►
From YouTube: GitLab for RMF NIST800 53
Description
A demonstration of how to use GitLab for RMF and NIST-800-53 R5 management.
A
Good
afternoon
I
will
be
talking
about
rmf
compliance
using
gitlab
today.
So,
let's
begin
with
an
introduction
to
myself,
my
name
is
samir
khamani.
I
am
a
senior
solutions,
architect
supporting
the
public
sector
territory
at
get
lab
and
where
I
want
to
begin
with
is
what
is
risk
management
framework.
A
A
Essentially,
where
that
leads
to
is
a
development
process
where
developers
develop
the
applications,
maybe
they're
contractors-
maybe
they
are
employees
of
government
employees
wherever
they
are.
They
would
then
send
the
application
over
the
board
to
the
security
folks,
who
would
test
the
application
for
various
security
vulnerabilities
and
then
essentially
report
their
findings
to
a
risk
management
authority.
A
A
Well,
that's
all
wonderful
and
seems
like
it's
a
great
process
that
the
government
has
adopted
and
it
actually
works
fairly.
Well
now,
where
is
the
problem,
though?
The
problem
is
that
the
in
the
event
of
trying
to
make
a
more
secure,
more
carefully
thought
out
process,
and
some
of
it
is
organically
developed.
Some
of
it
is
very,
very
directed,
very
purposefully
developed.
A
There
are
a
lot
of
times
when
the
process
becomes
very
complex.
It
slows
down
the
process
of
authority
to
operate
confirmment
on
any
given
system.
Essentially
it's
just
it.
It
just
adds
another
layer
of
bureaucracy,
another
layer
of
red
tape
that
the
project
team
has
to
navigate
through,
and
it
really
causes
the
breakdown
of
the
the
dev
ops
architecture
that
the
development
teams
would
may
be
trying
to
implement.
A
Generally.
What
ends
up
happening
is
developers
write
their
code
and
then
it
just
doesn't
go
fast
enough
into
production.
Meanwhile,
the
developers
have
already
moved
on
and
then,
by
the
time,
security
and
the
risk
management
pieces
of
it
come
into
place
generally.
By
way
of
a
poem
structure,
it
really
does
get
to
be
a
little
bit
too
late
in
the
in
the
game.
Sometimes
those
systems
are
already
hacked
by
them.
A
If
they
somehow
did
make
it
into
production
and
most
of
the
times
those
systems
never
see
the
light
of
day,
because
perhaps
the
business
has
changed.
Perhaps
the
congress
changed
its
mind.
Perhaps
the
agency
changed
its
mind,
things
happen
and
then,
last
but
not
least,
once
it
does
go
there,
there
is
an
audit
fatigue,
meaning
every
so
often
the
system
has
to
go
through
an
authority
to
operate
structure,
and
essentially,
where
does
that
lead
to?
Is
everybody
attempts
to
do
their
own
management?
A
A
Unfortunately,
every
team
wants
to
implement
it
their
own
way
because
they
feel
that
they
are
the
only
ones
who
understand
the
risk
that
is
involved
in
their
system
and
they
want
to
apply
the
controls
that
have
to
be
applied
to
their
system.
Nothing
wrong
with
that
process.
It
just
tends
to
be
very
singular
and
non-um
collaborative,
non-transparent
lack
of
transparency.
Those
kinds
of
things
happen
now
generally.
A
There
are
systems
out
there
that,
from
that
help
the
auditors
and
the
authorizing
officials
and
the
security
of
officers
and
the
project
teams
to
manage
their
work
and
deliver
a
comprehensive
risk
management
report.
A
But
the
security
team
doesn't
either
trust
those
tools
or
doesn't
know
what
process
was
used
to
embed
those
tools
and
therefore
can't
replicate
that
same
process
or
in
general.
They
just
prefer
to
use
their
own
tools
because
they
feel
like
they
know
the
security
space
better
and
they
can
do
a
better
job
at
identifying
those
vulnerabilities
and
weaknesses
in
the
systems
before
they
go
out
and
that's
all
well
and
good.
Traditionally,
those
lead
to
different
dashboards.
So
if
you
think
about
my
example,
you've
got
a
development
team.
A
That's
got
its
own
dashboard
where
they're
managing
these
things.
They
may
have
a
ticketing
system
where
they
are
entering
their
use
cases
and
their
user
stories
and
their
requirements
and
whatnots.
A
That's
a
huge
problem
right
now,
occasionally
it's
even
less
organized
than
that
in
the
sense
that
people
are
just
using
excel
spreadsheets
and
these
excel
spreadsheets
are
stored
on
network
drives
and
or
they're
emailed
back
and
forth,
and
every
team
has
their
own
excel
spreadsheet
in
their
own
way
of
defining
what
goes
in
there
and
how
they
use
it.
While
that
provides
a
lot
of
flexibility,
it
is
not
a
standardized
process
across
the
board.
A
That
is
a
huge
problem
and
then,
last
but
not
least,
the
collaboration
style
in
all
of
this-
and
I
haven't
even
talked
about
the
operation
side
of
things.
Yet
the
collaboration
side
of
things
in
this
is
very
conscious.
Every
email
or
every
notification
is
consciously
sent
to
certain
people.
They
some
people,
some
old
teams,
opt
to
drop
people
from
their
conversations
or
include
people
from
conversation
into
conversations,
there's
no
single
source
of
truth
of
any
conversation.
It's
some
email
thread
in
somebody's
email
trail
and
the
forensics
of
it
is
crazy.
A
Those
organizations
that
have
standardized
on
risk
management
framework
tools
are
receiving
data
from
all
these
other
systems.
But
yet
again
there
is
no
traceability
across
the
board.
If
a
system
didn't
feed
the
data,
there
is
no
way
to
know
that
the
system
didn't
feed
the
data.
If
a
process
failed,
there
is
no
way
to
know
what
failure
occurred
at
the
at
a
security
authorizing
official
level.
It's
all
at
the
at
the
below
the
layers
level
and
it's
difficult
to
maintain
it's
brittle.
It's
very,
very
brittle.
A
So
gitlab
is
a
single
application
to
manage
the
entire
devsec
ops
solution.
So
that's
kind
of
one
thing
that
it
does
really
well
is:
it
goes
across
the
board
and
it
creates
a
tremendous
opportunity
for
collaboration,
visibility,
transparency,
traceability
and
just
basically
storing
information
becoming
the
single
source
of
truth.
For
this
now,
additionally,
git
lab
has
different
utilities
and
tools
in
different
areas
to
support
this
entire
process.
That
goes
across
the
board.
For
example,
gitlab
already
has
included
within
it
application
security
scanning
tools,
that's
just
part
of
gitlab.
A
So
now
you
don't
have
to
worry
about.
Well,
how
do
I
incorporate
this?
My
security
tool
into
this
pipeline,
the
pipeline's
already
there
gitlab,
has
patterns
of
integration
that
it
has
defined
with
various
tools
in
the
industry,
in
addition
to
the
tools
that
gitlab
provides
out
of
the
box,
so
there's
multiple
choices
right
there
that
that
are
become
available
for
both
the
development
teams,
the
security
teams
and
the
operations
teams
to
be
able
to
leverage
to
do
what
they
need
to
do.
A
Third
thing
that
gitlab
offers
is
the
ability
to
orchestrate
various
other
tools,
such
as,
and
these
are
just
examples
that
come
to
the
top
of
my
mind,
are
terraform
and
vault,
and
things
like
that,
where
you
can
now
suddenly
do
get
ops
right
from
get
gitlab,
you
can
do
secrets
management
from
a
very
simplistic
integrated
workflow
that
is
in
get
lab.
Pre-Built
with
vault,
for
example,
security
scans
are
already
in
there,
the
deployments
and
the
workflow
of
how
the
deployments
work
where
the
deployments
are
being
made.
A
A
So
what
we
have
here
is
a
gitlab
project
that
I've
created.
It
actually
is
in
a
group.
So
gitlab
has
this
concept
of
groups
to
manage
various
different
projects
within
it.
So
imagine
that
you
may
have
a
coding
project
in
here
somewhere
that
has
some
code
in
it.
You
may
have
other
projects
there,
where
you're
just
managing
different
activities
in
the
workflow
of
what
you're
doing
there
are
different
things
that
you're
doing
with
that
sort
of
stuff.
A
A
The
the
compliance
project
is
based
off
of
the
nist
853
issue.
So
if
I
open
up
the
publication,
the
special
publication,
essentially
all
the
different
items
that
are
listed
in
here-
are
down
below.
A
So,
for
example,
if
I
pick
a
control,
if
I
pick
a
control,
ac
16,
for
example,
which
is
a
security
and
privacy
attributes,
so
the
control
is
defined
over
here
and
with
that
there's
a
discussion
of
how
somebody
would
go,
implement
it,
what
they
should
do,
what
they
need
to
do
and
then
there
are
related
controls
that
are
defined
within
it.
So,
similarly,
within
git
lab
what
what
has
been
done
is
to
create
the
same
sort
of
control.
So,
let's
go
to,
for
example,
ac
scene.
A
It
will
pull
up.
That's
the
same
exact
write-up,
so
this
right
up
here
defines
exactly
what's
going
on
in
the
control.
The
discussion
is
placed
right
over
here
and
then,
if
there
are
any
related
controls,
then
those
are
also
defined
over
here.
So
you
can
actually
hyperlink
through
into
the
other
control,
to
see
what
that
particular
control
might
mean.
So
these
kinds
of
tools
and
tricks
are
available
within
get
lab
to
associate
different
things.
A
Now
you
might
notice
that
in
this
case
the
provide
the
means
to
associate,
and
then
there
is
a
selection
that
somebody
has
to
do
to
define
the
control
parameters
that
is
really
simply
fixed
by
actually
editing
the
issue
going
to
that
particular
line
and
then
essentially
modifying
it
to
be
whatever
you
want
it
to
be,
and
so
you
kind
of
go
through
this
structure
and
do
that
and
essentially,
when
you
save
the
changes,
it
will
actually
save
the
changes
over
here
and
show
that
the
other
thing
that
gitlab
does
really
well
with
regards
to
this
is
there
are
labels
that
you
can
associate
to
these
issues.
A
So
what
we
have
done
is
we
have
labeled
something
called
ac,
which
is
essentially
the
access
control
label
and
then
ac
16,
which
is
sort
of
gives
you
the
ability
to
manage
the
control
family.
So,
for
example,
if
I
go
to
ac
16,
it's
going
to
actually
sort
by
ac16
and
show
me
the
entire
ac
16
family
of
controls.
A
A
A
A
A
A
Anywho,
so
we
have
the
ability
to
do
to
do
that
sort
of
search.
The
other
thing
I
can
do
is
also.
I
can
look
at
the
access
control
family
of
controls.
So
now
I
can
go
a
little
bit
higher
and
look
at
all
my
ac
controls
and
only
ac
controls.
As
you
can
see,
I
do
have
seven
pages
of
them,
but
at
least
I'm
able
to
sort
of
navigate
through
very
quickly
and
do
different
things.
A
That
is
sort
of
correct,
to
the
extent
that
when
you
look
at
the
issue
itself,
it's
just
giving
you
information
about
what
that
issue
is
and
what
that
means.
However,
because
git
lab
has
adjacency
to
the
ci
pipeline
right
over
here,
I
can
actually
define
a
specific
kind
of
workflow.
So
here
what
I've
done
as
an
example
in
this
branch
is
I've
incorporated
oscapscan,
so
oscap
is
openscap
scan
and
I
know
that
it
maps
to
ac6
control.
So
if
I
go
back
to
my
security
controls
and
go
to
ac6,
for
example,
it
is
not.
A
A
So,
for
example,
I
have
cm6,
which
is
an
open
scap
which
actually
calls
out
running
of
the
openscap
tool
to
identify.
If
there
are
things
there
are
many
ways
of
doing
that,
I
just
happen
to
choose
oscap
as
my
way
to
do
it
and
essentially
in
this
structure.
What
I've
done
here
is.
I
have
defined
a
ci
yaml
file,
which
is
how
I
normally
would
define
the
job
in
gitlab
or
a
pipeline
in
gitlab,
and
I
pull
down
the
openscap
tools
into
a
particular
image.
A
So
I
have
an
oracle
linux
image
over
here,
I'm
pulling
it
down.
I
am
then
installing
openscap
inside
that
I'm
running
the
stig
workflow
within
there
and
then
I'm
essentially
taking
the
report
and
doing
something
with
the
report
and
in
my
case
what
I'm
doing
essentially
is
I'm
checking
to
see
if
openscap
failed
or
not.
If
it
failed,
then
I
want
that
to
notify
something
that
that
had
failed
and
essentially,
in
my
case
I
am
notifying
cm6.
A
A
Then
what
I
will
see
in
there
is
that
it,
the
label,
needs
essenti
needs.
A
Attention
has
been
added
and
then
down
below
here
I
have
a
bot
that
actually
has
reported
that
openscap
was
performed
and
you
know
to
look
at
the
job
artifacts.
So
essentially,
I
know
that
something
failed
by
the
fact
that
there's
a
needs
attention
label
on
it
and
then
I
can
go
look
at
the
job
artifacts.
A
In
my
case,
I
want
to
review
the
html
of
it
and,
as
I
scroll
through
it,
I
see
that
yes,
indeed,
there
were
a
lot
of
different
things
that
have
failed.
So
I
know
that
my
cm6
has
failed
at
a
high
level.
There
may
be
other
controls
that
may
be
tied
to
these
specific
things
that
have
failed.
That's,
okay,
that's
a
separate
level
of
integration
that
that
we
can
look
at.
A
But
at
the
very
least
I
am
able
to
tell
that
because
I
failed
cm6,
I'm
not
ready
to
move
forward,
or
perhaps
I
am
ready
to
move
forward,
but
I
need
to
accept
the
risk
on
it.
So
at
this
point
we
can
have
the
authorizing
official,
essentially
remove
the
labels.
So
when
that,
when
I
remove
the
label
here,
let's,
let's
assume
I'm
the
authorizing
official-
I
remove
the
label
and
say
needs
attention
and
then
I
may
add
a
different
label
instead
and
I
may
say,
approved
or
something
of
that.
A
A
Or
I
may
mark
it
as
an
operational
task
of
some
sort,
or
I
may
mark
some
different
things
within
the
label
structure.
Once
I
do
that,
then
I
can
write
a
comment
about
why
I
did
what
I
did
here
and
I
can
move
forward
or
I
can
take
this
and
essentially
assign
it
to
an
another
individual.
So
perhaps
I
want
to
assign
it
to
the
tech
lead
that
is
managing
the
project.
The
said
project
that
was
just
scanned
and
the
tech
lead
can
then
take
a
look
at
the
same
results.
A
So
essentially,
as
was
when
I
assigned
this
to
the
tech
lead,
the
tech
lead
would
get
an
email,
tech
lead,
would
open
up
git
lab
and
they
would
be
able
to
see
the
same
job
artifact
that
the
security
individuals
saw.
So
they
are
looking
at
the
same
data
at
the
same
time
based
on
the
same
details
and
they
know
exactly
which
version
of
the
code
was
used.
A
What
the
pipeline
process
was,
because
everything
is
documented
right
within
gitlab
by
way
of
the
config
file
that
I
just
showed
you
a
little
bit
earlier
and
within
that
now
you
have
the
the
developer
or
the
team
lead,
or
project
manager
or
technical
architect.
Whoever
it
is,
can
look
at
this
and
say
yeah.
We
need
to
set
the
maximum
age
or
password
maximum
age
on
that
particular
image.
A
So
now
they
can
go
run
the
the
appropriate
script
to
manage
that
and
then
push
that
container
through
to
then
have
this
be
rerun
again
to
see
what's
going
on,
so
there
are
a
lot
of
different
aspects
that
that
kind
of
happen
within
this
workflow.
But,
as
you
can
see,
everything
is
managed
right
here
at
the
issue
level
now,
the
second,
so
this
was
showing
you
a
control
that
is
managed
automatically
by
way
of
some
pipeline
that
got
created.
A
Occasionally,
people
will
ask
me:
well
there's
this
policy
and
procedures
things,
for
example
ac
one,
and
in
this
case
it
is
basically
talking
about
something
that
is
documented
in
some
sort
of
security
system
or
some
sort
of
privacy
plan
or
something
well.
That's
easy
enough
to
do
right,
because
there
are
multiple
places
that
can
be
stored.
A
The
first
thing
that
that
a
security
official,
a
product
manager
project
manager
can
do
is
create
a
merge
request
right
from
here
and
that
merge
request
then
allows
them
to
create
markdown
documents
that
they
can
store
in
this
repository
that
become
artifacts
that
live
through
the
life.
There
are
multiple
benefits
of
making
a
markdown
document
that
goes
in
gitlab
because,
as
you
might
be
aware,
you
can
use
gitlab
to
manage
text
files
and
any
kind
of
changes
into
those
checks.
A
Text
files
can
be
protected
so
once
that
document
becomes
part
of
an
accepted
plan,
let's
say,
then
you
protect
that
branch.
That
is
your
main
branch
where
you
put
that
document
and
then
as
changes
need
to
be
made,
because
maybe
you're
adjusting
some
policies
or
your
or
some
new
regulation
or
directive
has
come
down,
and
you
need
to
add
that
into
that
document
you
can
continue
to
create
new,
merge
requests
and
continue
to
add
more
information
into
that
particular
document
and
thereby
making
it
a
living
document.
A
Multiple
benefits
in
that
one.
You
know
the
source
of
that
change.
It
may
have
come
through
wherever
it
may
have
come
through.
Gitlab
can
help
you
track.
That
second
thing,
you
know
who
made
that
change.
You
know
who
approved
that
change.
You
know
when
that
change
was
made
and
you
can
see
what
it
looked
like
prior
to
making
the
change
and
what
it
looked
like
after
the
change
was
made,
so
it
then
becomes
a
living
document
that
becomes
accessible
to
various
people
across
the
board.
A
A
A
Gitlab
offers
a
wiki
which
is
also
stored
as
a
git
repository
and
therefore
now
you
can
track
the
changes
in
the
wiki
itself.
Some
people
say
wiki
is
not
good
enough.
It
is
not
sophisticated
enough
for
me
to
be
able
to
do
different
kinds
of
document,
controls
and
different
kinds
of
linkages,
and
things
like
that
absolutely
correct.
A
A
You
can
extend
this
to
this
is
sticks
or
cc
ccnsis
whatever
it
is
that
you
want
to
do.
You
can
actually
kind
of
just
tweak
the
particular
issues
that
you
have
and
manage
them.