It would be very nice to be able to encrypt answers in the database. Perhaps all answers are encrypted. Or perhaps only some answers (and conversations) are optionally encrypted in the database.

Need to support checkbox answer type. Support checkbox with requirement of check only one option, check multiple, or check a specified number of options.

Is it necessary to have "Someone is editing this module" and then on a second line the name of the editor, or should we simply display the text "This module is being edited by Josh. You cannot make changes to it" in the pink notification section?

When a user is invited to a question or invited to edit a module, should the new user have to fill out user profile module before being brought to the question and/or module?

Or should the user answer question and then on next login be sent to the profile module?

Github uses a subtly different color in the header part of each comment if the comment was your own.

It's like Bootstrap, but for forms.

Just an invite, not to work on a module or join a discussion.

Although the Submit button is grayed out to indicate inactive, the cursor is still being placed inside the answer box on question type text when visiting a question as a guest. See: https://q.govready.com/tasks/2/animal-compliance?q=q1#discussion

Does it make sense for cursor to be kept out of the answer box when you are not an editor? Should there be a message if you try to answer question?

As a FISMA (emerging) expert and the point person for compliance on a project, I am likely to want to lead my colleagues through a module together while on a conference call. That way I can fill out the form while my colleagues collaborate in realtime. I want my colleagues to be able to follow along as I fill out the module having their screens update as answer questions.

This is an interesting example of a potential module. This doc, "Guide for Security-Focused Configuration Management of Information Systems" has worksheet in Appendix I, page I-5, I-6 "Attachment 1 Security Impact Worksheet".

These are questions team should be asking itself, according to NIST, when it looks at making changes. The questions are organized by Security family. How could this be made into a module? Should it be made into more than one module?

There are also flow diagrams toward end of publication.
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf

SC-7 has good examples for modules. SC-7 (9)

The information system:
SC-7 (9)(a)
Detects and denies outgoing communications traffic posing a threat to external information systems; and
SC-7 (9)(b)
Audits the identity of internal users associated with denied communications.

@JoshData If you are editor answering questions and start a conversation, the first comment you make is not saved or displayed until the page is reloaded. The page is not refreshed from the ajax. Refreshing the page displays comment. After page reloaded adding comments are displayed as expected.

Tested in Safari.

It would make sense for a project admin/editor to delete a completed or in progress module.
If a module with open invites is deleted, a "module/task" deleted page needs to be shown to other editor(s).

Change the project page to a simpler list of projects. Clicking on a project takes user to project page from which modules can be started.

We can then distinguish between "Project Home Page" and "User Home Page."

AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).

I got rid of that when I moved questions into the database. Need to re-implement.

add an instance_name field in the YAML which is a Jinja2 template that is used to update Task.titles as users enter answers

Recreate issue.

1. Login as user A on laptop and invite user B to a module.
2. Accept invite as new user B on mobile device. (Looks good on mobile.)
3. As user B on mobile device, invite new user C to take over module.
4. Accept invite to user C in same browser as logged into Q as user A.
5. Error: User A is assigned to be editor of module even though invite was sent to user C.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/Input

date, time, number, tel, url

As a user, I want to be notified of relevant updates to the modules and questions I am doing or am contributing.

Two types of notifications:

• stored notifications like GitHub notifications that I can visit when I log in and see what has been happening
• realtime desktop notifications that tell me X just happened

Temporarily assigned an A record on DigitalOcean for mg.govready.com resolving to 107.170.66.210 (the q.govready.com server at time of this ticket) in order for Josh's Mail-in-a-Box to accept mail from GovReady's use of mailgun service.

Need to correct this record at some point.

as an admin, I want to see who I've invited and who is a member

as a member, I want to see who the other members are

as a member, I want to see that I am a member of the project team

Like github.

Pull in user gravatar thumbnails based on email address in profile.

Now that we render variables in output templates more nicely (e.g. no answers of yesno questions are rendered as No), the variables work differently in the templates than in the impute conditions (where the variable would just be no). That's confusing.

Is it possible to reference to reference {{project}} within questions, too? (I'm guessing yes.)
Is it possible to reference something like {{project.notes}}? (I'm guessing, not yet.)

(But not to render choices I hope?)

It would be very nice to optionally include help text for every answer type (such as yesno and text). It would also be nice to optionally render a help that might describe the question in more details (or even link to something...)

Eventually, some modules can only be completed once and not have multiple instances. The module can be "reset" to empty and started again, but the module that can only have one instance per system can only have one instance per Information System.

Like the module question type, but where the answer is an array of tasks that complete that module, rather than a single one.

e.g. a Points of Contact submodule that answers Who are all of your points of contact?

• unit tests for question logic
• functional tests for site operations

It would be clearer to display the prompt of the question instead of the question title when listing questions in which you are participating.

If the prompt is long, only the first 50 or 75 characters can be shown.

After we have gravatars working, we could add default user thumbnails and also upload of user thumbnail images.

Is there any reason not to support two (or more) document templates per module? Each would show up with its own tab at completion of module.

The reason to support two or more templates is to continue to have the simple question and answer document while also generating official text using proper terms of art that even has imputed statements.

Josh says: Not being able to skip pushes us to think about the question design. If the user gets to a confusing question, it means we didn't ask the right questions before hand. Like a pre-question that's yes/no about whether they are the right person to ask the next question.

Greg says: But we can't anticipate, and we will make mistakes in our question design, and so we have to handle the use case where a user really doesn't known.

• Answering with some sort of null/NA.
• Mark a question as not-sure.
• Skipping a question.
• Going back to a previous question and answering it differently.
• Skip but you only get three passes. That's nice for forcing modules to not be that bad. Also makes sure users are really trying.
• Having a way to pass is a way to prevent users from putting bad data into form fields like "I don't know."

Need to specify how integration might work.

Some ideas:

• report when a module is started/stopped
• invite people via messages in slack instead of email
• link a question to slack easily.
  • select a channel and push a question into slack where question is displayed in slack
  • question is displayed as a sidebar in slack?
  • linking to a question from slack displays the question itself in slack

Perhaps it would make sense to lis the name of the person who started/created/owns each project?

• the YAML schema (e.g. when is help permitted in a question)
• how to write a template (for document output, question prompts, and eventually the dynamic task titles)
• how to access variables in templates ({{x}}, {{x.text}})
• how to write an impute condition (http://jinja.pocoo.org/docs/dev/templates/#expressions)

Problem

The application will crash if a module question is changed or removed, or a module is removed, when answers for previous version of module/question exist in database.

We need to be able to develop modules iteratively. It is also likely that a module could change over time.

During the development and testing stage of the app, we want the ability to rapidly evolve modules. So crashing the application is a bad thing.

Consideration

Of course, changing a module after answers to that module have been stored in the database raises a number of issues:

• Shouldn't answers be considered relatively permanent?
• Are users suppose to update answers to updated modules?
• Do we need to handle versioning of modules?

Proposed Solution

Copy current module YAML into a database table for storing instances of the module YAML in text field and permanently link the answers to the instance/version of YAML in the database instead of the module YAML on the file system.

!. Add a x.x.x version number parameter to each module's YAML
2. Have a policy of using semantic versioning for tracking extent of modification of module
3. Create a table for instances of module YAML. Fields would be module.unique_id, module.version, module.yaml, create_date.
4. When a module is started, check to see if current version of module YAML exists in YAML instance table. Link newly started task instance of that module to the YAML in the database table and always use the YAML of the module stored in the database for processing the task instances.
5. If the current version of the module YAML does not exist in the YAML instance table, create a record for that version of the module YAML and link the newly created module task to that instance.

so that questions get skipped but don't have a value.

As an author of modules, I want to be able to incorporate the name of the project (e.g., name of application) inside the questions to make the question more clear.