This page offers an overview of how to effectively use Content Management within EPM.
To make the most of this system, it's crucial to understand the core entities that comprise
the content management workflow. Below are the entities encompassed by this workflow:
Entity | Description | Editable | Possible States
Standards | Entities that represent compliance standards created by governments or Atlassian for a specific cause, e.g. FedRAMP, C5, Vulnerabilities. | Yes | Enabled, Disabled
Controls | Controls that belong to a particular standard. These entities are maintained in AGRC and are manually loaded by RM Developers. | No | N/A
Requirements | User-friendly representations of the guidance of controls. Example: Encrypt Data at Rest, which can be assigned to specific components for more specific guidance. | Yes | Draft, Archived, Enforced, Published
Components | Distinct representations of (usually) specific technologies, people, or services. Used to apply compliance to distinct entities. Examples: micros S3, service, micros RDS, user | Yes | Draft, Archived, Published
Responsibilities | Specific action items that arise on components. | Yes | Applicable, Archived
Most users visiting this page are likely looking to highlight an action item for service owners.
Therefore, the page is structured with that goal in mind.
⚠️ Important Prerequisite:
Ensure you have access to the Content Management Portal by being added to the statsig content-management-admin feature flag.
If you need assistance, please contact #help-enterprise-posture-management.
Standards
Before proceeding, determine whether you can reuse an existing standard. If you're unsure whether to create a new standard or use an existing one, first identify which compliance standard your action item applies to. Examples include FedRAMP Moderate and C5.
You can verify if the standard already exists by checking the EPM Standards Tab.
Reusing an Existing Standard
If you're certain that the standard already exists, follow these steps:
Verify the Standard is Enabled: Ensure the standard is enabled by toggling it in the content management details pane for the respective standard.
Check Associated Controls: Determine if any associated controls need adjustment. If controls are missing, they must be added. Note that managing control-to-standard relationships is not supported via the content management portal at this time. For assistance, please contact #help-enterprise-posture-management.
Creating a New Standard
If you need to create a new standard, use the "Create" button or the creation field row at the bottom of the table to instantiate a new standard. You will then need to assign controls to it.
Follow these steps, similar to managing existing standards:
Enable the Standard: Ensure the new standard is enabled.
Assign Controls: Assign the new standard to the relevant controls. For this process, assistance from #help-enterprise-posture-management will be necessary.
Controls
EPM does not directly manage controls. If a control is missing, it will need to be imported. Please contact a developer from #help-enterprise-posture-management for assistance with this process.
If you're unsure whether a control exists, you can search for it here: SCF Controls Portal.
Utilizing Existing Controls
If you're certain that the control already exists, you’re all set. No further action is needed!
Requirements
Creating a New Requirement
Create a Requirement: Click the "Create" button, enter a name for your requirement, and press [ENTER].
Provide a Description: Add guidance that service owners will see.
Populate Necessary Details:
Components: Declare which components are in scope by using the components field. If components don't exist, create them first in the components section.
Save Components: After selection, save to render them in your pane.
Responsibilities (Optional): You can declare responsibilities for each component here (more on this in the responsibilities section).
Assign Controls: Use the controls field to align your requirement with the relevant standards by selecting related controls.
Publish the Requirement: If satisfied with the requirement, click the "Publish" button.
Archiving a Requirement
Access the Requirements Tab: Navigate to the requirements tab in the Content Management Portal.
Select the Requirement: Choose the requirement you wish to archive.
Press the (...) icon in the top right corner: Choose the "Archive" option.
Components
If you're following this guide sequentially, you've reached this step because you've either created a requirement and assigned it to an existing component, or you're building a new component to associate with existing requirements.
EPM is a platform that measures compliance by evaluating specific component instances against the responsibilities declared in this section. Configuring your components and their associated responsibilities accurately is crucial for effectively surfacing action items to service owners.
Think of a component as a blueprint that outlines what the component is and the rules that must be followed when implementing it. For instance, your component might be AWS S3, and a responsibility declared for it could be "Encrypt Data at Rest." Responsibilities are not declared directly under the component; instead, they are linked through requirements scoped to the component. Therefore, you must declare responsibilities under the corresponding requirement.
Managing Components
Existing Components
Access the Components Tab: Navigate to the components tab in the Content Management Portal: Components Portal.
Select the Component: Choose the component you wish to modify.
Update Attributes: Depending on your needs, you can change the description or add new responsibilities. Refer to the creation section for additional guidance.
Creating a New Component
Access the Components Tab: Navigate to the components tab in the Content Management Portal: Components Portal.
Create a New Component: Click the "Create" button and provide a name for the new component.
Initial State: The new component will be created in a DRAFT state.
Publish the Component: Once ready, publish the component.
Add a Description: Provide a description if needed to clarify the component's purpose.
Assign to Requirements: Navigate to the requirements pane and assign the component to the relevant requirement(s) using the components field. Ensure you save your changes.
Declare Responsibilities: You can now declare responsibilities under the requirements associated with the component.
Archiving an Existing Component
Access the Components Tab: Navigate to the components tab in the Content Management Portal: Components Portal.
Select the Component: Choose the component you wish to archive.
Press the (...) icon in the top right corner: Choose the "Archive" option.
Responsibilities
If you're reading this section, we assume you've already created the necessary component and requirement. Responsibilities in EPM are categorized by "Fulfillment Types," which instruct the system on how a responsibility can be met.
Understanding Fulfillment Types
EPM currently supports the following fulfillment types for responsibilities:
Instance Guidance: This type requires users to manually declare compliance with the action item.
Instance Assessment: This type involves an external system providing evidence to EPM using a specific PLAN ID.
Component Adoption: Compliance with this type requires the use of one of the specified components, selected through a form.
Understanding the appropriate fulfillment type is crucial for determining how service owners will be deemed compliant.
Managing Responsibilities
Note: When a responsibility is upserted, the system automatically runs the following process:
Responsibility sync (instantiates responsibility records against the respective component instances)
Check component adoption on existing components
Check the assessment result in the RM assessment result table
If the responsibility was created before the evidence was ingested or before the associated component was discovered, you might have to kick off both of those jobs manually.
Modifying an Existing Responsibility
Identify Your Goal: Determine whether you need to change the responsibility's name, description, or fulfillment type.
Edit the Responsibility: Locate the responsibility and click the edit icon to open it in a dialog. Make the necessary changes.
Change Fulfillment Type (if needed): If your goal involves changing the fulfillment type, ensure you understand the new fulfillment requirements.
Creating a New Responsibility
Locate the Associated Component: Use the search bar or the content management component entry to find the component you wish to assign the responsibility to.
Load the Component: Once loaded, scroll down to find the related requirement.
Create Responsibility: Click the "Create Responsibility" button to open the responsibility creation dialog.
Select Fulfillment Type: Choose the appropriate fulfillment type. This is a critical step:
For Instance Assessment, provide the correct assessment plan ID when prompted.
For Component Adoption, specify a set of components. Users must adopt at least one to be deemed compliant. The system evaluates this using an OR operator.
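The evaluation rules this section and the upsert note above describe (the three fulfillment types, the OR semantics of Component Adoption, archived responsibilities being hidden, and a sync that can be re-run after late evidence ingestion or component discovery) as a constructed model. This is an added illustration, not EPM's own code; the class names, status strings and sample data are assumptions.

```python
"""Constructed model of the responsibility evaluation the page describes.
Illustration only, not EPM's code; names, statuses and data are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Fulfillment(Enum):
    INSTANCE_GUIDANCE = "instance_guidance"      # owner attests manually
    INSTANCE_ASSESSMENT = "instance_assessment"  # evidence keyed by plan ID
    COMPONENT_ADOPTION = "component_adoption"    # adopt one of N components (OR)


@dataclass(frozen=True)
class Responsibility:
    name: str
    component: str                          # component the requirement is scoped to
    fulfillment: Fulfillment
    plan_id: str = ""                       # Instance Assessment only
    accepted: frozenset = frozenset()       # Component Adoption only
    archived: bool = False                  # archived = hidden, never hard deleted


@dataclass(frozen=True)
class ComponentInstance:
    instance_id: str
    component: str
    adopted: frozenset = frozenset()        # components this instance uses
    attested: frozenset = frozenset()       # responsibilities attested manually


def sync_responsibilities(responsibilities, instances, assessment_results):
    """Re-runnable 'resp sync': one record per (active responsibility, instance of
    its component). assessment_results maps (instance_id, plan_id) -> passed.
    Only current evidence is read, so re-running after late evidence ingestion or
    late component discovery (the page's manual kick-off) picks up the new data."""
    records = {}
    for resp in responsibilities:
        if resp.archived:
            continue
        for inst in instances:
            if inst.component != resp.component:
                continue
            if resp.fulfillment is Fulfillment.INSTANCE_GUIDANCE:
                ok = resp.name in inst.attested
            elif resp.fulfillment is Fulfillment.INSTANCE_ASSESSMENT:
                ok = assessment_results.get((inst.instance_id, resp.plan_id), False)
            else:  # COMPONENT_ADOPTION: any one accepted component suffices (OR)
                ok = bool(resp.accepted & inst.adopted)
            records[(inst.instance_id, resp.name)] = "compliant" if ok else "action_required"
    return records
```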
Archiving an Existing Responsibility
Responsibilities cannot be hard deleted but can be archived, effectively hiding them from the system.
Find the Responsibility: Use the search bar or locate it via its corresponding component.
Edit the Responsibility: Click the edit icon to open the responsibility in a dialog.
Archive the Responsibility: Press the archive button within the dialog to archive it.