Merge pull request #63 from cloud-gov/peterb/fix_include

Procedure updates for breakglass, fix including TTS common to be prettier

.gitignore

@@ -1,2 +1,4 @@
 *pdf
 _tmp.md
+tmp*md
+bq_tts.md

AC-Policy.md

@@ -23,12 +23,10 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-<!-- 
-include({{TTS-Common-Control-Policy.md}}) 
---> 
-
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
 
 # Procedures
 
@@ -65,6 +63,14 @@ cloud.gov's customers gain access to the system in a similar fashion. The Client
 
 See SSP controls AC-2(9), AC-2(10), AC-21.
 
+The cloud.gov infrastructure service does have an emergency fallback
+"breakglass" account with keys that are kept in secure storage. Any
+use of the breakglass credentials generates alerts to Cloud Operations. We
+have code to rotate those credentials on-demand.
+
+See SSP controls AC-2(1)
+
+
 Within cloud.gov, both the permissions of users (whether internal or external) and the logical flow of data through the system is tightly controlled and regulated. Manual movements of data are strictly prohibited. Everything is subject to the virtual network, application, and container restrictions that are instantiated through cloud.gov's adherence to immutable "infrastructure as code."
 
 See SSP controls AC-4, AC-4(21), AC-17(3), AC-17(9), AC-19, AC-20 (2), and the CM controls.

AT-Policy.md

@@ -22,9 +22,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 If cloud.gov staff fail to comply with GSA security training requirements, their access to all GSA information systems is terminated. This includes access to cloud.gov systems.

AU-Policy.md

@@ -25,9 +25,12 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
+
 # Procedures
 
 Our audit procedures ensure we gather events to assess our security posture,

CA-Policy.md

@@ -25,9 +25,12 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
+
 # Procedures
 
 As a cloud service provider that is also part of the General Services Agency (GSA), a federal agency, GSA TTS ensures cloud.gov invests in comprehensive risk management assessments.

CM-Policy.md

@@ -23,9 +23,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 cloud.gov's specific configuration management procedures are packaged with the actual code of the cloud.gov system. Below is an overview of our procedures along with citations to controls and relevant GitHub repositories.

CP-Policy.md

@@ -28,8 +28,10 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
 ---
 # Procedures
 

IA-Policy.md

@@ -21,8 +21,10 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
 ---
 # Procedures
 

IR-Policy.md

@@ -29,8 +29,10 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
 ---
 # Procedures
 

MA-Policy.md

@@ -21,9 +21,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 Software maintenance on cloud.gov is accomplished via the procedures of [Configuration Management (CM)](https://github.com/cloud-gov/cg-compliance-docs/blob/master/CM-Policy.md) and [System and Services Acquisition (SA)](https://github.com/cloud-gov/compliance-docs/blob/master/SA-Policy.md). Please see those control families for details.

MP-Policy.md

@@ -22,9 +22,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 Not applicable.

Makefile

@@ -5,15 +5,19 @@ PDF_FILES=$(patsubst %.md, %.pdf, $(MD_FILES))
 .PHONY : all
 all: $(PDF_FILES)
 
+## bq_tts.md   : generate the intermediate blockquoted TTS commmon policy
+bq_tts.md: TTS-Common-Control-Policy.md
+	cat $< | sed -e 's/^/> /' > $@
+
 ## pdf         : generate a single PDF
-%.pdf: %.md
-	m4 -I./ $< > _tmp.md
-	pandoc -o $@ _tmp.md -V colorlinks=true -V linkcolor=blue -V urlcolor=blue -V toccolor=gray
-	rm _tmp.md
+%.pdf: %.md bq_tts.md
+	m4 -I./ $< > tmp_$<
+	cat tmp_$< | sed -e 's/<!-- x//' -e 's/x -->//' | pandoc -o $@ -V colorlinks=true -V linkcolor=blue -V urlcolor=blue -V toccolor=gray
+#	rm tmp_$<.md
 
 ## clean       : rm PDF and temp files
 clean:
-	rm *pdf *tmp.md
+	rm -f *pdf *tmp.md tmp*md bq_tts.md
 
 ## variables   : Print variables.
 .PHONY : variables

PE-Policy.md

@@ -26,10 +26,12 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
-# Procedures
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
+# PE Procedures
 
 Not applicable.
 

PL-Policy.md

@@ -23,9 +23,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 Using the most current FedRAMP SSP template, 18F developed, and GSA TTS maintains, a system security plan which includes the cloud.gov PaaS and encompasses the cloud.gov applications. The security plan is developed in accordance with NIST Special Publication 800-18 R1 Guide of Developing Federal Information System Security Plans, as well as FedRAMP guidance. The System Security Plan:

PS-Policy.md

@@ -23,9 +23,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 For personnel categorization, position risk designation is assigned by the GSA Office of Human Resources Management (OHRM), GSA TTS Talent, and GSA TTS Supervisors. We follow the methodology prescribed in the Office of Personnel Management’s (OPM) Federal Investigations Notice, No. 10-06. Risk designations are re-categorized whenever responsibilities change, the impact level of the system or the information in it changes, or at least once every three years.

RA-Policy.md

@@ -25,9 +25,10 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
 # Procedures
 
 All GSA teams, being part of a federal agency, follow the risk assessment and management process outlined in [NIST Special Publication (SP) 800-37](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf), _Guide for Applying the Risk Management Framework to Federal Information Systems_.

README.md

@@ -6,13 +6,33 @@ For cloud.gov compliance documentation, see: https://github.com/cloud-gov/cg-com
 
 This is a public repository following [18F's Open Source Policy](https://github.com/18F/open-source-policy/blob/master/policy.md). See our [LICENSE.md](LICENSE.md) and [CONTRIBUTING.md](CONTRIBUTING.md) files for additional information.
 
+## Generating PDFs for assessors
+
 To generate PDFs of all the Markdown files, install `pandoc` (e.g. 
-`brew install pandoc`), then:
+`brew install pandoc`), and `basictex` (e.g. `brew install basictex`) then:
 
 ```shell
 make all
 ```
 
+## Editing documents
+
+We've created the `...Policy.md` documents to all include the file, `TTS-Common-Control-Policy.md`. 
+As Markdown in GitHub, that's simply a linked URL. To generate PDFs, we use the `m4`
+commands `changequote` and `include` to make an intermediate tmp file, then pipe that
+through to `sed` and `pandoc` to strip the "magic" comments and generate the final
+output.
+
+In short, maintain the following snippet in the input files to include the TTS common
+controls:
+
+    <!-- x
+    changequote(`{{', `}}') 
+    include({{bq_tts.md}})
+    x -->
+
+(The `changequote` is superfluous, we could just do ``include(`bq_tts.md')``)
+
 ## Public domain
 
 This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):

SA-Policy.md

@@ -23,9 +23,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 The cloud.gov program uses two-week planning sprints. Before each sprint, work is prioritized, inclusive of security needs. The cloud.gov CSP is part of the Technology Transformation Service (TTS) within GSA; cloud.gov coordinates with TTS and GSA leadership to appropriately plan for cloud.gov’s budget and staffing needs.

SC-Policy.md

@@ -23,9 +23,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 Only privileged cloud.gov team roles (such as System Owner and Cloud Operations) have privileged Cloud Foundry API access, granted via User Account and Authentication (UAA) Server group membership. The cloud.gov team manages information system functionality surrounding and supporting the Cloud Foundry components via AWS, GitHub, and Concourse. Users do not get access to these facilities.

SI-Policy.md

@@ -25,9 +25,11 @@ See the **_Applicability_** section of the GSA IT Security Policy.
 
 For information on roles and responsibilities, management commitment, coordination among organizational entities, compliance, reviews, and updates please see the [Technology Transformation Service's (TTS) Common Control Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/master/TTS-Common-Control-Policy.md).
 
-<!-- changequote(`{{', `}}') -->
-include({{TTS-Common-Control-Policy.md}})
----
+<!-- x
+changequote(`{{', `}}') 
+include({{bq_tts.md}})
+x -->
+
 # Procedures
 
 The cloud.gov team identifies cloud.gov system flaws, tracks and reports them, and corrects them.

TTS-Common-Control-Policy.md

@@ -1,4 +1,3 @@
--->
 
 # TTS Common Control Policy