What You Most Need to Know About GovReady-Q

Why GovReady-Q?

Everything about developing and deploying software is accelerating…except for compliance. Why? Because:

  • maintaining written documentation is too slow,
  • pondering how jargon-laden control guidance applies is too hard,
  • there’s little reuse, and no compliance documentation supply chain.

To stop needing months to authorize systems that deploy in minutes, assessments and authorizations need to be assembled from vetted, pre-fabricated components sourced from the same software supply chain with which we assemble applications.

How GovReady-Q Accelerates Compliance

GovReady accelerates compliance through component-centric guidance, pre-written documentation, and collaboration.

When you use or install GovReady-Q, you gain access to a marketplace of small, self-service compliance apps written by peers and vendors that map system components to security controls and guide you step-by-step through assessments and documentation.

Apps map components to security/compliance controls

As you and your teammates collaboratively answer questions, the compliance apps work with GovReady-Q to store your data in a relational database and automagically generate and maintain your compliance artifacts for auditors.

GovReady-Q’s contribution to Compliance-as-Code is the data abstractions for shareable, reusable, and customizable packages—Compliance Apps—to map the relationship between a system component and a set of controls. The approach is innovative, yet familiar. Compliance Apps:

  • enable a hub/marketplace for community contributions;
  • extend inherited controls model to each system component;
  • enable modern, user-friendly experiences;
  • support agile, iterative workflows.

Attention

GovReady-Q software is “Beta” software best suited for early adopters needing faster compliance for DevSecOps.

GovReady-Q Philosophy

Compliance is not security. Compliance scales security.

Compliance is a technique humans have developed for enabling trust in systems that are too large and complex for individuals to assess trustworthiness. Compliance scales participation, attestation and verification of recommended practices.

  • We love security and innovation and believe they enable each other.
  • We believe security and compliance are standard, not premium add-ons.
  • We view compliance as a by-product of a well-instrumented process.
  • We value ease-of-use to increase adoption.
  • We value automation to increase consistency.
  • We see virtualization and DevOps enabling massive gains in security and compliance.

GovReady-Q Features

  • Easy-to-use, beautiful questionnaires
  • Jargon-free approach to security controls and compliance
  • Step-by-step guidance through assessments
  • Compliance-as-Code approach to documentation
  • Discuss questions and answers in the tool instead of in email
  • Support for rich, clear multi-media communication
  • RESTful Automation API to integrate with DevOps pipeline and existing agents
  • Innovative, reusable “Compliance Apps” model
  • Friendly Open Source license so you can start now

Using Hosted GovReady-Q

There’s nothing to install. Q.GovReady.com is the hosted, multi-tenant version of GovReady-Q.

  1. Visit Q.GovReady.com
  2. Fill out the form “About your organization” and “About you” to create your account
  3. Don’t worry about the Service Levels – everything’s available to everyone during the Beta phase
  4. We’ll contact you to help you get started

Attention

We will help you get up and running during the current Beta phase of the project while we make getting started easier.

The hosted version is an excellent solution if you have one project/system you are trying to get through NIST SP 800-53 or NIST SP 800-171 compliance, or you are just trying to pull together a few specific compliance documents like your Privacy Policy or Rules of Behavior. The hosted service is operated by GovReady PBC, the company behind GovReady-Q Compliance Server.

If you have questions about the hosted version, email info@govready.com.

System Requirements for GovReady-Q

If you prefer, you can download and install GovReady-Q on your own servers or servers under your control.

GovReady-Q is a Python 3, Django 2.0 application with a relational database back-end. GovReady-Q is compatible with operating systems and components generally supported by Django 2.0 and Python 3.

GovReady-Q has been successfully deployed on multiple Linux distros (RHEL 7, CentOS 7, Ubuntu 14 & 16), as a Docker container, as a Docker container in AWS Elastic Container Service, as a Docker container on OpenShift, and as a Vagrant virtual machine.

We’ve tried to make GovReady-Q installation straightforward and complete. Our documentation includes configuring the Python uWSGI environment, installing and running testing tools, adding sources for compliance security plan apps, and setting up your admin account and initial organization.

Hardware Requirements

Minimum Hardware

  • Single server to host both the multi-tenant GovReady-Q application and the database
  • Linux-compatible hardware
  • 2GB RAM
  • 10 GB storage (for database)

Recommended Hardware

  • 2 servers: 1 for the multi-tenant GovReady-Q application; 1 for the database server
  • Linux-compatible hardware (64 bit architecture; FIPS-140-2 validated cryptographic module)
  • 8GB RAM for each server
  • 100 GB storage (for database server)

Software Requirements

Required Software Packages (partial list) for the GovReady-Q application

  • Python 3.x
  • Django 2.x
  • Jinja 2.x
  • uwsgi 2.x
  • unzip
  • graphviz
  • pandoc
  • Wkhtmltopdf
  • Git 2.x
  • supervisor

Supported Databases

  • Postgres 9.4 (psycopg2 2.7.5 adapter)
  • Mysql 7.6 and higher (mysqlclient 1.3.12 adapter)
  • SQLite 3.x

Recommended Database

  • Postgres 9.4 (psycopg2 2.7.5 adapter)

SMTP Mail Server (for sending email notifications and receiving comments via email)

  • Any SMTP mail server (MTA) supporting STARTTLS connections.

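A pre-flight script for a self-hosted install that checks the host against the hardware and software lists above. This is an added example, not part of the GovReady-Q project or its documentation: it assumes the usual binary names for the listed packages (`dot` for graphviz, `supervisord` for supervisor), reads RAM from `/proc/meminfo` on Linux, and uses `openssl s_client` to confirm that a mail server actually advertises STARTTLS before you point the application at it.

```shell
#!/bin/sh
# Added pre-flight check for a self-hosted GovReady-Q install (example code,
# not part of the GovReady-Q project). It inspects the local host against the
# requirement lists: command-line tools, RAM tier, and the SMTP STARTTLS rule.

# Required command-line tools from the "Software Requirements" list. The
# binary names are assumptions: graphviz ships `dot`, supervisor ships
# `supervisord`, and uWSGI installs a `uwsgi` binary.
REQUIRED_TOOLS="python3 uwsgi unzip dot pandoc wkhtmltopdf git supervisord"

# Print the names of any tools (given as arguments) that are not on PATH,
# one per line. Always returns 0 so it is safe under `set -e`.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
    return 0
}

# Classify installed RAM (whole GB) against the 2GB minimum / 8GB recommended
# figures from the hardware requirements.
ram_tier() {
    gb=$1
    if [ "$gb" -lt 2 ]; then
        echo "below-minimum"
    elif [ "$gb" -lt 8 ]; then
        echo "minimum"
    else
        echo "recommended"
    fi
}

# Read total memory in GB from /proc/meminfo (Linux); prints 0 elsewhere.
host_ram_gb() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 / 1024 }' /proc/meminfo
    else
        echo 0
    fi
}

# Attempt a STARTTLS handshake with an SMTP server (default port 587), as the
# mail requirement demands. Exit status 0 means the upgrade to TLS succeeded.
# Needs network access, so it is not run automatically below; call it as
#   smtp_supports_starttls mail.example.org 587
smtp_supports_starttls() {
    host=$1; port=${2:-587}
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:$port" \
        >/dev/null 2>&1
}

# --- local checks (no network) ---
missing=$(missing_tools $REQUIRED_TOOLS)
if [ -n "$missing" ]; then
    echo "Missing required tools:"
    echo "$missing"
else
    echo "All required tools found on PATH."
fi
echo "RAM tier: $(ram_tier "$(host_ram_gb)")"
```

Run it on the application server before installing; a non-empty "Missing required tools" list or a "below-minimum" RAM tier means the host does not meet the lists above. The STARTTLS check is deliberately separate because a server that accepts plaintext SMTP but fails the TLS upgrade would silently send notification mail unencrypted.
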
For a more detailed list of software dependencies and requirements see:

Downloading GovReady-Q

  • Current Release on Docker: https://hub.docker.com/r/govready/govready-q/
  • Nightly Build on Docker: https://hub.docker.com/r/govready/govready-q-nightly/
  • Clone the GitHub repo: https://github.com/govready/govready-q

Finding Compliance Apps

Compliance Apps are GovReady-Q's modular, shareable, reusable data packages mapping the relationship between system components and security controls. See Understanding Compliance Apps for a more detailed description.

For Hosted Version

When using the Hosted Version of GovReady-Q, GovReady PBC manages the Compliance Apps available to your organization. Send email to info@govready.com to request changes.

For Local Installs

The Docker and downloaded versions of GovReady-Q automatically load a small set of example Compliance Apps. Compliance Apps are published in collections known as “AppSources” (e.g., repos). Here are a few:

You can show and hide compliance apps from the Django administration page at main.localhost:8000/admin/guidedmodules/appsource/.

Creating Your Own Compliance Apps

To get started writing your own Compliance Apps see: Creating Compliance Apps.

Documentation

The official GovReady-Q documentation is maintained at govready-q.readthedocs.io.

Support

Commercial support for GovReady-Q is provided by GovReady PBC. Email info@govready.com.

Sign up for Security Notifications email list at GovReady Security Alerts.

Reporting Bugs & Issues

Please file bug reports in our GitHub issues. When reporting a bug, please include as much information as possible. This includes:

  • Install type: Hosted, Local, Docker, etc
  • URL
  • Action taken
  • Expected result
  • Actual result
  • Screenshot (if relevant)

License / Credits

This repository is licensed under the GNU GPL v3.

About GovReady PBC

GovReady PBC is a Public Benefit Corporation whose mission is to lower the cost of innovation in digital services to citizens. GovReady’s innovative self-service IT compliance tool GovReady-Q was developed as part of an R&D contract to automate and lower the cost of cyber security compliance from the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division. GovReady PBC is based in the greater Washington, DC metro area.