18F · adelevie · Jan 3, 2017 · jessieay · Jan 9, 2017 · jessieay
diff --git a/Dockerfile.compliance-masonry b/Dockerfile.compliance-masonry
@@ -0,0 +1,10 @@
+FROM ubuntu:16.04
+
+RUN apt-get update
+RUN apt-get install curl git -y
+RUN curl -L https://github.com/opencontrol/compliance-masonry/releases/download/v1.1.2/compliance-masonry_1.1.2_linux_amd64.tar.gz -o compliance-masonry.tar.gz
+RUN tar -xf compliance-masonry.tar.gz
+RUN cp compliance-masonry_1.1.2_linux_amd64/compliance-masonry /usr/local/bin
+
+RUN mkdir -p /app
+WORKDIR /app
diff --git a/README.md b/README.md
@@ -50,6 +50,16 @@ local development instructions below if you don't have the app setup locally):
 Updating the ERD requires Graphiz. Installation instructions are
 [here](http://voormedia.github.io/rails-erd/install.html).
 
+### ATO Documentation
+
+As part of 18F's ATO process, you may need to update the Compliance Masonry documentation.
+
+With docker-compose, all you need to run is:
+
+```
+docker-compose run compliance-masonry compliance-masonry get
+```
+
 ## Local Development
 
 See the [local development docs](docs/local_development.md) for information on

diff --git a/compliance/component.yml b/compliance/component.yml
@@ -107,8 +107,8 @@ satisfies:
     - text: >
         In addition to the controls provided by cloud.gov, the application
         tracks components through versioned library dependencies
-        (requirements.txt), as well as a listing of relevant cloud.gov services
-        (mentioned in the README and deploy.md)
+        (Gemfile), as well as a listing of relevant cloud.gov services
+        (mentioned in the README and docs/deployment.md)
 - standard_key: NIST-800-53
   control_key: IA-2   # Identification and Authentication (Organizational
                       # Users)
@@ -139,28 +139,26 @@ satisfies:
   control_key: PL-8   # Information Security Architecture
   narrative:
     - text: >
-        In addition to cloud.gov controls, all data in the system comes from
-        Contract Officers and must be approved by a data administrator to
-        be visible to the general public.
+        In addition to cloud.gov controls, all data in the system is public.
 - standard_key: NIST-800-53
   control_key: RA-5   # Vulnerability Scanning
   narrative:
     - text: >
         In addition to cloud.gov controls, the application layer is scanned with
-        both static and dynamic tooling. Before being merged into "master", all
-        custom code is automatically analyzed by "flake8" (a linting tool to
-        catch syntactic errors), "bandit" (a security-focused static analysis
-        tool), and a handful of custom, security-centric unit
-        tests. Code which does not meet these standards is generally not
+        both static and dynamic tooling. Before being merged into "develop" and
+        "master", all custom code is automatically analyzed by Brakeman
+        (static code analysis of Rails apps for known security vulnerabilities),
+        and a handful of custom, security-centric unit tests.
+        Code which does not meet these standards is generally not
         merged. We also employ Gemnasium to track our dependencies and
         Code Climate to warn of potentially concerning style.
 
         For static analysis, we've addressed all critical issues raised by
         evaluating the application with OWASP ZAP.
   references:
-    - verification_key: flake8
-    - verification_key: bandit
+    - verification_key: hakiri
     - verification_key: gemnasium
+    - verification_key: brakeman
     - verification_key: code-climate
     - verification_key: owasp-zap
 - standard_key: NIST-800-53
@@ -169,18 +167,22 @@ satisfies:
   narrative:
     - text: >
         In addition to cloud.gov controls, the application layer is scanned with
-        both static and dynamic tooling. Before being merged into "master", all
-        custom code is automatically analyzed by "flake8" (a linting tool to
-        catch syntactic errors), "bandit" (a security-focused static analysis
-        tool), and a handful of custom, security-centric unit
-        tests. Code which does not meet these standards is generally not
+        both static and dynamic tooling. Before being merged into "develop" and
+        "master", all custom code is automatically analyzed by Brakeman
+        (static code analysis of Rails apps for known security vulnerabilities),
+        and a handful of custom, security-centric unit tests.
+        Code which does not meet these standards is generally not
         merged. We also employ Gemnasium to track our dependencies and
         Code Climate to warn of potentially concerning style.
+
+        For static analysis, we've addressed all critical issues raised by
+        evaluating the application with OWASP ZAP.
   references:
-    - verification_key: flake8
-    - verification_key: bandit
+    - verification_key: hakiri
     - verification_key: gemnasium
+    - verification_key: brakeman
     - verification_key: code-climate
+    - verification_key: owasp-zap
 - standard_key: NIST-800-53
   control_key: SA-22 (1)   # Unsupported System Components
                            # Alternative Sources for Continued Support

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,3 +13,8 @@ web:
       - "3000:3000"
     links:
       - db
+compliance-masonry:
+  build: .
+  volumes:
+    - .:/app
+  dockerfile: Dockerfile.compliance-masonry
diff --git a/opencontrol.yaml b/opencontrol.yaml
@@ -0,0 +1,24 @@
+schema_version: "1.0.0"
+name: Micropurchase
+metadata:
+  description: >
+    An platform for bidding and completing small IT projects for the government.
+  maintainers:
+    - [email protected]
+components:
+  - ./compliance
+certifications:
+  # paths
+standards:
+  # paths
+dependencies:
+  certifications:
+    # LATO
+    - url: https://github.com/18F/GSA-Certifications
+      revision: master
+  systems:
+    # Cloud.gov
+    - url: https://github.com/18F/cg-compliance
+      revision: master
+  standards:
+    # data
diff --git a/opencontrols/certifications/FedRAMP-low.yaml b/opencontrols/certifications/FedRAMP-low.yaml
@@ -0,0 +1,129 @@
+name: FedRAMP-low
+standards:
+
+  NIST-800-53:
+    AC-1: {}
+    AC-14: {}
+    AC-17: {}
+    AC-18: {}
+    AC-19: {}
+    AC-2: {}
+    AC-20: {}
+    AC-22: {}
+    AC-3: {}
+    AC-7: {}
+    AC-8: {}
+    AT-1: {}
+    AT-2: {}
+    AT-3: {}
+    AT-4: {}
+    AU-1: {}
+    AU-11: {}
+    AU-12: {}
+    AU-2: {}
+    AU-3: {}
+    AU-4: {}
+    AU-5: {}
+    AU-6: {}
+    AU-8: {}
+    AU-9: {}
+    CA-1: {}
+    CA-2: {}
+    CA-2 (1): {}
+    CA-3: {}
+    CA-5: {}
+    CA-6: {}
+    CA-7: {}
+    CA-9: {}
+    CM-1: {}
+    CM-10: {}
+    CM-11: {}
+    CM-2: {}
+    CM-4: {}
+    CM-6: {}
+    CM-7: {}
+    CM-8: {}
+    CP-1: {}
+    CP-10: {}
+    CP-2: {}
+    CP-3: {}
+    CP-4: {}
+    CP-9: {}
+    IA-1: {}
+    IA-2: {}
+    IA-2 (1): {}
+    IA-2 (12): {}
+    IA-4: {}
+    IA-5: {}
+    IA-5 (1): {}
+    IA-5 (11): {}
+    IA-6: {}
+    IA-7: {}
+    IA-8: {}
+    IA-8 (1): {}
+    IA-8 (2): {}
+    IA-8 (3): {}
+    IA-8 (4): {}
+    IR-1: {}
+    IR-2: {}
+    IR-4: {}
+    IR-5: {}
+    IR-6: {}
+    IR-7: {}
+    IR-8: {}
+    MA-1: {}
+    MA-2: {}
+    MA-4: {}
+    MA-5: {}
+    MP-1: {}
+    MP-2: {}
+    MP-6: {}
+    MP-7: {}
+    PE-1: {}
+    PE-12: {}
+    PE-13: {}
+    PE-14: {}
+    PE-15: {}
+    PE-16: {}
+    PE-2: {}
+    PE-3: {}
+    PE-6: {}
+    PE-8: {}
+    PL-1: {}
+    PL-2: {}
+    PL-4: {}
+    PS-1: {}
+    PS-2: {}
+    PS-3: {}
+    PS-4: {}
+    PS-5: {}
+    PS-6: {}
+    PS-7: {}
+    PS-8: {}
+    RA-1: {}
+    RA-2: {}
+    RA-3: {}
+    RA-5: {}
+    SA-1: {}
+    SA-2: {}
+    SA-3: {}
+    SA-4: {}
+    SA-4 (10): {}
+    SA-5: {}
+    SA-9: {}
+    SC-1: {}
+    SC-12: {}
+    SC-13: {}
+    SC-15: {}
+    SC-20: {}
+    SC-21: {}
+    SC-22: {}
+    SC-39: {}
+    SC-5: {}
+    SC-7: {}
+    SI-1: {}
+    SI-12: {}
+    SI-2: {}
+    SI-3: {}
+    SI-4: {}
+    SI-5: {}