Towards a more secure (and automated) future.
The long-term goal of this project is to end up with an automated "compliance and risk-assessment" pipeline that does all the grunt work between Compliance Masonry and an Authorizing Official (AO), making the AO's "risk acceptance" sign-off for ATOs a very simple affair. In the meantime, we are working to make the steps to getting an ATO more clear, and enabling any number of people to handle the manual grunt work by following directions.
The ATO process is so frustrating that the team has seen multiple people break down over it. Hence the team's motto: "no more tears".
There are several components to the initial phase of 18F's compliance toolkit:
We'd like to offer ourselves up to support your ATO efforts. If you have a question about, or need help with, vulnerability scanning, static code analysis, or the ATO process in general, please reach out to us. Feel free to message us in #cloud-gov-highbar or tag us in an issue on GitHub with @18F/ato.
TL;DR: the project team should have everything they need to successfully tee up an ATO.
Once the project teams have everything needed to manually run through the process, we will begin automating it.
We aim to: