Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check on legality of publishing AWS control information #6

Open
afeld opened this issue Mar 24, 2019 · 5 comments
Open

Check on legality of publishing AWS control information #6

afeld opened this issue Mar 24, 2019 · 5 comments

Comments

@afeld
Copy link
Member

afeld commented Mar 24, 2019

AWS compliance documentation is (in some cases?) protected under NDA. The content in the Control files in this repository may be in violation of that already.

While I have not dug into them myself, the AWS compliance packages likely dive into a lot of detail that is not directly needed by OpenControl users. The main use case of having a canonical set of AWS OpenControl Components is knowing what controls are fully inheritable, versus which have shared or full customer responsibility. Therefore, I would argue that it's not important that the control narrative includes any details about the implementation - it can simply say "Refer to the AWS FedRAMP package for details." Even so, I'm not sure if the list of controls implemented by AWS is considered proprietary information or not, or if they would be willing to release it in a non-restrictive way so they could be leveraged here.

Anyone have a contact at AWS to ask?
@afeld afeld mentioned this issue Mar 24, 2019
Open
@rafael5
Copy link

rafael5 commented Mar 24, 2019
edited
Loading

Great idea. I have several contacts in AWS Federal and will ask about availability and publication in public, machine processable form.

@rafael5
Copy link

rafael5 commented Mar 24, 2019
edited
Loading

I just checked the AWS Artifact repository - there are 2500 artifacts regarding all their certifications and controls - and all require an NDA - so we cannot publish.

Nevertheless, I will ask AWS if a subset of their artifacts pertaining to ATO for FedRAMP-high controls can be published machine processable form..

@afeld
Copy link
Member Author

afeld commented Mar 24, 2019

We can't publish based on those. Perhaps AWS would be willing to work with us to publish just the controls publicly, if we present them with why.

In the meantime, could provide a script to create the YAML files based on source packages that users would have to run on their own.

@rafael5
Copy link

rafael5 commented Mar 24, 2019
edited
Loading

Agree. So what is the most compelling framing of our 'ask'? To speed ATO in their Cloud? What is the best demonstration we can provide? What government agencies are already using opencontrol schemas? We need #'s and data to convince AWs.

@afeld
Copy link
Member Author

afeld commented Mar 24, 2019

what is the most compelling framing of our 'ask'? To speed ATO in their Cloud?

Exactly.

What is the best demonstration we can provide?

There's a demo video from a couple years ago - shows the basics in the first ten minutes.

What government agencies are already using opencontrol schemas?

See opencontrol/discuss#33.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@afeld @rafael5