Introduction

This site contains the functional and technical specifications for OpenFISMA. Functional specifications (also known as business requirements) describe what the system does: the purpose of the system, the processes that it automates, and the way that users interact with it. The functional specification includes use cases, interface mockups, and details of business-related calculations. This kind of specification is useful to many different audiences: it can be used to write the user manual, to create marketing materials, or to understand the details of a particular report or calculation.

Technical specifications describe how the system works. Typically these cover low-level details that are of interest only to developers of the application.

Documentation is a tricky thing for software development projects. If a project has too little documentation, the correctness of the system cannot be verified, because there is no authoritative source describing what correct behavior is. On the other hand, if a project has too much documentation, it becomes a headache to keep up to date, and it eventually becomes useless because it no longer reflects how the application actually works.

To strike the right balance between these two extremes, the OpenFISMA project aims to document all of the important parts of the application concisely but without redundancy or an unnecessary level of detail.

Site Organization

OpenFISMA is constructed in a modular fashion; each module is intended to be useful on its own, so that enterprises using OpenFISMA can turn off the features they don't want. (Some features, however, are so intertwined with the others that they cannot be turned off.)

The documentation for OpenFISMA is written in the same structure, a collection of separate modules. Each module contains functional and technical specifications. Browse through the modular structure using the navigation menu to the left. The OpenFISMA modules are briefly summarized in the table below.

Module Name | Description
Administration | The Administration module contains the high-level administrative functions for OpenFISMA. Note that each module also has its own sub-administration area that is separate from this module.
Core | The Core module contains all the components that are common to the application and are used across the other modules. This includes items such as authentication, authorization, web application security, the search engine, etc.
Finding Management | The Finding Management module captures auditor findings. It provides a rich data model for storing findings as well as a flexible business process for managing the response to them. This module is designed to satisfy the FISMA requirement for a POA&M (Plan of Action and Milestones) capability.
Incident Response | The Incident Response module captures security incidents across the enterprise. Like findings, incidents have a rich data model and a flexible business process for managing the response to them. This module is designed to satisfy the FISMA requirement for an incident response capability.
System Inventory | The System Inventory module captures the assets, products, and system boundaries that constitute the enterprise's portfolio of information systems. These systems are stored in a hierarchy that the enterprise can use to model its management structure. This module is designed to satisfy the FISMA requirement for quarterly and annual reporting to OMB.
Vulnerability Management | The Vulnerability Management module captures the output of automated vulnerability scanners and turns the mass of data these tools typically produce into meaningful, actionable information. It helps assign accountability and track the aggregate risk level across the entire enterprise.

Automated Documentation

In addition to the documentation hosted on this site, we also run a couple of builds that produce automated documentation nightly.

If either of these links is broken, it may be a temporary effect of a broken build and should be fixed automatically on the following day.
