Skip to main content


The Vendors and Operators below have, unofficially and without any legally-binding commitment, endorsed the principles of Continuous Authorization, and have agreed to collaborate on the development of the OpenControl schema, tools and best practices.


Centers for Medicare & Medicaid Services (CMS)

The Centers for Medicare & Medicaid Services (CMS) is actively leveraging OpenControl in its work to improve cloud services and offerings for the agency! Happy to provide more details if helpful.


CivicActions is using OpenControl schema files to drive the ATO process for three Federal clients. We were using some home grown scripts and then switched to (which we like) and plan to check out compliance masonry again (as it’s been a while and the file formats should be compatible) to see what’s new in that arena.

GovReady BPC

We use OpenControl content within our innovative “compliance apps” that are reusable data packages that map a system component to the security controls in a compliance framework. These compliance apps link together in our open source compliance server software to form a complete picture of the IT system, the steps needed to reach an Authority to Operate, and automatically generate compliance artifacts.


The Compliance Masonry command-line tool is required to generate SSP documentation based on the pre-written Docker EE narratives in this repository. You can either download and run the Compliance Masonry tool directly from your local workstation or run it with Docker.

This data adheres to the OpenControl schema for building compliance documentation and can be used to support your own authority to operate (ATO) review process. The system security plan (SSP) documentation that can be generated from this content can be used to assist your organization in authorizing Docker Enterprise Edition on both on-premises/private cloud infrastructures and in public cloud providers.


ssCurrent plan is to incrementally go through the Red Hat product portfolio over the next year, releasing OpenControl-based SSPs for FISMA High across our platform, middleware, storage, identity management, and middleware portfolios.

Are you using OpenControl? submit a pull request to this document and add yourself.