responsible for requiring the developer of
         customer-controlled software and operating systems to produce a plan
         for continuous monitoring of security control effectiveness. A
         successful control response will discuss the level of detail required
-        by the customer as part of these continuous monitoring activities.>'
+        by the customer as part of these continuous monitoring activities.
+        */'
 
 - control_key: SA-4 (9)
   standard_key: NIST-800-53
@@ -192,11 +231,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for requiring the developer of
+        '//*
+        Customers are responsible for requiring the developer of
         customer-controlled software and operating systems to identify required
         ports, protocols, services and functions early in the development
         process. A successful control response will address the process by
-        which this requirement is enforced.>'
+        which this requirement is enforced.
+        */'
 
 - control_key: SA-4 (10)
   standard_key: NIST-800-53
@@ -204,13 +245,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for employing only information
+        '//*
+        The customer is responsible for employing only information
         technology products on the FIPS 201-approved products list for
         Personal Identity Vertification (PIV) capability implemented within
         organizational information systems. A successful control response will
         indicate that all system components have been selected from this list,
         and if not, document waivers with appropriate organizational authorities
-        signature.>'
+        signature.
+        */'
 
 - control_key: SA-5
   standard_key: NIST-800-53
@@ -219,37 +262,47 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for obtaining administrator documentation
+        '//*
+        Customers are responsible for obtaining administrator documentation
         for customer-controlled software and operating systems. A successful
         control response will address the specific content requirements
-        outlined in the control>'
+        outlined in the control
+        */'
     - key: b
       text: |
-        '<Customers are responsible for obtaining user documentation for
+        '//*
+        Customers are responsible for obtaining user documentation for
         customer-controlled software and operating systems. A successful control
         response will address the specific content requirements outlined in
-        the control.>'
+        the control.
+        */'
     - key: c
       text: |
-        '<Customers are responsible for documenting attempts to obtain
+        '//*
+        Customers are responsible for documenting attempts to obtain
         administrator and user documentation for customer-controlled software
         and operating systems if that documentation is not available. A
         successful control response will discuss the process by which attempts
         to obtain documentation are made as well as any additional actions
-        taken.>'
+        taken.
+        */'
     - key: d
       text: |
-        '<Customers are responsible for protecting administrator and user
+        '//*
+        Customers are responsible for protecting administrator and user
         documentation for customer-controlled software and operating systems.
         A successful control response will discuss how the safeguards are used
-        in accordance with the organizations risk management strategy.>'
+        in accordance with the organizations risk management strategy.
+        */'
     - key: e
       text: |
-        '<Customers are responsible for distributing documentation for
+        '//*
+        Customers are responsible for distributing documentation for
         customer-controlled software and operating systems to appropriate
         personnel. A successful control response will discuss the means
         of distribution and the process for designating appropraite personnel
-        or roles.>'
+        or roles.
+        */'
 
 - control_key: SA-8
   standard_key: NIST-800-53
@@ -257,10 +310,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for embedding secure system development
+        '//*
+        Customers are responsible for embedding secure system development
         lifecycle principles in the specification, design, development,
         implementation, and modification of the system. A successful control
-        response will discuss the processes followed.>'
+        response will discuss the processes followed.
+        */'
 
 - control_key: SA-9
   standard_key: NIST-800-53
@@ -269,26 +324,32 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible to require that external information systems
+        '//*
+        Customers are responsible to require that external information systems
         comply with organiziational security requirements and FedRAMP
         Security Controls Baseline(s) if Federal information is processed or
         stored within the external system. A successful control response will
         indicate how this is enforced, procedurally and technically, for
-        external information systems.>'
+        external information systems.
+        */'
     - key: b
       text: |
-        '<Customers are responsible for defining and documenting government
+        '//*
+        Customers are responsible for defining and documenting government
         oversight and user roles and responsibilities regarding external
         information system services. A successful contro response will address
-        the procedures for this oversight.>'
+        the procedures for this oversight.
+        */'
     - key: c
       text: |
-        '<Customers are responsible for employing Federal/FedRAMP Continuous
+        '//*
+        Customers are responsible for employing Federal/FedRAMP Continuous
         Monitoring Requirements on external systems where Federal information
         is processed or stored, and monitor security control compliance by
         external serice providers on an ongoing basis. A successful control
         response will address the procedural and technical processes used to
-        accomplish this.>'
+        accomplish this.
+        */'
 
 - control_key: SA-9 (1)
   standard_key: NIST-800-53
@@ -297,16 +358,20 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Customers are responsible for conducting organizational assessment
-        of risk prior to the acquisition or outsourcing of dedicated 
+        '//*
+        Customers are responsible for conducting organizational assessment
+        of risk prior to the acquisition or outsourcing of dedicated
         information security services. A successful control response will
-        address the process of the risk assessment and analysis of findings.>'
+        address the process of the risk assessment and analysis of findings.
+        */'
     - key: b
       text: |
-        '<Customers are responsible for ensuring that the aquisition or
+        '//*
+        Customers are responsible for ensuring that the aquisition or
         outsourcing of dedicated information security services is approved
         by organizational authorities. A successful control response will
-        address formal approval processes.>'
+        address formal approval processes.
+        */'
 
 - control_key: SA-9 (2)
   standard_key: NIST-800-53
@@ -314,11 +379,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for requiring providers of all external
+        '//*
+        Customers are responsible for requiring providers of all external
         information systems where Federal information is processed or stored
         to identify the functions, ports, protocols, and other services
         required for the use of such services. A successful control response
-        will indicate this requirement in contracting language.>'
+        will indicate this requirement in contracting language.
+        */'
 
 
 - control_key: SA-9 (4)
@@ -327,11 +394,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for employing FedRAMP security requirements
+        '//*
+        Customers are responsible for employing FedRAMP security requirements
         to ensure the interests of all external systems where Federal
         information is processed or stored is consistent with and reflect
         organizational interests. A successful control response will discuss
-        how FedRAMP security requirements are enforced in external systems.>'
+        how FedRAMP security requirements are enforced in external systems.
+        */'
 
 - control_key: SA-9 (5)
   standard_key: NIST-800-53
@@ -339,9 +408,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for restricting the location of information
+        '//*
+        Customers are responsible for restricting the location of information
         processing, information data, and information services, to
-        continental United States datacenters based on business requirements.>'
+        continental United States datacenters based on business requirements.
+        */'
 
 - control_key: SA-10
   standard_key: NIST-800-53
@@ -350,34 +421,44 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for performing configuration
+        '//*
+        The customer will be responsible for performing configuration
         management for customer-controlled operating systems and software. A
         successful control response will need to address the process and
-        mechanisms involved in configuration management.>'
+        mechanisms involved in configuration management.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for documenting, managing, and
+        '//*
+        The customer will be responsible for documenting, managing, and
         controlling the integrity of changes to customer-controlled operating
         systems and software. A successful control response will need to
-        address the processes and mechanisms involved in these activities.>'
+        address the processes and mechanisms involved in these activities.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for implementing only approved
+        '//*
+        The customer will be responsible for implementing only approved
         changes. A successful control response will need to address the
         approval process and safeguards in place to ensure only approved
-        changes are implemented.>'
+        changes are implemented.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for documenting approved changes
+        '//*
+        The customer will be responsible for documenting approved changes
         to customer-controlled operating systems and software as well as the
         potential security implications of such changes. A successful control
-        response will need to discuss the process for documentation.>'
+        response will need to discuss the process for documentation.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for tracking, resolving, and
+        '//*
+        The customer will be responsible for tracking, resolving, and
         reporting security flaws within customer-controlled operating systems
         and software. A successful control response will need to discuss the
-        process and tools used for tracking, resolution, and reporting.>'
+        process and tools used for tracking, resolution, and reporting.
+        */'
 
 - control_key: SA-10 (1)
   standard_key: NIST-800-53
@@ -385,7 +466,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for enabling integrity verification
+        '//*
+        The customer will be responsible for enabling integrity verification
         for customer-controlled operating systems and software. A successful
         control response will need to address the processes and mechanisms
         involved in integrity verification.
@@ -394,7 +476,8 @@ satisfies:
         integrity, and non-repudiation. Documentation can be found
         in the "Container Image Signing Integration Guide":
 
-        https://access.redhat.com/articles/2750891 >'
+        https://access.redhat.com/articles/2750891 
+        */'
 
 - control_key: SA-11
   standard_key: NIST-800-53
@@ -403,40 +486,50 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for ensuring that the developer
+        '//*
+        The customer will be responsible for ensuring that the developer
         of customer-controlled operating systems and software creates
         and implements a security assessment plan. A successful control
-        response will need to outline the security assessment plan.>'
+        response will need to outline the security assessment plan.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for ensuring that the developer
+        '//*
+        The customer will be responsible for ensuring that the developer
         of customer-controlled operating systems and software performs
         system testing at a customer-required depto and coverage. A
         successful control response will need to address the types of testing
-        performed and the depth required.>'
+        performed and the depth required.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for ensuring that the developer of
+        '//*
+        The customer will be responsible for ensuring that the developer of
         customer-controlled operating systems and software produces evidence
         of the execution of the security assessment plan and the
         results of the security testing/evaluation. A successful control
         response will need to address the process by which the customer
-        obtains and reviews the evidence and results of testing.>'
+        obtains and reviews the evidence and results of testing.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for ensuring that the developer of
+        '//*
+        The customer will be responsible for ensuring that the developer of
         customer-controlled operating systems and software implements a
         verifiable flaw remediation process. A successful control response
         will need to outline the means by which flaws are identified and
-        addressed.>'
+        addressed.
+        */'
     - key: e
       text: |
-        '<The customer will be responsible for ensuring that the developer of
-        customer-controlled operating systems and software corrects flaws 
+        '//*
+        The customer will be responsible for ensuring that the developer of
+        customer-controlled operating systems and software corrects flaws
         identified during security tsting. A successful control response
         will need to discuss the procedure for identifying flaws, alerting
         appropriate personnel to correct flaws, and verifying the success
-        of the correction.>'
+        of the correction.
+        */'
 
 - control_key: SA-11 (1)
   standard_key: NIST-800-53
@@ -444,11 +537,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that the developer of
+        '//*
+        The customer will be responsible for ensuring that the developer of
         customer-controlled operating systems and software employs static code
         analysis tools. A successful control response will need to discuss
         the tools in use, the means by which the tools are used to identify
-        common flaws, and the process for documenting results of testing.>'
+        common flaws, and the process for documenting results of testing.
+        */'
 
 - control_key: SA-11 (2)
   standard_key: NIST-800-53
@@ -456,13 +551,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that the developer of
+        '//*
+        The customer will be responsible for ensuring that the developer of
         customer-controlled operating systems and software performs threat and
         vulnerability analysis of testing of the as-built system or software. A
         successful control response will need to address the analysis of how
         the as-built system differs from the initial design, as well as how
         any new vulnerabilities created as a result of these differences
-        are reviewed and mitigated.>'
+        are reviewed and mitigated.
+        */'
 
 
 - control_key: SA-11 (8)
@@ -471,8 +568,10 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that the developer of
+        '//*
+        The customer will be responsible for ensuring that the developer of
         customer-controlled operating systems and software employs dynamic
         code analysis tools. A successful control response will need to discuss
         the tools in use, the means by which the tools are used to identify
-        common flaws, and the process for documenting results of testing.>'
+        common flaws, and the process for documenting results of testing.
+        */'
diff --git a/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml b/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
index 1a93d01..36b58f0 100644
--- a/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
+++ b/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: Systems and Communications Protection
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating System and Communications Protection policy and
         procedures. A successful control response will need to address the
         content of the policy (which must include purpose, scope, roles,
         responsibilities, management commitment, coordination, and
         compliance) and procedures (which must facilitate the implementation
-        of the policies and associated controls).>'
+        of the policies and associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the System
+        '//*
+        The customer will be responsible for reviewing and updating the System
         and Communications Protection policy every 3 years, and procedures
         annually. A successful control response will need to address the review
         and update process, including the role(s) responsible for initiating
         the review process, updating the policy and procedures, and providing
-        approval of the updates.>'
+        approval of the updates.
+        */'
 
 - control_key: SC-2
   standard_key: NIST-800-53
@@ -32,10 +37,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for determining the functionality and
+        '//*
+        The customer is responsible for determining the functionality and
         access to their instance of information system components. Each customer
         can determine how they want to manage and implement access to their
-        instance.>'
+        instance.
+        */'
 
 - control_key: SC-4
   standard_key: NIST-800-53
@@ -43,9 +50,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for preventing unauthorized and
+        '//*
+        The customer is responsible for preventing unauthorized and
         unintended information transfer via shared system resources. A
-        successful control response will discuss how this is prevented.>'
+        successful control response will discuss how this is prevented.
+        */'
 
 - control_key: SC-5
   standard_key: NIST-800-53
@@ -53,12 +62,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for protecting against or limiting
+        '//*
+        The customer is responsible for protecting against or limiting
         the effects of attacks on bandwidth, attacks on transactional
-        capacity, attacks on storage capacity by employing geo-replication, 
+        capacity, attacks on storage capacity by employing geo-replication,
         IP address blocking, network-based DDos protections. A successful
         control response will discuss how the information system is protected
-        from these attacks.>'
+        from these attacks.
+        */'
 
 - control_key: SC-6
   standard_key: NIST-800-53
@@ -66,10 +77,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible to protect the availability of
+        '//*
+        The customer is responsible to protect the availability of
         resources by allocating processor and memory resources by process
         priority and resource availability. A successful control response will
-        discuss how resource availability is protected.>'
+        discuss how resource availability is protected.
+        */'
 
 - control_key: SC-7
   standard_key: NIST-800-53
@@ -78,22 +91,28 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer is responsible for monitoring and controlling
+        '//*
+        The customer is responsible for monitoring and controlling
         communications at the external boundary of the system and
         at key internal boundaries within the system. A successful control
-        response will address how communications are monitored and shaped.>'
+        response will address how communications are monitored and shaped.
+        */'
     - key: b
       text: |
-        '<The customer is responsible for implementing subnetworks for
+        '//*
+        The customer is responsible for implementing subnetworks for
         publicly accessible system components that are physically and logically
         separated. A successful control response will indicate how system
-        component traffic is separated.>'
+        component traffic is separated.
+        */'
     - key: c
       text: |
-        '<The customer is responsible for connecting to networks through
+        '//*
+        The customer is responsible for connecting to networks through
         managed interfaces consisting of boundary protection devices. A
         successful control response will discuss how traffic passes through
-        managed interfaces and boundary protection devices.>'
+        managed interfaces and boundary protection devices.
+        */'
 
 - control_key: SC-7 (3)
   standard_key: NIST-800-53
@@ -101,10 +120,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for limiting the number of external
+        '//*
+        The customer is responsible for limiting the number of external
         network connetions to the information system. A successful control
         response will indicate the rate limiting procedures and technical
-        enforcement.>'
+        enforcement.
+        */'
 
 - control_key: SC-7 (4)
   standard_key: NIST-800-53
@@ -133,9 +154,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring managed interfaces deny
+        '//*
+        The customer will be responsible for ensuring managed interfaces deny
         network traffic by default and allow network communications traffic
-        by exception (i.e. deny all, permit by exception).>'
+        by exception (i.e. deny all, permit by exception).
+        */'
 
 - control_key: SC-7 (7)
   standard_key: NIST-800-53
@@ -143,9 +166,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing mechanisms to
+        '//*
+        The customer will be responsible for implementing mechanisms to
         ensure OpenShift nodes to not act as proxy or relay servers between
-        internal and external networks.>'
+        internal and external networks.
+        */'
 
 - control_key: SC-7 (12)
   standard_key: NIST-800-53
@@ -153,9 +178,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implementing host-based
+        '//*
+        The customer will be responsible for implementing host-based
         boundary protection mechanisms. This is often through configuration of
-        local firewalld and SELinux policies.>'
+        local firewalld and SELinux policies.
+        */'
 
 - control_key: SC-7 (13)
   standard_key: NIST-800-53
@@ -163,12 +190,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for ensuring that OpenShift is
+        '//*
+        The customer will be responsible for ensuring that OpenShift is
         isolated from other internal information system components by
         implementing physically separate subnetworks with managed
         interfaces to other components of the system. A successful control
         response will discuss the networking configuration to satisfy this
-        control.>'
+        control.
+        */'
 
 - control_key: SC-7 (18)
   standard_key: NIST-800-53
@@ -184,12 +213,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Customers are responsible for configuring their web browsers, mobile
+        '//*
+        Customers are responsible for configuring their web browsers, mobile
         devices, etc., to enable communications through FIPS 140-2 validated
         encryption. Customers who enforce FDCC/USGCB settings will achieve
         FIPS 140-2 encryption as part of that baseline. Strong encryption
         with FIPS-approved ciphers is still possible when hosts are not
-        operating in FIPS mode.>'
+        operating in FIPS mode.
+        */'
 
 - control_key: SC-8 (1)
   standard_key: NIST-800-53
@@ -197,11 +228,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for implimenting cryptographic
+        '//*
+        The customer will be responsible for implimenting cryptographic
         mechanisms to prevent unauthorized disclosure of information and
         detect changes to information during transmission. A successful
         control response will detail how encryption is used for all
-        network communications that carry customer data.>'
+        network communications that carry customer data.
+        */'
 
 - control_key: SC-10
   standard_key: NIST-800-53
@@ -209,10 +242,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for terminating network connections
+        '//*
+        The customer will be responsible for terminating network connections
         at the end of the session or after no longer than 30 minutes of
         inactivity. A successful control response will document the technical
-        means on how this is established.>'
+        means on how this is established.
+        */'
 
 - control_key: SC-12
   standard_key: NIST-800-53
@@ -220,7 +255,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Government user entities will ensure that personel computing devices
+        '//*
+        Government user entities will ensure that personel computing devices
         (client systems) are configured to request FIPS 140-2 encryption
         ciphers and protocols for all network sessions.
 
@@ -230,7 +266,8 @@ satisfies:
         webpage:
 
         https://www.redhat.com/en/technologies/industries/government/standards
-        >'
+        
+        */'
 
 - control_key: SC-12 (2)
   standard_key: NIST-800-53
@@ -238,12 +275,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for producing, controlling, and
+        '//*
+        The customer will be responsible for producing, controlling, and
         distributing symmetric cryptographic keys (if any are used within
         the customer application) using NIST FIPS-compliant key management
         technology and proesses. A successful control response will need to
         address the processes and tools used for key generation and discuss
-        the reasons they are considered compliant.>'
+        the reasons they are considered compliant.
+        */'
 
 - control_key: SC-12 (3)
   standard_key: NIST-800-53
@@ -251,12 +290,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for producign, controlling, and
+        '//*
+        The customer will be responsible for producign, controlling, and
         distributing asymetric cryptographic keys (if any are used within the
         customer application) using one of the specified tools or processes. A
         successful control response will need to address the process and tools
         used for key generation and discuss the reasons they are considered
-        compliant.>'
+        compliant.
+        */'
 
 - control_key: SC-13
   standard_key: NIST-800-53
@@ -264,9 +305,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<OpenShift relies on the cryptographic services of the underlying
+        '//*
+        OpenShift relies on the cryptographic services of the underlying
         operating system, Red Hat Enterprise Linux. To ensure RHEL is configured
-        in FIPS mode, follow CCE-80359-3, "Enable FIPS Mode in GRUB2".>'
+        in FIPS mode, follow CCE-80359-3, "Enable FIPS Mode in GRUB2".
+        */'
 
 - control_key: SC-15
   standard_key: NIST-800-53
@@ -275,21 +318,27 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for prohibiting remote activation
+        '//*
+        The customer will be responsible for prohibiting remote activation
         of any collaborative computing devices within or controlled from
-        the customer application.>'
+        the customer application.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for providing an explicit indication
+        '//*
+        The customer will be responsible for providing an explicit indication
         of use of any collaborative computing devices within or controlled
         from the customer application. A successful control response will
         need to address how this explicit indication is enabled, the form
-        it takes, and the means by which activation can be verified.>'
+        it takes, and the means by which activation can be verified.
+        */'
     - key: 'Req. 1'
       text: |
-        '<The customer will be responsible for providing easy to use
+        '//*
+        The customer will be responsible for providing easy to use
         functionality to disable any collaborative computing devices within
-        or controlled from the customer application.>'
+        or controlled from the customer application.
+        */'
 
 - control_key: SC-17
   standard_key: NIST-800-53
@@ -297,12 +346,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for defining and enforcing a
+        '//*
+        The customer will be responsible for defining and enforcing a
         policy for issuing public key certificates, or else to obtain
         public key certificates from an approved service provider. A successful
         control response will need to outline the policy and address the
         mechanism by which the policy is enforced, or else discuss the approved
-        service provider and the process by which certificates are obtained.>'
+        service provider and the process by which certificates are obtained.
+        */'
 
 - control_key: SC-18
   standard_key: NIST-800-53
@@ -311,19 +362,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<Mobile code is code that is downloaded and executed by the client
+        '//*
+        Mobile code is code that is downloaded and executed by the client
         machine, rather than on the remote host. The customer will be
         responsible for defining mobile code technologies as acceptable or
-        unacceptable for use within the system.>'
+        unacceptable for use within the system.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for defining usage restrictions
+        '//*
+        The customer will be responsible for defining usage restrictions
         and implementation guidance for acceptable mobile code and mobile
-        code technologies.>'
+        code technologies.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for authorizing, monitoring, and
-        controlling the use of mobile code within the system.>'
+        '//*
+        The customer will be responsible for authorizing, monitoring, and
+        controlling the use of mobile code within the system.
+        */'
 
 - control_key: SC-19
   standard_key: NIST-800-53
@@ -332,15 +389,19 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for establishing usage restrictions
+        '//*
+        The customer will be responsible for establishing usage restrictions
         and implementation guidance for the use of VoIP technologies within
         the customer application. A successful control response will need
         to address whether and how VoIP technologies are used and outline
-        the conditions under which that usage is appropriate.>'
+        the conditions under which that usage is appropriate.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for authorizing, monitoring, and
-        controlling the use of VoIP within the system.>'
+        '//*
+        The customer will be responsible for authorizing, monitoring, and
+        controlling the use of VoIP within the system.
+        */'
 
 - control_key: SC-20
   standard_key: NIST-800-53
@@ -349,18 +410,22 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<If running DNS services, the customer is responsible for providing
+        '//*
+        If running DNS services, the customer is responsible for providing
         origin authentication and integrity verification artifacts along
         with authoritative name resolution data returns in response. A
         successful control response will discuss the technical means used to
-        accomplish this.>'
+        accomplish this.
+        */'
     - key: b
       text: |
-        '<If running DNS services, the customer is responsible for
+        '//*
+        If running DNS services, the customer is responsible for
         providing means to indicate the security status of child zones and
         enable verification of a chain of trust among parent and child domains.
         A successful control response will discuss the technical means used to
-        accomplish this.>'
+        accomplish this.
+        */'
 
 - control_key: SC-21
   standard_key: NIST-800-53
@@ -368,9 +433,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for configuring DNSSEC. A successful
+        '//*
+        The customer is responsible for configuring DNSSEC. A successful
         control response will document how DNSSEC is configured on applicable
-        endpoints.>'
+        endpoints.
+        */'
 
 - control_key: SC-22
   standard_key: NIST-800-53
@@ -378,9 +445,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer, if DNS services are in use, is responsible for ensuring
+        '//*
+        The customer, if DNS services are in use, is responsible for ensuring
         services are fault-tolerant and implement internal/external role
-        separation.>'
+        separation.
+        */'
 
 - control_key: SC-23
   standard_key: NIST-800-53
@@ -388,7 +457,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for guarding against, for
+        '//*
+        The customer will be responsible for guarding against, for
         example, man in the middle or session hijacking attacks for
         connections to the customer application, for example via the
         use of TLS. A successful control response will address the
@@ -396,7 +466,8 @@ satisfies:
         mechanisms used to protect against those attacks.
 
         OpenShift uses various TLS algorithms and ciphers to protect
-        the authenticity of communications sessions.>'
+        the authenticity of communications sessions.
+        */'
 
 - control_key: SC-28
   standard_key: NIST-800-53
@@ -404,8 +475,10 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<A successful control response will need to address the means by
-        which data at rest is protected.>'
+        '//*
+        A successful control response will need to address the means by
+        which data at rest is protected.
+        */'
 
 - control_key: SC-28 (1)
   standard_key: NIST-800-53
@@ -413,7 +486,8 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for implementing cryptographic
+        '//*
+        The customer is responsible for implementing cryptographic
         mechanisms to prevent unauthorzed disclosure and modification of
         customer data. A successful control response will outline how
         cryptography is used to ensure integrity of data in rest and
@@ -422,7 +496,8 @@ satisfies:
         When running on Red Hat Enterprise Linux, full disk encryption
         is possible for data at rest on the OpenShift nodes. For data
         in transport, OpenShift uses cryptographic algorithms and ciphers to
-        protect confidentiality and integrity of data in transport.>'
+        protect confidentiality and integrity of data in transport.
+        */'
 
 - control_key: SC-39
   standard_key: NIST-800-53
diff --git a/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml b/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
index 41fd8e7..ab35c17 100644
--- a/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
+++ b/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
@@ -1,3 +1,4 @@
+---
 documentation_complete: false
 name: System and Information Integrity
 schema_version: 3.0.0
@@ -10,21 +11,25 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for developing, documenting, and
+        '//*
+        The customer will be responsible for developing, documenting, and
         disseminating System and Information Integrity policy and procedures. A
         successful control response will need to address the content of the
         policy (which must include purpose, scope, roles, responsibilities,
         management commitment, coordination, and compliance) and procedures
         (which must facilitate the implementation of the policies and
-        associated controls).>'
+        associated controls).
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for reviewing and updating the
+        '//*
+        The customer will be responsible for reviewing and updating the
         System and Information Integrity policy every 3 years, and procedures
         annually. A successful control response will need to address the
         review and update process, including the role(s) responsible for
         initiating the review process, updating the policy and procedures,
-        and providing approval of the updates.>'
+        and providing approval of the updates.
+        */'
 
 - control_key: SI-2
   standard_key: NIST-800-53
@@ -33,33 +38,41 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for analyzing their applications for
+        '//*
+        The customer will be responsible for analyzing their applications for
         flaws, reporting on those flaws, and correcting them. A successful
         control response will include a discussion of the process by which
         flaws are discovered and remediated, as well as tools that are used to
-        assist in detection and remediation.>'
+        assist in detection and remediation.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for testing application updates
+        '//*
+        The customer will be responsible for testing application updates
         related to flaw remediation prior to installation. A successful control
         response will discuss the testing process (e.g. the nature of the test
         environment, the types of testing performed, the tools in testing,
-        etc.).>'
+        etc.).
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for installing security-relevant
+        '//*
+        The customer will be responsible for installing security-relevant
         software updates to their application within 30 days of the release of
         those updates. A successful control response will detail how the
         customer ensures that this update schedule can be met while still
-        performing sufficient testing.>'
+        performing sufficient testing.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for incorporating flaw remediation
+        '//*
+        The customer will be responsible for incorporating flaw remediation
         activities into their organizational configuration management process.
         A successful control response will address how flaws are categorized
         in terms of the types of changes that are subject to configuration
         management, as well as the approval process for remediation activities
-        (see the CM family of controls).>'
+        (see the CM family of controls).
+        */'
 
 
 - control_key: SI-2 (2)
@@ -68,13 +81,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be required to employ automated mechanisms on a
+        '//*
+        The customer will be required to employ automated mechanisms on a
         monthly basis to determine the stat of information system components
         with regard to flaw remediation on their information systems as required
-        by their organizations policy. A successful control response will 
-        address the customers use of automated tools such as Nessus to 
+        by their organizations policy. A successful control response will
+        address the customers use of automated tools such as Nessus to
         perform periodic and on-demand scans through their system to determine
-        the state of system components with regard to flaw remediation.>'
+        the state of system components with regard to flaw remediation.
+        */'
 
 - control_key: SI-2 (3)
   standard_key: NIST-800-53
@@ -83,19 +98,23 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer is responsible for scanning for flaws in their
+        '//*
+        The customer is responsible for scanning for flaws in their
         information systems and for measuring the time between flaw
         identification and flaw remediation. A successful control response will
         need to address the time between flaw identification and remediation
-        using timestamps and calculates the time elapsed difference.>'
+        using timestamps and calculates the time elapsed difference.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for scanning for flaws in their
+        '//*
+        The customer will be responsible for scanning for flaws in their
         information systems and for establishing benchmarks for taking
         correctie actions according to their organizational policies. A
         successful control response will need to address the use of
         benchmarks to remediate high, and moderate risk flaws within a cusotmer
-        defined period after a flaws discovery.>'
+        defined period after a flaws discovery.
+        */'
 
 - control_key: SI-3
   standard_key: NIST-800-53
@@ -104,37 +123,45 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer is responsible for ensuring that they employ malicious
+        '//*
+        The customer is responsible for ensuring that they employ malicious
         code protection at information system entry, and exit points to detect
         and eradicate malicious code. A successful control response will need
         to address use of code protection mechanisms to protect assets from
         malicious software (i.e. Viruses, malware, rootkits, worms, and
-        scripts).>'
+        scripts).
+        */'
     - key: b
       text: |
-        '<The customer is responsible for ensuring that they update their
+        '//*
+        The customer is responsible for ensuring that they update their
         malicious code protection mechanisms whenever new releases are available
         in accordance with organizational configuration management policy and
         procedures. A successful control response will need to address that
         the protection mechanisms stated in Part A of this control are updated
-        when a new version or definition release becomes available.>'
+        when a new version or definition release becomes available.
+        */'
     - key: c
       text: |
-        '<The customer is responsible for ensuring that their malicious code
+        '//*
+        The customer is responsible for ensuring that their malicious code
         protection mechanisms will perform periodic scans on a weekly basis. The
         customer will perform realtime scans of files from all external sources,
         including endpoints as the files are downloaded, opened, or executed
         in accordance with organizational security policy. The customer will
         also send alerts to an administrator or another defined security
-        personnel in response to detected malicious code.>'
+        personnel in response to detected malicious code.
+        */'
     - key: d
       text: |
-        '<The customer is responsible for addressing the receipt of false
+        '//*
+        The customer is responsible for addressing the receipt of false
         positives during malicious code detection and eradication. These false
-        positives will report potnetial impact of the availability of the 
+        positives will report potnetial impact of the availability of the
         information system. A successful control response will detail the steps
         taken when false positives are detected within the system with the
-        resulting impact of availability to the information system.>'
+        resulting impact of availability to the information system.
+        */'
 
 - control_key: SI-3 (1)
   standard_key: NIST-800-53
@@ -142,11 +169,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for ensuring that their malicious code
+        '//*
+        The customer is responsible for ensuring that their malicious code
         protection mechanisms are centrally managed. A successful control
         response will need to address that the planning, implementing,
         assessing, authorizing and monitoring of their malicious code protection
-        mechanism is centered in one location.>'
+        mechanism is centered in one location.
+        */'
 
 - control_key: SI-3 (2)
   standard_key: NIST-800-53
@@ -154,11 +183,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for ensuring that they update their
+        '//*
+        The customer is responsible for ensuring that they update their
         malicious code protection mechanisms automatically when new versions/
         definitions become available. A successful control response will need
         to address that the employed malicious code protection
-        mechanisms definitions are configured to be updated automatically.>'
+        mechanisms definitions are configured to be updated automatically.
+        */'
 
 - control_key: SI-3 (7)
   standard_key: NIST-800-53
@@ -166,13 +197,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer is responsible for ensuring that they implement a
+        '//*
+        The customer is responsible for ensuring that they implement a
         nonsignature-based malicious code detection mechanism on their
         information system. A successful control response will need to address
         a nonsignature based detection mechanism that can detect, analyze and
         describe the characteristics or behavior of malicious code and
         could provide safeguards against malicious code for which signatures
-        do not yet exist.>'
+        do not yet exist.
+        */'
 
 - control_key: SI-4
   standard_key: NIST-800-53
@@ -181,56 +214,68 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for meeting the FedRAMP-defined
+        '//*
+        The customer will be responsible for meeting the FedRAMP-defined
         monitoring objective of ensuring the proper functioning of internal
         processes and controls in furtherance of regulatory and compliance
         requirements; examine system records to confirm that the system
         is functioning in an optimal, resilient, and secure state; identify
         irregularities or anomalies that are indicators of a system malfunction
         or compromise. It is common for network service providers to impliment
-        this control on behalf of infrastructure components. A successful 
-        control response must articulate how  both technology and process is 
-        used to identify attacks and indicators of potential attacks.>'
+        this control on behalf of infrastructure components. A successful
+        control response must articulate how  both technology and process is
+        used to identify attacks and indicators of potential attacks.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for monitoring local, network, and
+        '//*
+        The customer will be responsible for monitoring local, network, and
         remote connections. In modern IT systems, it is common for all
         connection types to be classified as remote. A successful control
         response will indicate if all connections are considered remote, and if
-        not, how each category is uniquely monitored.>'
+        not, how each category is uniquely monitored.
+        */'
     - key: c
       text: |
-        '<The customer is responsible for deploying monitoring devices at
+        '//*
+        The customer is responsible for deploying monitoring devices at
         strategic and ad-hoc locations within the system. A successful control
         response will identify the locations where monitoring devices will be
         implimented. It is common for network service providers to implement
-        this control on behalf of tenants.>'
+        this control on behalf of tenants.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for protecting information obtained
+        '//*
+        The customer will be responsible for protecting information obtained
         from intrusion-monitoring tools from unauthorized access, modification,
         and deletion. A successful control response will indicate data access
         and management processes to ensure protection of the gathered data. It
         is common for network service providers to implement this control
-        on behalf of tenants.>'
+        on behalf of tenants.
+        */'
     - key: e
       text: |
-        '<The information system must be capable of heightening the level of
+        '//*
+        The information system must be capable of heightening the level of
         monitoring during times of duress. A successful control response
         will indicate increasing tiers of monitoring and analysis that is
         available should a known, or suspected, attack occur. It is common
         for network service providers to implement this control on behalf
         of tenants. For example, Microsoft Azure for Government implements
-        this control on behalf of their IaaS users.>'
+        this control on behalf of their IaaS users.
+        */'
     - key: g
       text: |
-        '<The customer will be responsible to ensure monitoring is aligned with
+        '//*
+        The customer will be responsible to ensure monitoring is aligned with
         SI-4(a), that organizationally defined personnel or roles receive
         monitoring information daily (and with capabilities for ondemand
         inquiries). A successful control response will address the reporting
         available to appropriate staff, and how on-demand reports can be
         created. It is common for network service providers to implement this
-        control on behalf of tenants.>'
+        control on behalf of tenants.
+        */'
 
 - control_key: SI-4 (1)
   standard_key: NIST-800-53
@@ -238,12 +283,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for integrating intrusion detection
+        '//*
+        The customer will be responsible for integrating intrusion detection
         tools into the OpenShift environment, and documenting how this
         capability is integrated into enterprise-wide intrusion detection
         systems when applicable. A successful control response will address
         the workflow between local and enterprise intrusion detection
-        systems.>'
+        systems.
+        */'
 
 - control_key: SI-4 (2)
   standard_key: NIST-800-53
@@ -251,14 +298,16 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for deploying automated tools to
+        '//*
+        The customer will be responsible for deploying automated tools to
         support near real-time analysis of events in their infrastructure. This
         is frequently provided by corporate services outside the informarion
         system, e.g. centralized security operation centers may host an
         enterprise logging solution. A successful control response will
         indicate who is responsible for hosting such capabilities, and what
-        technology and processes are in place to support near-realtime 
-        analysis of events.>'
+        technology and processes are in place to support near-realtime
+        analysis of events.
+        */'
 
 - control_key: SI-4 (4)
   standard_key: NIST-800-53
@@ -266,12 +315,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for identifying how and where
+        '//*
+        The customer will be responsible for identifying how and where
         network traffic is continuously monitored. Frequently this control
         is inherited from network and Infrastructure as a Service providers,
         such as Microsoft Azure. A successful control response will indicate
         if this control is inherited from infrastructure providers, and if not,
-        how network traffic is continuously monitored.>'
+        how network traffic is continuously monitored.
+        */'
 
 - control_key: SI-4 (5)
   standard_key: NIST-800-53
@@ -279,11 +330,13 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for automatic notification of 
+        '//*
+        The customer will be responsible for automatic notification of
         appropriate staff when indicators of compromise are detected. Frequently
         this is accomplished by automatic alerting to Security Operations Center
         staff. A successful control response will indicate who is notified, by
-        name or position title(s), and the mechanism of the notification.>'
+        name or position title(s), and the mechanism of the notification.
+        */'
 
 - control_key: SI-4 (14)
   standard_key: NIST-800-53
@@ -292,7 +345,8 @@ satisfies:
   narrative:
     - text: |
         'An OpenShift infrastructure does not have wireless capabilities. This
-        control is Not Applicable.>'
+        control is Not Applicable.
+        */'
 
 - control_key: SI-4 (16)
   standard_key: NIST-800-53
@@ -300,9 +354,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for aggregating and correlating
+        '//*
+        The customer will be responsible for aggregating and correlating
         information from monitoring tools, for multiple system components. This
-        is frequently accomplished with centralized audit reduction tools.>'
+        is frequently accomplished with centralized audit reduction tools.
+        */'
 
 - control_key: SI-4 (23)
   standard_key: NIST-800-53
@@ -310,9 +366,11 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for installing host-based monitoring
-        mechanisms. A successful control response will need to discuss how various
-        elements of the OpenShift infrastructure are monitored.>'
+        '//*
+        The customer will be responsible for installing host-based monitoring
+        mechanisms. A successful control response will need to discuss how
+        various elements of the OpenShift infrastructure are monitored.
+        */'
 
 - control_key: SI-5
   standard_key: NIST-800-53
@@ -321,30 +379,38 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for recieving relevant security
+        '//*
+        The customer will be responsible for recieving relevant security
         alerts, advisories and directives. A successful control response will
         need to discuss the external sources of security alerts, advisories, and
-        directives (including US-CERT as required by FedRAMP.>'
+        directives (including US-CERT as required by FedRAMP.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for generatign internal security
-        alerts, advisories and directives. A successful control response will 
+        '//*
+        The customer will be responsible for generatign internal security
+        alerts, advisories and directives. A successful control response will
         need to address the criteria used to determine what alerts, advisories,
         and directives are necessary, based on the specifics of the customer
-        mission, software, or service.>'
+        mission, software, or service.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for disseminating security alerts,
+        '//*
+        The customer will be responsible for disseminating security alerts,
         advisories and directives within the customer organization and to
-        external organizations as necessary. A successful control response will 
+        external organizations as necessary. A successful control response will
         need to address the personnel or roles within the organization who
-        require notificiation.>'
+        require notificiation.
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for implementing security directives
+        '//*
+        The customer will be responsible for implementing security directives
         within customer-controlled operating systems, software, and services. A
-        successful control response will need to address how the organization 
-        meets established time frames for implementing security directives.>'
+        successful control response will need to address how the organization
+        meets established time frames for implementing security directives.
+        */'
 
 - control_key: SI-6
   standard_key: NIST-800-53
@@ -353,32 +419,40 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for verifying the correct operation
+        '//*
+        The customer will be responsible for verifying the correct operation
         of security functions within customer-controlled operating systems and
         software. A successful control response will need to discuss the
         security functions deemed necessary to verify, as well as the means for
-        testing the correct operation and resolving any issues found.>'
+        testing the correct operation and resolving any issues found.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for performing security function
+        '//*
+        The customer will be responsible for performing security function
         verification at customer-specified frequencies and under
         customer-specified circumstances (to include the requirements stated by
         FedRAMP). A successful control response will need to address the
         rationale for selection of the specific frequency and circumstances
-        of security function verification.>'
+        of security function verification.
+        */'
     - key: c
       text: |
-        '<The customer will be responsible for notifying appropriate personnel
+        '//*
+        The customer will be responsible for notifying appropriate personnel
         of failed security verification tests. A successful control response
         will need to outline the personnel or roles selected (to include system
-        administrators and security personnel as required by FedRAMP).>'
+        administrators and security personnel as required by FedRAMP).
+        */'
     - key: d
       text: |
-        '<The customer will be responsible for performing appropriate actions
+        '//*
+        The customer will be responsible for performing appropriate actions
         in response to anomalies in security unction verifiation. A successful
         control response will need to discuss the actions taken (to include
         notification of system administrators and security personnel as required
-        by FedRAMP) as well as the rationale for selecting these actions.>'
+        by FedRAMP) as well as the rationale for selecting these actions.
+        */'
 
 - control_key: SI-7
   standard_key: NIST-800-53
@@ -386,10 +460,12 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for employing integrity verification
+        '//*
+        The customer will be responsible for employing integrity verification
         tools for customer-controlled operating systems and software. A
         successful control response will need to discuss the tools in use and
-        the integrity-checking mechanisms these tools employ.>'
+        the integrity-checking mechanisms these tools employ.
+        */'
 
 - control_key: SI-7 (1)
   standard_key: NIST-800-53
@@ -397,12 +473,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for performing integrity checks at
+        '//*
+        The customer will be responsible for performing integrity checks at
         customer-specific frequencies and under customer-specified
         circumstances (including frequencies and circumstances specified by
         FedRAMP). A successful control response will need to identify the
         criteria for performing integrity checking, as well as the rationale
-        for selecting those criteria.>'
+        for selecting those criteria.
+        */'
 
 - control_key: SI-7 (7)
   standard_key: NIST-800-53
@@ -410,12 +488,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for incorporating the detection of
+        '//*
+        The customer will be responsible for incorporating the detection of
         customer-defined security-relevant changes into the customers incident
         response capability. A successful control response will need to outline
         the process for deeming particular changes as security-relevant and the
         means by which the incident response capability is invoked when
-        needed.>'
+        needed.
+        */'
 
 - control_key: SI-8
   standard_key: NIST-800-53
@@ -451,12 +531,14 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for checking the validity of
+        '//*
+        The customer will be responsible for checking the validity of
         information inputs to customer-controlled operating systems and
         software. A successful control response will need to discuss the
         specific inputs for which the validity is checked, the rationale
         for selecting those inputs for validity checking, and the response
-        taken by the system to invalid inputs.>'
+        taken by the system to invalid inputs.
+        */'
 
 - control_key: SI-11
   standard_key: NIST-800-53
@@ -465,18 +547,22 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '<The customer will be responsible for generating error messages in
+        '//*
+        The customer will be responsible for generating error messages in
         cusomer-controlled operating systems and software that provide
         information necessary for corrective actions without revealing
         information that could be exploited by adversaries. A successful
         control response will need to discuss the process by which error
-        messages are created, analyzed, and corrected when necessary.>'
+        messages are created, analyzed, and corrected when necessary.
+        */'
     - key: b
       text: |
-        '<The customer will be responsible for revealing error messages only to
+        '//*
+        The customer will be responsible for revealing error messages only to
         authorized personnel. A successful control response will need to
         address how error messages are displayed and the means by which access
-        to error messages is controlled.>'
+        to error messages is controlled.
+        */'
 
 - control_key: SI-12
   standard_key: NIST-800-53
@@ -484,13 +570,15 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<The customer will be responsible for handling and retaining
+        '//*
+        The customer will be responsible for handling and retaining
         information within customer-enrolled  systems and software in accordance
         with applicable federal laws, Executive Orders, directives, policies,
         regulations, standards, and operational requirements. A successful
         control response will need to outline the specific requirements
         applicable to customer information handling and retention, and the
-        means by which those requirements are met.>'
+        means by which those requirements are met.
+        */'
 
 - control_key: SI-16
   standard_key: NIST-800-53
@@ -498,62 +586,64 @@ satisfies:
   implimentation_status: none
   narrative:
     - text: |
-        '<Memory and unauthorized code protection mechanisms are provided in 
-        the base operating system, Red Hat Enterprise Linux. This includes 
-        buffer overflow protection, execution of code on a process’ or 
-        thread’s stack, modification of a function return address on the 
-        process’ or threads stack to jump to previously known processor 
-        instructions, and modification of process section other than the 
-        segment that holds compile time initialized data and segment holding 
-        the mapping of all uninitialized variables. For the runtime instances 
-        of binaries, all user-provided applications and their depending 
+        '//*
+        Memory and unauthorized code protection mechanisms are provided in
+        the base operating system, Red Hat Enterprise Linux. This includes
+        buffer overflow protection, execution of code on a process’ or
+        thread’s stack, modification of a function return address on the
+        process’ or threads stack to jump to previously known processor
+        instructions, and modification of process section other than the
+        segment that holds compile time initialized data and segment holding
+        the mapping of all uninitialized variables. For the runtime instances
+        of binaries, all user-provided applications and their depending
         libraries that are compiled and linked with the following properties:
 
-        (1) presence of the ELF program header entry of PT_GNU_STACK and the 
-        absence of the PF_X bit in the p_flags ELF header flags; 
-       
-        (2) presence of the ELF program header entry of PT_GNU_RELRO with 
+        (1) presence of the ELF program header entry of PT_GNU_STACK and the
+        absence of the PF_X bit in the p_flags ELF header flags;
+
+        (2) presence of the ELF program header entry of PT_GNU_RELRO with
         memory range information covering the following ELF sections: .tdata,
-        .preinit_array, .init_array, .fini_array, .ctors, .dtors, .data.rel.ro, 
-        .dynamic, .got including .got.plt. The secure state implied with this 
-        functionality covers the following aspects where the following list 
+        .preinit_array, .init_array, .fini_array, .ctors, .dtors, .data.rel.ro,
+        .dynamic, .got including .got.plt. The secure state implied with this
+        functionality covers the following aspects where the following list
         explains the implication of each bullet above:
 
-                a) When exploiting buffer overruns of an application, the 
+                a) When exploiting buffer overruns of an application, the
                    attacker cannot feed code onto the stack and execute it.
 
-                b) When exploiting buffer overruns of an application, the 
-                   modify of the return addresses stored on a stack jump to a 
-                   previously known code segment is much harder to achieve by 
-                   an attacker. Due to the address randomization, any memory 
-                   address of code already present with the application or 
-                   loaded libraries will be different with each startup of the 
+                b) When exploiting buffer overruns of an application, the
+                   modify of the return addresses stored on a stack jump to a
+                   previously known code segment is much harder to achieve by
+                   an attacker. Due to the address randomization, any memory
+                   address of code already present with the application or
+                   loaded libraries will be different with each startup of the
                    application.
 
                 c) The ELF header sections listed above are set read-only using
                    the mprotect system call by the loaded before the application
-                   gains control. When exploiting buffer overruns, the attacker 
-                   cannot modify information in those memory sections. These 
+                   gains control. When exploiting buffer overruns, the attacker
+                   cannot modify information in those memory sections. These
                    sections store offset tables required for the dynamic linking
-                   mechanism and, if abused, allow attackers to modify the jump 
-                   addresses of object accesses. Full protection against this 
+                   mechanism and, if abused, allow attackers to modify the jump
+                   addresses of object accesses. Full protection against this
                    type of attack can only be achieved if the application and
-                   all depending shared libraries are compiled linked with full 
-                   protection enabled. When at least one shared libraroy the 
-                   application depends on or the application itself is compiled 
-                   and linked with partial protection, only partial protection 
-                   against this type of attack is available for the given 
-                   application. 
-
-        To enforce functionality in bullet a), /proc/sys/kernel/exec-shield 
+                   all depending shared libraries are compiled linked with full
+                   protection enabled. When at least one shared libraroy the
+                   application depends on or the application itself is compiled
+                   and linked with partial protection, only partial protection
+                   against this type of attack is available for the given
+                   application.
+
+        To enforce functionality in bullet a), /proc/sys/kernel/exec-shield
         must contain either a 1 or 2.
 
-        To enforce the functionality in bullet b), 
-        /proc/sys/kernel/randomize_va_space must contain a 2 (1 implies the 
+        To enforce the functionality in bullet b),
+        /proc/sys/kernel/randomize_va_space must contain a 2 (1 implies the
         address randomization is enabled except for the brk system call).
 
-        For full documentation on common criteria evaluated memory protections, 
+        For full documentation on common criteria evaluated memory protections,
         Red Hat publishes full common criteria paperwork online:
 
         https://www.redhat.com/en/technologies/industries/government/standards
-        >'
+        
+        */'

From 3bbcbda014c5db2954834bcbfc0c088577bbff19 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 01:53:25 -0400
Subject: [PATCH 6/7] removing whitespaces

---
 .../policies/AC-Access_Control/component.yaml      | 14 +++++++-------
 .../AU-Audit_and_Accountability/component.yaml     | 12 ++++++------
 .../CM-Configuration_Management/component.yaml     |  2 +-
 .../CP-Contingency_Planning/component.yaml         |  2 +-
 .../component.yaml                                 |  4 ++--
 .../component.yaml                                 |  2 +-
 .../component.yaml                                 |  2 +-
 .../component.yaml                                 |  2 +-
 8 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/OpenShift-v3/policies/AC-Access_Control/component.yaml b/OpenShift-v3/policies/AC-Access_Control/component.yaml
index 5451711..3586b36 100644
--- a/OpenShift-v3/policies/AC-Access_Control/component.yaml
+++ b/OpenShift-v3/policies/AC-Access_Control/component.yaml
@@ -11,7 +11,7 @@ satisfies:
   narrative:
     - key: a
       text: |
-        '//* 
+        '//*
         The customer will be responsible for developing, documenting, and
         disseminating Access Control policy and procedures. A successful
         control response will need to address the content of the policy
@@ -32,7 +32,7 @@ satisfies:
 
     - key: b
       text: |
-        '//* 
+        '//*
         The customer will be responsible for reviewing and updating the
         Access Control policy every 3 years, and procedures annually. A
         successful control response will need to address and review and
@@ -274,7 +274,7 @@ satisfies:
         for the management of Role Bindings can be found at:
 
         https://docs.openshift.com/container-platform/latest/admin_guide/
-        manage_authorization_policy.html#managing-role-bindings 
+        manage_authorization_policy.html#managing-role-bindings
         */'
 
     - key: b
@@ -320,7 +320,7 @@ satisfies:
         Labels in OpenShift Cluster Administration Guide:
 
         https://docs.openshift.com/container-platform/3.3/admin_guide/
-        manage_users.html#managing-users-managing-user-and-group-labels 
+        manage_users.html#managing-users-managing-user-and-group-labels
         */'
 
 - control_key: AC-2 (10)
@@ -372,7 +372,7 @@ satisfies:
         Configuration guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/
-        aggregate_logging.html 
+        aggregate_logging.html
         */'
 
     - key: b
@@ -396,7 +396,7 @@ satisfies:
         processes/configurations. Documentation can be found at:
 
         https://docs.openshift.com/container-platform/3.3/architecture/
-        additional_concepts/authorization.html 
+        additional_concepts/authorization.html
         */'
 
 - control_key: AC-4
@@ -416,7 +416,7 @@ satisfies:
         Architecture guide:
 
         https://docs.openshift.com/container-platform/3.3/architecture/
-        additional_concepts/networking.html 
+        additional_concepts/networking.html
         */'
 
 - control_key: AC-4 (21)
diff --git a/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml b/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
index 8774093..05b5dbf 100644
--- a/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
+++ b/OpenShift-v3/policies/AU-Audit_and_Accountability/component.yaml
@@ -80,7 +80,7 @@ satisfies:
         here:
 
         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
-        html/Security_Guide/sec-configuring_the_audit_service.html 
+        html/Security_Guide/sec-configuring_the_audit_service.html
         */'
 
 - control_key: AU-2 (3)
@@ -247,7 +247,7 @@ satisfies:
         Configuration guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/
-        aggregate_logging.html 
+        aggregate_logging.html
         */'
 
     - key: b
@@ -259,7 +259,7 @@ satisfies:
         documents can be found publicly at:
 
         https://www.redhat.com/en/technologies/industries/government/standards
-        
+
         */'
 
 - control_key: AU-7 (1)
@@ -306,7 +306,7 @@ satisfies:
 
         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
         7/html/System_Administrators_Guide/chap-Configuring_the_Date_and_Time.
-        html#sect-Configuring_the_Date_and_Time-timedatectl-Time_Zone 
+        html#sect-Configuring_the_Date_and_Time-timedatectl-Time_Zone
         */'
 
 - control_key: AU-8 (1)
@@ -341,7 +341,7 @@ satisfies:
         7 System Administrators guide:
 
         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
-        7/html/System_Administrators_Guide/s1-Configure_NTP.html 
+        7/html/System_Administrators_Guide/s1-Configure_NTP.html
         */'
 
     - key: 'Req.1'
@@ -448,7 +448,7 @@ satisfies:
         <Audit rules may be added/removed through modifying the
         /etc/audit/audit.rules or applicable file under /etc/audit/rules.d/. It
         is recommended that OpenShift specific audit rules be added to
-        /etc/audit/rules.d/openshift.rules 
+        /etc/audit/rules.d/openshift.rules
         */'
     - key: c
       text: |
diff --git a/OpenShift-v3/policies/CM-Configuration_Management/component.yaml b/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
index b6b7854..63869ef 100644
--- a/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
+++ b/OpenShift-v3/policies/CM-Configuration_Management/component.yaml
@@ -420,7 +420,7 @@ satisfies:
         Integration Guide for procedures on how to setup and maintain container
         signing:
 
-        https://access.redhat.com/articles/2750891 
+        https://access.redhat.com/articles/2750891
         */'
     - key: b
       text: |
diff --git a/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml b/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
index cf0f9af..aedb2a2 100644
--- a/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
+++ b/OpenShift-v3/policies/CP-Contingency_Planning/component.yaml
@@ -186,7 +186,7 @@ satisfies:
         plans and procedures:
 
         https://azure.microsoft.com/en-us/documentation/articles/
-        sql-database-disaster-recovery-drills/ 
+        sql-database-disaster-recovery-drills/
         */'
     - key: b
       text: |
diff --git a/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml b/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
index 73c4440..b518c2c 100644
--- a/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
+++ b/OpenShift-v3/policies/IA-Identification_and_Authentication/component.yaml
@@ -71,7 +71,7 @@ satisfies:
         Configuration guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/
-        syncing_groups_with_ldap.html 
+        syncing_groups_with_ldap.html
         */'
 
 - control_key: IA-2 (1)
@@ -97,7 +97,7 @@ satisfies:
         Installation and Configuration Guide:
 
         https://docs.openshift.com/container-platform/3.3/install_config/
-        configuring_authentication.html#RequestHeaderIdentityProvider  
+        configuring_authentication.html#RequestHeaderIdentityProvider
         */'
 
 - control_key: IA-2 (2)
diff --git a/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml b/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
index 0e19cc8..5688c0e 100644
--- a/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
+++ b/OpenShift-v3/policies/SA-System_and_Services_Acquisition/component.yaml
@@ -476,7 +476,7 @@ satisfies:
         integrity, and non-repudiation. Documentation can be found
         in the "Container Image Signing Integration Guide":
 
-        https://access.redhat.com/articles/2750891 
+        https://access.redhat.com/articles/2750891
         */'
 
 - control_key: SA-11
diff --git a/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml b/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
index 36b58f0..4e0a95e 100644
--- a/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
+++ b/OpenShift-v3/policies/SC-Systems_and_Communications_Protection/component.yaml
@@ -266,7 +266,7 @@ satisfies:
         webpage:
 
         https://www.redhat.com/en/technologies/industries/government/standards
-        
+
         */'
 
 - control_key: SC-12 (2)
diff --git a/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml b/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
index ab35c17..04ebd2b 100644
--- a/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
+++ b/OpenShift-v3/policies/SI-System_and_Information_Integrity/component.yaml
@@ -645,5 +645,5 @@ satisfies:
         Red Hat publishes full common criteria paperwork online:
 
         https://www.redhat.com/en/technologies/industries/government/standards
-        
+
         */'

From c25967b3b05879e46f4d448ddca1cc00f8199167 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Fri, 12 May 2017 01:53:35 -0400
Subject: [PATCH 7/7] create make check

---
 OpenShift-v3/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OpenShift-v3/Makefile b/OpenShift-v3/Makefile
index 753b517..df68350 100644
--- a/OpenShift-v3/Makefile
+++ b/OpenShift-v3/Makefile
@@ -22,7 +22,7 @@ clean:
 	rm -rf exports/ opencontrols/
 
 pdf: exports
-	cd exports/ && gitbook pdf ./ ./Red_Hat_Enterprise_Linux_7_Compliance.pdf
+	cd exports/ && gitbook pdf ./ ./OpenShift_v3_Compliance.pdf
 
 serve: exports
 	cd exports && gitbook serve
@@ -37,7 +37,7 @@ coverage:
 	${CM} diff FedRAMP-low
 
 fedramp: default
-	${GOPATH}/bin/fedramp-templater fill opencontrols/ FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx exports/FedRAMP-Filled-v2.1.docx
+	${GOPATH}/bin/fedramp-templater fill opencontrols/ ../FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx exports/FedRAMP-Filled-v2.1.docx
 
 fedramp-diff:
 	${GOPATH}/bin/fedramp-templater diff opencontrols/ FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx