0025-compliance-documentation.md
25. How to document compliance work

Date: 2023-02-27

Status

Accepted

Context

Compliance documentation is an essential component of working in the open while providing clear and obvious evidence of security considerations, concerns, and mitigations.

The prior decision to use OSCAL with Trestle isn’t practical given personnel considerations.

Decision

We will use spreadsheets and other documentation to track the compliance work.

We will continue to generate diagrams with PlantUML.

Considerations:

  • Lack of familiarity of team personnel with OSCAL/Trestle.
  • Reduction of technical maintenance—the existing code in the compliance directory was generating Dependabot issues.
  • Concerns that OSCAL/Trestle does not fully match GSA’s ATO processes.

Consequences

  • ATO documentation will need to be tracked using documents/spreadsheets, requiring manual coordination.
  • We will remove the /compliance directory from main.

Note

Was previously ADR 0016; renamed/renumbered when PDRs and ADRs were merged.