Quick-Start Guide

Get up and running with SPARC in minutes

1 Installation

SPARC runs on Ruby 3.4, Rails 8.1, and PostgreSQL. Choose your setup method:

Option A: Docker Compose (recommended)
# Clone the repository
git clone https://github.com/Rebel-Raiders/sparc.git
cd sparc

# Build and start all services (Rails, PostgreSQL, Redis, Sidekiq)
docker compose up --build

Docker maps PostgreSQL to port 5433 and Redis to port 6380 to avoid conflicts with local services.

Option B: Local Development
# Install dependencies
bundle install

# Create database, run migrations, and seed NIST catalogs
bin/rails db:create db:migrate db:seed

# Start the server
bin/rails server

2 Seed the Database

The default seed loads NIST SP 800-53 Rev 4 and Rev 5 control catalogs. For a full demo environment with sample documents:

# Seed with NIST catalogs only (default)
bin/rails db:seed

# Seed with full demo data (SSP, SAP, SAR, POA&M, CDEFs, Profiles, KSI validations)
SPARC_SEED_MODE=full bin/rails db:seed

# Seed only traditional RMF artifacts
SPARC_SEED_MODE=traditional bin/rails db:seed

# Seed only FedRAMP 20x artifacts (KSI validations)
SPARC_SEED_MODE=20x bin/rails db:seed

3 First Login

A default admin account is created during seeding:

Email: admin@sparc.local

Password: Sp@rc2025!Admin

You will be prompted to change this password on first login. Navigate to /login to get started.

4 Import a Control Catalog

If you ran db:seed, NIST SP 800-53 Rev 4 and Rev 5 catalogs are already loaded. To import additional catalogs:

  1. Navigate to Controls → Control Catalogs
  2. Click Import from File
  3. Upload an OSCAL catalog file (JSON, YAML, or XML format)
  4. SPARC parses all control families, controls, enhancements, and parameters automatically

SPARC supports NIST OSCAL v1.1.2 catalogs. You can also import XCCDF benchmarks (DISA STIGs) and InSpec profiles.

5 Create a Baseline Profile

  1. Navigate to Controls → Baselines / Profiles
  2. Click New Profile
  3. Select a source catalog (e.g., NIST SP 800-53 Rev 5)
  4. Choose a baseline level (LOW, MODERATE, or HIGH) or select individual controls
  5. Customize parameter values for your organization (e.g., account lockout threshold, session timeout)
  6. Publish the profile to make it available for SSP generation
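
Steps 4 and 5 both operate on OSCAL documents: a catalog import walks families, controls, enhancements and parameters, and a baseline profile selects controls from that catalog and overrides parameter values. The Ruby script below is an added example, not SPARC's own importer or profile code. It flattens a constructed OSCAL 1.1.2 catalog into a control index, then resolves a constructed profile against it by applying the profile's include-controls and set-parameters entries. The catalog and profile JSON are constructed samples (not NIST content), and the function names are this example's own; the version check mirrors the v1.1.2 support stated above.

```ruby
require "json"

# Added example, not SPARC code. Constructed, deliberately tiny OSCAL 1.1.2 catalog
# (not the NIST SP 800-53 catalog SPARC seeds).
CATALOG_JSON = <<~JSON
  { "catalog": {
      "uuid": "00000000-0000-4000-8000-000000000001",
      "metadata": { "title": "Constructed sample catalog", "oscal-version": "1.1.2" },
      "groups": [
        { "id": "ac", "title": "Access Control", "controls": [
            { "id": "ac-2", "title": "Account Management",
              "controls": [ { "id": "ac-2.1", "title": "Automated System Account Management" } ] },
            { "id": "ac-7", "title": "Unsuccessful Logon Attempts", "params": [
                { "id": "ac-7_prm_1", "label": "number of consecutive invalid logon attempts" },
                { "id": "ac-7_prm_2", "label": "time period" } ] } ] },
        { "id": "ia", "title": "Identification and Authentication", "controls": [
            { "id": "ia-2", "title": "Identification and Authentication (Organizational Users)" } ] } ] } }
JSON

# Constructed OSCAL profile: selects three controls and sets both AC-7 parameters.
PROFILE_JSON = <<~JSON
  { "profile": {
      "uuid": "00000000-0000-4000-8000-000000000002",
      "metadata": { "title": "Constructed baseline", "oscal-version": "1.1.2" },
      "imports": [ { "href": "#catalog",
                     "include-controls": [ { "with-ids": ["ac-2", "ac-7", "ia-2"] } ] } ],
      "modify": { "set-parameters": [
        { "param-id": "ac-7_prm_1", "values": ["3"] },
        { "param-id": "ac-7_prm_2", "values": ["15 minutes"] } ] } } }
JSON

SUPPORTED_OSCAL_VERSION = "1.1.2"

# Flatten a control list into `out`. OSCAL nests enhancements under their parent
# control's "controls" key, so the recursion records the parent id for each one.
def flatten_controls(controls, family, out, parent = nil)
  controls.each do |c|
    params = (c["params"] || []).to_h { |p| [p["id"], { label: p["label"], value: nil }] }
    out[c["id"]] = { title: c["title"], family: family, enhancement_of: parent, params: params }
    flatten_controls(c["controls"] || [], family, out, c["id"])
  end
  out
end

# Parse a catalog document into a flat { control_id => control } hash, refusing
# versions other than the one this importer was written against.
def load_catalog(json)
  catalog = JSON.parse(json).fetch("catalog")
  version = catalog.dig("metadata", "oscal-version")
  raise "unsupported OSCAL version #{version.inspect}" unless version == SUPPORTED_OSCAL_VERSION
  out = {}
  (catalog["groups"] || []).each { |g| flatten_controls(g["controls"] || [], g["title"], out) }
  flatten_controls(catalog["controls"] || [], nil, out) # controls may also sit outside any group
  out
end

# Resolve a profile against a flattened catalog: pick the selected ids and apply
# set-parameters. Unknown control or parameter ids fail loudly instead of being
# silently dropped, which is how a typo in a baseline would otherwise go unnoticed.
def resolve_profile(catalog, profile_json)
  profile = JSON.parse(profile_json).fetch("profile")
  ids = profile.fetch("imports").flat_map do |imp|
    (imp["include-controls"] || []).flat_map { |sel| sel["with-ids"] || [] }
  end
  unknown = ids - catalog.keys
  raise "profile selects unknown control(s): #{unknown.join(', ')}" unless unknown.empty?
  selected = ids.to_h { |id| [id, Marshal.load(Marshal.dump(catalog[id]))] } # deep copy
  param_index = selected.values.flat_map { |c| c[:params].to_a }.to_h
  (profile.dig("modify", "set-parameters") || []).each do |sp|
    param = param_index[sp["param-id"]]
    raise "set-parameters targets unknown parameter #{sp['param-id']}" unless param
    param[:value] = Array(sp["values"]).join(", ")
  end
  selected
end

if $PROGRAM_NAME == __FILE__
  resolved = resolve_profile(load_catalog(CATALOG_JSON), PROFILE_JSON)
  resolved.each do |id, c|
    set = c[:params].map { |pid, p| "#{pid}=#{p[:value] || '<unset>'}" }.join(" ")
    puts "#{id.ljust(8)} #{c[:family]} #{set}".rstrip
  end
end
```

Run it with `ruby oscal_profile_demo.rb`. Note that the enhancement ac-2.1 is indexed by the catalog walk but is not selected by the profile, since OSCAL selection is by explicit id; a real baseline lists every enhancement it wants. The deep copy in resolve_profile keeps the catalog's parameter values untouched, so one catalog can back several published profiles with different organizational values.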

6 Create a System Security Plan

SPARC supports two ways to create SSPs:

Upload from Excel

Upload an existing SSP Excel workbook. SPARC parses controls, implementation narratives, and status fields automatically via background processing.

Create from Scratch

Start a new SSP, select a baseline profile, and fill in implementation narratives per control. Use inline editing for rapid data entry.

7 Run an Assessment

  1. Navigate to Assessment → SAPs and create an Assessment Plan linked to your SSP
  2. Define assessment methods per control: examine, interview, or test
  3. Execute the assessment and record findings in a new SAR (Assessment → SARs)
  4. Upload Evidence artifacts to support your findings
  5. Track remediation items in POA&Ms with milestones and risk ratings

8 Export OSCAL Artifacts

Every document in SPARC can be exported as OSCAL-compliant JSON, YAML, or XML:

  1. Open any document (SSP, SAR, CDEF, Profile, etc.)
  2. Click the Export OSCAL dropdown
  3. Choose your format: JSON (primary), YAML, or XML
  4. SPARC validates against NIST OSCAL v1.1.2 schemas before export

Exports include full OSCAL metadata (UUID, timestamps, parties, roles) and are ready for submission to FedRAMP or integration with automated compliance pipelines.

9 API Access

Generate an API token and make your first call:

# In the Rails console (bin/rails console), generate a token
token = ApiToken.generate!(user: User.first, name: "CLI Access")
puts token.plaintext_token   # copy this value for the curl call below

# Make your first API call (replace sparc_your_token with the value printed above)
curl -H "Authorization: Bearer sparc_your_token" \
     http://localhost:3000/api/v1/ssp_documents

By default, SPARC_API_AUTH is set to local, which accepts locally generated API tokens. For production deployments with Okta or another OIDC provider, consider setting SPARC_API_AUTH=hybrid to accept both local pipeline tokens and OIDC access tokens.
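
The curl line above is fine for a first call, but a pipeline that uses the API should keep the token out of the command line and shell history, redact it in logs, and never send it as a cleartext bearer header to anything but a loopback address. The Ruby client below is an added example, not SPARC's own client or API code: it reads the token from an environment variable, builds the request for the /api/v1/ssp_documents endpoint shown above, and handles 401/403 distinctly from other failures. It assumes tokens carry the sparc_ prefix seen in the placeholder and that the endpoint returns JSON; the function names and the SPARC_API_TOKEN and SPARC_URL variables are this example's own.

```ruby
require "net/http"
require "uri"
require "json"

# Added example, not SPARC code. Assumption: SPARC API tokens start with "sparc_",
# as the quick-start's placeholder suggests.
TOKEN_PREFIX = "sparc_"
LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

# A bearer token in a cleartext request is readable by anyone on the path, so only
# allow plain HTTP when the peer is the local machine.
def transport_safe?(uri)
  uri.scheme == "https" || LOOPBACK_HOSTS.include?(uri.host)
end

# Keep just enough of the token to correlate a log line with a token record.
def redact(token)
  return "<invalid token>" unless token.is_a?(String) && token.start_with?(TOKEN_PREFIX) && token.length > 8
  "#{TOKEN_PREFIX}...#{token[-4..]}"
end

# Build the GET request with the Authorization header; refuse unsafe transports
# and obviously malformed tokens before anything leaves the process.
def build_request(uri, token)
  raise ArgumentError, "refusing to send a token over plain HTTP to #{uri.host}" unless transport_safe?(uri)
  raise ArgumentError, "token does not look like a SPARC API token" unless token.to_s.start_with?(TOKEN_PREFIX)
  req = Net::HTTP::Get.new(uri)
  req["Authorization"] = "Bearer #{token}"
  req["Accept"] = "application/json"
  req
end

# Perform the call. Returns [http_status, parsed_body_or_nil]; auth failures are
# logged with the redacted token so the log never contains the secret itself.
def fetch_ssp_documents(base_url, token)
  uri = URI.join(base_url, "/api/v1/ssp_documents")
  req = build_request(uri, token)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  status = res.code.to_i
  case status
  when 200 then [status, JSON.parse(res.body)]
  when 401, 403
    warn "token #{redact(token)} rejected by #{uri.host}: HTTP #{status}"
    [status, nil]
  else
    warn "unexpected HTTP #{status} from #{uri}"
    [status, nil]
  end
end

# Usage: SPARC_API_TOKEN=sparc_... ruby sparc_client.rb   (SPARC_URL defaults to the dev server)
if $PROGRAM_NAME == __FILE__ && ENV["SPARC_API_TOKEN"]
  status, body = fetch_ssp_documents(ENV.fetch("SPARC_URL", "http://localhost:3000"), ENV["SPARC_API_TOKEN"])
  puts(status == 200 ? JSON.pretty_generate(body) : "request failed with HTTP #{status}")
end
```

Reading the token from SPARC_API_TOKEN rather than an argument keeps it out of `ps` output and shell history; the transport check is what prevents a copied dev-server URL from leaking a production token once SPARC_URL is pointed at a real host.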

For the full API reference, see the API Documentation (requires login).

Next Steps

  • Explore the interactive control heat maps on SSP and SAR detail pages
  • Set up OIDC authentication with Okta or another provider for SSO
  • Import DISA STIGs (XCCDF) or InSpec profiles as component definitions
  • Configure FedRAMP 20x KSI tracking for continuous compliance monitoring
  • Integrate with sparc-iac for automated compliance pipeline validation

Need help? Contact us at support.sparc@risk-sentinel.info