The determination of temperature has long been recognized as a problem of the greatest importance...The theory of thermometry is however as yet far from being in so satisfactory a state. - Lord Kelvin, 1848
A cool experiment in measuring FISMA compliance
DevOps can incorporate security scanning into continuous delivery in a way that improves the security review cycle and shortens time to FISMA compliance.
Build an XCCDF (checklist) for some portion of NIST SP 800-53 guidance applied to NGINX.
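As an added example (not GovReady's own content), this is the shape such a checklist could take: one XCCDF 1.2 benchmark with a profile and a single rule that maps the NGINX server_tokens setting to selected 800-53 controls, with a fix script and a reference to an OVAL definition. The ids, the file name nginx-oval.xml, the control mapping and the reference URLs are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: a minimal XCCDF 1.2 benchmark for NGINX.
     Ids, file names and the control mapping are assumptions, not GovReady content. -->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example.govready_benchmark_nginx" resolved="false">
  <status date="2014-01-01">draft</status>
  <title>NGINX hardening checklist (NIST SP 800-53 subset)</title>
  <description>Checks nginx.conf for settings that map to selected 800-53 controls.</description>
  <version>0.1</version>

  <!-- A profile selects which rules apply; this one enables the single rule below. -->
  <Profile id="xccdf_org.example.govready_profile_fisma-moderate">
    <title>FISMA moderate baseline (NGINX subset)</title>
    <select idref="xccdf_org.example.govready_rule_nginx-server-tokens-off" selected="true"/>
  </Profile>

  <Group id="xccdf_org.example.govready_group_information-disclosure">
    <title>Limit information disclosed by the server</title>

    <Rule id="xccdf_org.example.govready_rule_nginx-server-tokens-off" severity="medium">
      <title>Disable NGINX version disclosure (server_tokens off)</title>
      <description>
        NGINX advertises its version in the Server header and on error pages
        unless server_tokens is set to off. Error output should not reveal
        software versions to unauthenticated clients.
      </description>
      <!-- Control mapping is an assumption made for this example. -->
      <reference href="https://nvd.nist.gov/800-53/Rev4/control/SI-11">SI-11 Error Handling</reference>
      <reference href="https://nvd.nist.gov/800-53/Rev4/control/CM-6">CM-6 Configuration Settings</reference>
      <fixtext>Add "server_tokens off;" to the http block of /etc/nginx/nginx.conf and reload nginx.</fixtext>
      <!-- Shell remediation; the grep guard keeps it idempotent. -->
      <fix system="urn:xccdf:fix:script:sh">
        grep -q '^\s*server_tokens\s\+off;' /etc/nginx/nginx.conf ||
          sed -i 's/^\(\s*\)http\s*{/\1http {\n\1    server_tokens off;/' /etc/nginx/nginx.conf
        nginx -s reload
      </fix>
      <!-- The OVAL definition that inspects nginx.conf lives in a separate file (assumed). -->
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="nginx-oval.xml"
                           name="oval:org.example.govready.nginx:def:1"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
```

With the OVAL file in place, `oscap xccdf eval --profile xccdf_org.example.govready_profile_fisma-moderate nginx-xccdf.xml` evaluates the rule and reports pass or fail per control reference.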
The vm directory includes virtual machines for learning and testing GovReady.
vm/basic - provides a multiple-virtual-machine environment for testing GovReady.
vm/basic/vbkick-templates - provides vbkick virtual machine configuration files for building VirtualBox VMs from source ISO and kickstart files.
DevOpsAudit - Crowd-sourced effort to assemble "authoritative guidance of how management and auditors should conduct audits where DevOps practices are in place"
Automate Compliance with BDD Tools - A blog post musing on turning a security control test from policy into a Cucumber test
GovReady - Toolkit for getting open source apps ready for secure, approved government use (Friendly wrapper around OpenScap)
EasySCAP - A simple (but equivalent) format for writing SCAP tests, by GovReady. See also the EasySCAP Output Demo for a YAML version of the SCAP-Security-Guide content
OpenSCAP - Open Source NIST Certified SCAP 1.2 toolkit (on GitHub at https://github.com/OpenSCAP/openscap)
SSG SCAP Security Guide - security guidance, baselines, and associated validation mechanism; currently supporting SCAP for RHEL 6 and JBoss
Aqueduct - Effort to collect automated changes to RHEL that meet government and Defense Department security compliance requirements; uses bash and Puppet.
NIST Checklist Program - Official NIST program to promote hardened configuration checklists for software