Closed reedloden closed 5 years ago
A GSA LISaaS 1-year ATO is required to begin use of the product, and should be completed expeditiously upon award. Within 1 year of contract date, a FedRAMP Tailored or Low authorization is required in order to continue using the product. GSA would authorize the system at a Low impact level as per FIPS PUB 199. Though the system stores security vulnerability information, researchers are not given credentialed access, and so all vulnerabilities are publicly discoverable. TTS considers these reports already publicly known or knowable, and quickly resolves any significant vulnerabilities.
Question/Comment on TTS Bug Bounty RFQ
Name and affiliation
Reed Loden, Director of Security, HackerOne, Inc.
Section of RFQ documents
Addendum - Commercial Contract Clauses, section "Low Impact Software as a Service (LiSaaS) – IT Security and Privacy Requirements": https://github.com/18F/tts-buy-bug-bounty/blob/c0f3f6f4ad32be445694b45933621fb78da13c9f/2018-procurement/Addendum%20-%20Commercial%20Contract%20Clauses.md#low-impact-software-as-a-service-lisaas--it-security-and-privacy-requirements
Question/Comment
Even though security vulnerability data is in scope, only FedRAMP Tailored LI-SaaS or FedRAMP Low is required in order to meet the FedRAMP compliance requirement (within 1 year after the contract date), correct? Just want to make sure we understand the impact level required for this project, as per FIPS PUB 199.