Everything about developing and deploying software is accelerating…except for compliance. Why? Because:
maintaining written documentation is too slow,
pondering how jargon-laden control guidance applies is too hard,
there’s little reuse, and no compliance documentation supply chain.
To stop needing months to authorize systems that deploy in minutes, assessments and authorizations need to be assembled from vetted, pre-fabricated components sourced from the same software supply chain with which we assemble applications.
How GovReady-Q Accelerates Compliance¶
GovReady accelerates compliance through component-centric guidance, pre-written documentation, and collaboration.
When you use or install GovReady-Q, you gain access to a marketplace of small, self-service compliance apps written by peers and vendors that map system components to security controls and guide you step-by-step through assessments and documentation.
As you and your teammates collaboratively answer questions, the compliance apps work with GovReady-Q to store your data in a relational database and automagically generate and maintain your compliance artifacts for auditors.
GovReady-Q’s contribution to Compliance-as-Code is the data abstractions for shareable, reusable, and customizable packages—Compliance Apps—to map the relationship between a system component and a set of controls. The approach is innovative, yet familiar. Compliance Apps:
enable a hub/marketplace for community contributions;
extend inherited controls model to each system component;
enable modern, user-friendly experiences;
support agile, iterative workflows.
GovReady-Q software is “Beta” software best suited for early adopters needing faster compliance for DevSecOps.
Compliance is not security. Compliance scales security.
Compliance is a technique humans have developed for enabling trust in systems that are too large and complex for individuals to assess trustworthiness. Compliance scales participation, attestation and verification of recommended practices.
We love security and innovation and believe they enable each other.
We believe security and compliance are standard, not premium add-ons.
We view compliance as a by-product of a well-instrumented process.
We value ease-of-use to increase adoption.
We value automation to increase consistency.
We see virtualization and DevOps enabling massive gains in security and compliance.
Easy-to-use, beautiful questionnaires
Jargon-free approach to security controls and compliance
Step-by-step guidance through assessments
Compliance-as-Code approach to creating compliance documentation
Discuss questions and answers in the tool instead of in email
Support for rich, clear multi-media and multi-channel communication
RESTful Automation API to integrate with DevOps pipeline and existing agents
Innovative, reusable “Compliance Apps” model
Friendly Open Source license so you can start now
The official GovReady-Q documentation is maintained at govready-q.readthedocs.io.
Commercial support for GovReady-Q is provided by GovReady PBC. Email firstname.lastname@example.org.
Sign up for Security Notifications email list at GovReady Security Alerts.
Reporting Bugs & Issues¶
Please file bug reports on the GovReady-Q issue tracker. When reporting a bug, please include as much information as possible. This includes:
Install type: Hosted, Local, Docker, etc
Screenshot (if relevant)
License / Credits¶
This repository is licensed under the GNU GPL v3.
About GovReady PBC¶
GovReady PBC is a Public Benefit Corporation whose mission is to lower the cost of innovation in digital services to citizens. GovReady’s innovative self-service IT compliance tool GovReady-Q was developed as part of an R&D contract to automate and lower the cost of cyber security compliance from the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division. GovReady PBC is based in the greater Washington, DC metro area.