As a user, I want to generate the summaries

[afeld]

There are a couple of documents that FedRAMP requires that are summaries of information in the System Security Plan:

• Control Implementation Summary (CIS)
• Customer Responsibility Matrix

These require painstaking updating by hand, but should be straightforward to generate (or at least get the summary information for them) through code.

[brittag]

There's also a third I have in mind:

The "Information System Security Policies and Procedures” SSP attachment includes a copy of the narratives for our -1 controls.

There’s no specific format for that document, I just made up a format with a custom-written overview and then copy-paste of the -1 controls from the SSP.

The story is that sometimes compliance reviewers want to holistically review our policies and procedures, so they want a doc that has an overall list of them (separate from the SSP).

We don't need to deliver updates to this document to our compliance reviewers very often (just at big milestones), but it's another type of document that needs to be manually updated (to match the SSP content) every time we do need to deliver it to compliance reviewers.

[brittag]

A few other things:

All of these SSP attachments require copy-and-paste of "Prepared by" and "Prepared for" information, which isn't too big a deal since it shouldn't really change, but it's a little annoying.

Some of these attachments require copy-and-paste of the "System description" from the SSP:

• Attachment 6 - Information System Contingency Plan
• Attachment 10 - FIPS-199

And the SAR (part of the FedRAMP documentation package, but maintained by our 3PAO instead of us) also requires a copy-paste of the "System description". This means we basically need to ask them copy-and-paste a fresh version (if we've updated it recently) before documentation delivery deadlines.