ATO status (for tracking purposes)

[gbinal]

Note - this issue is for convenience of team members outside of TTS, who cannot access the infrastructure. The canonical issue for this project's ATO progress is here. This issue will be updated periodically while that one will be the most up to date.

---

• Main repository: https://github.com/18f/pulse
• Site: https://pulse.cio.gov
• Product manager: @gbinal
• System Owner: @gbinal
• Infrastructure Lead: @abisker
• ATO folder: link
• Sprint notes: link

TODOs

Phase 1: ATO Sprint prerequisites

Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.

Infrastructure Lead

• [x] Set up an ATO intro meeting with the project team.
• [x] Determine the impact level - Low (Open Data)
  • [x] Confirm with @NoahKunin
• [x] Add this issue to the Backlog of the ATO Kanban board.
• [x] Assign the appropriate labels to this issue.
• [x] Set up the project ATO folder. - link
  • [x] In the ATOs folder in Google Drive, go to 18F/OPP/PIF, then Work in progress, and create a subfolder called in the format <project> ATO - <duration> <level>. Link to it as the ATO folder at the top of this issue.
  • [x] Add Rules of Engagement (RoE) template - link
    • Search this page for "Rules of Engagement (RoE) 90-Day LATO Penetration Test TEMPLATE", even if this isn't for a 90-day LATO.
  • [x] Add System Security Plan (SSP) template - link
    • For Low systems on cloud.gov, use this template
  • [x] Add Project Plan template - link
    • Search this page for "One Year LATO Project Plan Template", even if this isn't for a one-year LATO.
• [x] Make a copy of the ATO Sprinting notes template and save it in the Sprinting Team folder with a title of ATO Sprinting Team notes - <project>. - link
  • [x] Fill out the placeholders.
  • [x] Link to it as the Sprint notes at the top of this issue.

Project team

Technical

• [x] Enable protected branches for the project repositor(ies).
  • Get admin access via #admins-github, if needed.
• [x] Ensure that a staging environment is fully set up. - link
  • This should be as production-like as possible.
• [x] Set up monitoring
  • [x] Downtime alerts
  • [x] Error & performance alerts
• [x] Perform security scans, and put the results (or a link to them) in the project's ATO folder.
  • [x] Set up static analysis service
    • [x] Add service badges to the README
    • [x] Put a point-in-time PDF of the scan results in the project's ATO folder.
  • [x] Perform dynamic vulnerability scanning
    • [x] Resolve any visible security issues, re-running the scan as needed
    • [x] Add the issue-free scan report or documentation about false positives to the project's ATO folder.
• [x] If this is a new system, add a prominent Beta label to the site.
• [x] Ensure the staging environment has sufficient capacity to withstand the testing.
  • The testing tools create very heavy usage and traffic.

Documentation

...reading and writing.

• [x] Read the LATO guide. - link
  • Search this page for "Lightweight Security Authorization Process".
• [x] Create a system diagram - link
• [ ] Fill out the Rules of Engagement (RoE) - link
  • Use staging URLs, rather than production ones.
• [ ] Fill out the Project Plan - link
• [x] Add an .about.yml for the main repository - link
• [x] Update relevant documentation, primarily the README
• [x] Fill out the System Security Plan (SSP) - link
  • Work with your Infrastructure Lead on this.
  • Totally fine for this to be a rough first pass.
  • Your Infrastructure Lead will tell you if you should do this via Compliance Masonry

Phase 2: Documentation review

1. [ ] Move this issue to the Documentation review column of the ATO Kanban board. - @[infrastructure lead]
2. [ ] Schedule a documentation review session. - @[infrastructure lead]
   • One or more follow-up sessions may be necessary.
3. [ ] Fix any documentation issues identified in the session.
4. [ ] RoE signed
   • [ ] System Owner
   • [ ] GSA IT

Phase 3: ATO Sprint

1. [ ] Sprint started.
2. [ ] Polish up the System Security Plan (SSP).
3. [ ] Penetration test complete. - @[tester]
   • [ ] Enhanced Scanning and Assessment Process (ESAP) document added to ATO folder - @[tester]
4. [ ] Put all vulnerabilities from the ESAP in the project's issue tracker.
5. [ ] Fix any Critical or High vulnerabilities from the ESAP.
   • This needs to be done before the ATO can be issued, though not necessarily before the end of the sprint.

Phase 4: Post-Sprint

1. [ ] Controls tested - @[GSA IT representative]
2. [ ] Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
3. [ ] Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
4. [ ] Remove the Beta label from the site.
5. [ ] Fix all Moderate vulnerabilities - due [30 days after ATO issued]
6. [ ] Fix all Low vulnerabilities - due [60 days after ATO issued]

---

See the Before You Ship site for more information.

/cc @18F/ato

[afeld]

You can keep the checklist in just one place if you like. Having the issue in the Infrastructure repo specifically is more important for the labels and the placement in the kanban board.

[gbinal]

Sorry for the confusion, @afeld. This is just for sharing with the site owner (who is outside of TTS and doesn't have access to the infrastructure repo).

I'll update original issue to try and be more clear.

[afeld]

Makes sense! I'm saying: feel free to remove the checklist in the Infrastructure repo and just use this one.

[gbinal]

Ah. Sorry, I see what you mean.

Thank you that's kind. I'm going to keep things as is though since I'm superstitious and messing with anything at all with this ATO.