Open td-variq opened 6 years ago
The primary hardening activity has been around ensuring that out of date dependencies are not included in builds via our continuous integration to snyk.io as well as making sure any positive responses to reports found in OWASP Zap scans are addressed prior to delivery as per the security requirements in our QASP. Additional hardening activities are briefly addressed in our appendix: https://github.com/18F/its70-fs-epermit-scale-up/blob/master/solicitation-documents/Draft-RFP.md#appendix, but are centrally focused on preparing the system for an authority to operate, while the application is hosted on cloud.gov.
Hardening activities will pertain to any code included within the two mentioned repositories and new code additions.
Question/Comment on the Forest Service RFP
Name and affiliation: Thomas Delrue, Lead Software Architect, VariQ Corporation
Section of RFP documents: Epics
Question/Comment:
The SOW talks about hardening the system. VariQ possesses a dedicated cyber-security division with extensive expertise in this field including expertise in how it pertains to projects for the United States Government. Has the current system undergone any hardening at this point and, if so, what is the state or are the results thereof? In other words: does the hardening that is part of the SOW apply mostly or entirely to the newly contributed code because the existing code has undergone one or more rounds of hardening, or has the current system not undergone any hardening at all and therefore could benefit immensely from the vast experience VariQ will bring to this field?