Add section on Rule of Engagement (ROE) process and differences between for each of the ATO processes

[JJediny]

Add section on the Penetration Testing Rules of Engagement (ROE) and document the different content requirements for:

• 90 Day LATO
• 1/3 Year LATO
• FEDRAMP

As much of the information in the ROE is redundant with content within the System Security Plan cover what information is unique to the ROE that is not otherwise available and that if redundant - for whats reasons would it be appropriate to copy over because it would add value/context/perspective:

Examples of what should/could be referenced from other documentation:

• [ ] Inventories
  • [ ] Ports
  • [ ] Networks
  • [ ] Software
  • [ ] URLs
• [ ] Architecture
• [ ] Users

Examples of what is additional or unique for ROE:

• [ ] Business Cases - what would affect/jeopardize core services/mission
• [ ] Public/Internal User use patterns on the site
• [ ] Unique Integrity/Defacement Issues
• [ ] Specific paths to APIs or URLs that trigger calls to a data/document store based on the URLs construction
• [ ] Test cases for user authorization - places where internal user permissions should be tested, can a user view/change someone else's profile/project. Places where form fields have significant input validation needs.
• [ ] How to enhance/compliment external testing like Compliance-Toolkit, Static Code analysis findings

[afeld]

Part of #303.

[afeld]

Maybe something we can cover via https://github.com/18F/tts-tech-portfolio/issues/797.