System Security Plan & Cybersecurity Asset Management Platform
A production-quality, on-premises Django web application for managing System Security Plans (SSPs), cybersecurity asset baselines, security control implementations, POA&M tracking, and compliance artifacts — aligned with DCSA DAAPM/DAAG, NIST SP 800-53 Rev 5, and CMMC frameworks.
- Architecture Overview
- Module Map
- Data Model Summary
- API Endpoints
- Role-Based Access Control
- Quick Start (Development)
- Production Deployment (Docker)
- Loading the NIST 800-53 Control Catalog
- SSP Export Package
- Audit Logging
- Future Enhancements
┌─────────────────────────────────────────────────────────────┐
│ Nginx (TLS) │
│ Port 443 → Gunicorn (port 8000) │
└──────────────┬──────────────────────────┬───────────────────┘
│ │
┌─────────▼──────────┐ ┌──────────▼─────────┐
│ Django (Python) │ │ Static / Media │
│ Template Views │ │ Files (local/S3) │
│ DRF REST API │ └────────────────────-┘
└─────────┬──────────┘
│
┌─────────▼──────────┐ ┌────────────────────┐
│ PostgreSQL 15 │ │ Redis 7 │
│ Primary DB │ │ Celery Broker │
│ │ │ Task Results │
└────────────────────┘ └────────────────────┘
│
┌─────────▼──────────┐
│ Celery Workers │
│ (export, tasks) │
└────────────────────┘
Stack:
- Backend: Django 4.2, Django REST Framework 3.14
- Database: PostgreSQL 15
- Task Queue: Celery 5 + Redis 7
- Frontend: Django Templates + Bootstrap 5 (dark theme) + Chart.js
- File Storage: Local filesystem or S3-compatible (MinIO)
- Deployment: Docker Compose + Gunicorn + Nginx
ssp_platform/
├── config/
│ ├── settings/
│ │ ├── base.py # Shared settings
│ │ ├── development.py # Dev overrides (DEBUG=True)
│ │ └── production.py # Production (security hardened)
│ ├── urls.py # Root URL configuration
│ ├── celery.py # Celery app configuration
│ └── wsgi.py
│
├── apps/
│ ├── core/ # Base models, mixins, middleware, context processors
│ ├── systems/ # InformationSystem registry (top-level container)
│ ├── assets/ # Hardware asset inventory & baseline tracking
│ ├── software/ # Software baseline & approval management
│ ├── users/ # SSPUser, UserSystemAccount, role management
│ ├── controls/ # NIST 800-53 catalog, per-system implementations
│ ├── poam/ # Plan of Action & Milestones tracking
│ ├── maintenance/ # Change log, baseline deviations
│ ├── artifacts/ # Evidence repository (versioned, hashed)
│ ├── exports/ # SSP export engine (JSON, DOCX, ZIP)
│ ├── audit/ # Immutable audit log + middleware
│ └── dashboard/ # Security posture metrics aggregation
│
├── frontend/
│ ├── templates/ # Django HTML templates (Bootstrap 5 dark theme)
│ └── static/
│ ├── css/ssp.css # Platform stylesheet
│ └── js/ssp.js # Platform JavaScript
│
├── deployment/
│ ├── docker/Dockerfile # Production container
│ └── nginx/ssp_platform.conf
│
├── docker-compose.yml # Full stack: Nginx + Django + Celery + PG + Redis
├── requirements.txt
├── manage.py
└── .env.template # Environment variables template
InformationSystem (1)
├── HardwareAsset (N) ← assets app
│ └── AssetSoftwareInstallation (N) ← links to SoftwareBaseline
├── SoftwareBaseline (M2M) ← software app
├── UserSystemAccount (N) ← users app (system-level accounts)
├── ControlImplementation (N) ← controls app (one per control per system)
│ └── ControlEvidenceLink ← links implementation to EvidenceArtifact
├── POAMItem (N) ← poam app
│ ├── → ControlImplementation (FK)
│ └── → HardwareAsset (M2M)
├── MaintenanceLog (N) ← maintenance app
├── EvidenceArtifact (N) ← artifacts app
│ └── ArtifactVersion (N) ← historical versions
├── ApprovalSignature (N) ← systems app
└── AuditLogEntry (N) ← audit app (system-scoped events)
| Model | App | Description |
|---|---|---|
InformationSystem |
systems | Top-level SSP container — all data belongs to one system |
HardwareAsset |
assets | Physical/virtual asset with baseline status tracking |
SoftwareBaseline |
software | Approved software with version, license, approval status |
SSPUser |
users | Custom user model (extends AbstractUser) with clearance/role |
UserSystemAccount |
users | Per-system account record for baseline tracking |
SecurityControl |
controls | NIST 800-53 catalog entry (system-agnostic) |
ControlImplementation |
controls | System-specific implementation narrative for one control |
POAMItem |
poam | Weakness tracking with severity, remediation plan, milestones |
MaintenanceLog |
maintenance | Change record with baseline deviation flag |
EvidenceArtifact |
artifacts | Uploaded file with SHA-256 hash + version history |
AuditLogEntry |
audit | Immutable event record (no update/delete permissions) |
Base path: /api/v1/
| Endpoint | Methods | Description |
|---|---|---|
systems/ |
GET, POST | List / create information systems |
systems/{id}/ |
GET, PUT, PATCH | System detail / update |
systems/{id}/dashboard_summary/ |
GET | Full posture metrics |
systems/{id}/control_status/ |
GET | Control implementation counts |
controls/catalog/ |
GET | Browse NIST 800-53 catalog |
controls/catalog/bulk_import/ |
POST | Import catalog JSON (admin only) |
controls/implementations/ |
GET, POST | Control implementations |
controls/implementations/by_system/ |
GET | Filter by system |
controls/implementations/status_summary/ |
GET | Aggregate status counts |
poam/ |
GET, POST | List / create POA&M items |
poam/{id}/approve/ |
POST | Approve POA&M (ISSM/ISSO) |
poam/{id}/comments/ |
GET, POST | POA&M comments |
poam/overdue/ |
GET | All overdue items |
artifacts/ |
GET, POST | List / upload artifacts |
artifacts/{id}/versions/ |
GET | Version history |
artifacts/{id}/new_version/ |
POST | Upload new version |
exports/generate/ |
POST | Generate SSP export ZIP |
audit/ |
GET | Audit log entries |
All API endpoints require authentication. Role-based filtering is enforced in each viewset.
| Permission | Admin | ISSM | ISSO | Engineer | Auditor | Read-Only |
|---|---|---|---|---|---|---|
| Create system | ✓ | ✓ | ||||
| Edit system | ✓ | ✓ | ✓ | |||
| Edit controls | ✓ | ✓ | ✓ | ✓ | ||
| Create POA&M | ✓ | ✓ | ✓ | ✓ | ||
| Approve POA&M | ✓ | ✓ | ✓ | |||
| Upload artifacts | ✓ | ✓ | ✓ | ✓ | ||
| Export SSP | ✓ | ✓ | ✓ | |||
| View audit log | ✓ | ✓ | ✓ | |||
| Manage users | ✓ |
- Python 3.12+
- PostgreSQL 15+
- Redis 7+
- Node.js (optional, for docx generation)
# 1. Clone and create virtual environment
git clone <repo-url> ssp_platform
cd ssp_platform
python -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
# 2. Install dependencies
pip install -r requirements.txt
# 3. Configure environment
cp .env.template .env
# Edit .env with your local database credentials
# 4. Set up PostgreSQL
createdb ssp_platform_dev
createuser ssp_user
psql -c "ALTER USER ssp_user WITH PASSWORD 'devpassword';"
psql -c "GRANT ALL PRIVILEGES ON DATABASE ssp_platform_dev TO ssp_user;"
# 5. Apply migrations
export DJANGO_SETTINGS_MODULE=config.settings.development
python manage.py migrate
# 6. Initialize platform (creates admin user + default groups)
python manage.py initialize_platform \
--admin-email admin@example.com \
--catalog-file /path/to/nist_800_53_rev5_catalog.json
# 7. Collect static files
python manage.py collectstatic --noinput
# 8. Start Redis (separate terminal)
redis-server
# 9. Start Celery worker (separate terminal)
celery -A config worker --loglevel=info
# 10. Start Django
python manage.py runserver 0.0.0.0:8000Access the platform at http://localhost:8000
Admin interface at http://localhost:8000/admin/
- Docker 24+
- Docker Compose v2
- TLS certificate (self-signed or CA-issued)
- Strong secrets for all environment variables
# 1. Copy and configure environment
cp .env.template .env
# Fill in ALL variables — especially DJANGO_SECRET_KEY, DB_PASSWORD, REDIS_PASSWORD
# 2. Generate a strong secret key
python -c "import secrets; print(secrets.token_hex(50))"
# 3. Place TLS certificates
mkdir -p deployment/nginx/certs
cp /path/to/fullchain.pem deployment/nginx/certs/
cp /path/to/privkey.pem deployment/nginx/certs/
# 4. Build and start
docker compose up -d --build
# 5. Initialize platform (first-time only)
docker compose exec web python manage.py initialize_platform \
--admin-email admin@yourorg.gov \
--catalog-file /app/nist_catalog.json
# 6. Check health
docker compose ps
docker compose logs webServices started:
nginx— Reverse proxy with TLS (ports 80, 443)web— Django/Gunicorn (internal port 8000)celery_worker— Background task processingcelery_beat— Scheduled tasksdb— PostgreSQL 15redis— Redis 7 (Celery broker)
git pull
docker compose build web celery_worker celery_beat
docker compose exec web python manage.py migrate --noinput
docker compose up -dDownload the OSCAL JSON catalog from NIST:
https://github.com/usnistgov/oscal-content/tree/main/nist.gov/SP800-53/rev5/json
Import:
# Via management command
python manage.py initialize_platform \
--skip-groups \
--catalog-file NIST_SP-800-53_rev5_catalog.json
# Via API (Administrator role required)
curl -X POST https://ssp.yourorg.gov/api/v1/controls/catalog/bulk_import/ \
-H "Authorization: Token <your-token>" \
-H "Content-Type: application/json" \
-d @NIST_SP-800-53_rev5_catalog.json
# Via Django admin
# Admin → Security Controls → Bulk ImportAfter import, assign control implementations to each system:
# Auto-create implementations for all catalog controls on a system
python manage.py shell
>>> from apps.systems.models import InformationSystem
>>> from apps.controls.models import SecurityControl, ControlImplementation
>>> system = InformationSystem.objects.get(acronym="YOUR-SYS")
>>> controls = SecurityControl.objects.filter(in_moderate_baseline=True)
>>> for ctrl in controls:
... ControlImplementation.objects.get_or_create(system=system, control=ctrl)POST /api/v1/exports/generate/
{
"system_id": "<uuid>",
"formats": ["json", "docx"]
}Returns a ZIP download containing:
| File | Description |
|---|---|
manifest.json |
Package index: export timestamp, system info, file checksums, counts |
ssp.json |
Full machine-readable SSP (all sections) |
ssp.docx |
Formatted Word document with all SSP sections, tables, and control narratives |
artifact_hashes.json |
SHA-256 hash manifest for all evidence artifacts |
The export is gated by the can_export_ssp permission (Administrator, ISSM, ISSO roles). All exports are recorded in the audit log.
All significant actions are recorded in AuditLogEntry (immutable — no update/delete permissions exposed):
- Authentication events (login, logout, failed logins)
- System record changes (create, update)
- Asset changes (add, update, baseline status change)
- Control implementation updates
- POA&M create, update, approve
- Artifact uploads and new versions
- Baseline changes
- SSP export events
- User account changes
The audit log is queryable at /audit/ (ISSM/Administrator/Auditor roles) and via the Django admin.
| Variable | Required | Description |
|---|---|---|
DJANGO_SECRET_KEY |
✓ | 50+ character random secret |
DJANGO_ALLOWED_HOSTS |
✓ | Comma-separated hostnames |
DB_NAME |
✓ | PostgreSQL database name |
DB_USER |
✓ | PostgreSQL username |
DB_PASSWORD |
✓ | PostgreSQL password |
DB_HOST |
✓ | PostgreSQL host |
REDIS_PASSWORD |
✓ | Redis authentication password |
USE_S3 |
true to use S3/MinIO for file storage |
|
AWS_S3_ENDPOINT_URL |
MinIO/S3-compatible endpoint | |
LDAP_ENABLED |
true to enable LDAP/AD authentication |
|
LDAP_SERVER_URI |
LDAP server URI | |
ORG_NAME |
Organization name shown in UI |
The architecture is designed for extensibility. Planned/supported extensions:
| Enhancement | Implementation Path |
|---|---|
| Vulnerability scan ingestion | New vulns app; ingest Nessus/OpenVAS XML/JSON; auto-create POA&Ms |
| Compliance scoring | Extend dashboard service with weighted scoring per family |
| Automated evidence checks | Celery tasks to verify artifact hash integrity on schedule |
| Maintenance approval workflows | Extend MaintenanceLog with approval state machine + notifications |
| Asset discovery import | CSV/XML import commands; API endpoint for CMDB integration |
| Additional frameworks | Add RMF, FedRAMP, CMMC control catalog loaders alongside NIST |
| Elasticsearch search | Enable django-elasticsearch-dsl and index controls/assets |
| Vulnerability management | Integrate with NIST NVD API for CVE enrichment on software baseline |
| Network diagram upload | Extend artifact types; add diagram viewer |
| Notification system | Django signals → email/Teams/Slack alerts for overdue POA&Ms and expiring ATOs |
- All sessions expire after 1 hour of inactivity
- CSRF protection enabled on all state-changing requests
- All file uploads are MIME-type validated and size-limited (100 MB)
- Media files are served through Django (not Nginx) to enforce authentication
- Audit log entries cannot be modified or deleted (enforced at Django permission level)
- SHA-256 hashes computed server-side on all artifact uploads
- HTTPS enforced via HSTS with 1-year max-age in production
- Non-root Docker container user (
ssp) - PostgreSQL serializable isolation level for data integrity
SSP Management Platform — Built for DCSA DAAPM / DAAG, NIST SP 800-53 Rev 5, CMMC