18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

FedRAMP impact level #17

Status: Closed (closed by reedloden 5 years ago)

reedloden commented 5 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Reed Loden, Director of Security, HackerOne, Inc.

Section of RFQ documents

Addendum - Commercial Contract Clauses Low Impact Software as a Service (LiSaaS) – IT Security and Privacy Requirements https://github.com/18F/tts-buy-bug-bounty/blob/c0f3f6f4ad32be445694b45933621fb78da13c9f/2018-procurement/Addendum%20-%20Commercial%20Contract%20Clauses.md#low-impact-software-as-a-service-lisaas--it-security-and-privacy-requirements

Question/Comment

Even though security vulnerability data is in-scope, only FedRAMP Tailored LI-SaaS or FedRAMP Low is required in order to meet the FedRAMP compliance requirement (within 1-year after contract date), correct? Just want to make sure we understand the impact level required for this project, as per FIPS PUB 199.

MichelleMcNellis commented 5 years ago

A GSA LISaaS 1-year ATO is required to begin use of the product, and should be completed expeditiously upon award. Within 1 year of contract date, a FedRAMP Tailored or Low authorization is required in order to continue using the product. GSA would authorize the system at a Low impact level as per FIPS PUB 199. Though the system stores security vulnerability information, researchers are not given credentialed access, and so all vulnerabilities are publicly discoverable. TTS considers these reports already publicly known or knowable, and quickly resolves any significant vulnerabilities.