Human Centered Security and Evidence Management

The thing to store configs and run tests

Two overlapping goals:

Use plain english to ask questions about the site
- Questions can then be mapped to NIST 800-53 controls
Automate evidence collection everywhere possible
- Tag evidence with applicable control(s)

Baseline

Is SITE up?
Does SITE enforce HTTPS?
- Is SITE HSTS compliant?
Are there any non-encrypted data flows? (SC-08(01) narrative)
Does SITE build from infrastructure as code? (IaC, e.g. CloudFormation)
- CM-02(02) Baseline configuration automation
Is SITE on cloud.gov?
- Inherit many controls

Rolodex (user name, work email pulled from Login.gov authentication)
Are all users Privileged? (from System Description)
Is all authentication done via login.gov? (from System Description)
Must privileged users employ phishing resistant MFA? (Policy)
Must privileged users be identity proofed? (Policy)
Are privileged users regularly audited? (Demonstrate how)
- Can user privileges/accounts be removed/disabled quickly?
Are privileged user operations logged?

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
util		util
utils		utils
.editorconfig		.editorconfig
.env-template		.env-template
.gitignore		.gitignore
README.md		README.md
config.yml		config.yml
main.py		main.py
poetry.lock		poetry.lock
pyproject.toml		pyproject.toml
results.yml		results.yml
tests.py		tests.py
utils.py		utils.py