[ ] In the `ATOs` folder in Google Drive, go to `18F/OPP/PIF`, then `Work in progress`, and create a subfolder named in the format `<project> ATO - <duration> <level>`. Link to it as the `ATO folder` at the top of this issue.
[ ] Add the Rules of Engagement (RoE) template
    Search this page for "Rules of Engagement (RoE) 90-Day LATO Penetration Test TEMPLATE", even if this isn't for a 90-day LATO.
[ ] Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critical/high report was triaged, whichever comes last
TODOs
If your system isn't live yet, "production" refers to the environment that will be production.
Phase 1: ATO Sprint prerequisites
Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.
Infrastructure Lead

[ ] ... `Backlog` of the ATO Kanban board.
[ ] ... `ATO Sprinting Team notes - <project>`. ... `Sprint notes` at the top of this issue.

Project team

Technical

These tasks apply to every repository/application/hostname/language that is directly involved in your project.

[ ] ... `ATO folder`.
[ ] ... `ATO folder`.
[ ] ... `Beta` label to the site.

Documentation

[ ] ...reading and writing.

Phase 2: Documentation review

[ ] ... `Documentation review` column of the ATO Kanban board. - @[infrastructure lead]

Phase 3: ATO Sprint

[ ] ... `Critical` or `High` vulnerabilities from the ESAP.

Phase 4: Post-Sprint

[ ] ... `Beta` label from the site.
[ ] ... `Moderate` vulnerabilities - due [30 days after ATO issued]
[ ] ... `Low` vulnerabilities - due [60 days after ATO issued]

See the Before You Ship site for more information.
/cc @18F/tts-tech-portfolio