GSA-TTS / tts-tech-operations

TTS Technology Operations
https://handbook.tts.gsa.gov/tech-operations/

ATO for Charlie #1046

Closed. afeld closed this issue 5 months ago.

afeld commented 3 years ago

TODOs

If your system isn't live yet, "production" refers to the environment that will be production.

Phase 1: ATO Sprint prerequisites

Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.

Infrastructure Lead

Project team

Technical

These tasks apply to every repository/application/hostname/language that is directly involved in your project.

Documentation

...reading and writing.

Phase 2: Documentation review

  1. [ ] Move this issue to the Documentation review column of the ATO Kanban board. - @[infrastructure lead]
  2. [ ] Schedule a documentation review session. - @[infrastructure lead]
    • One or more follow-up sessions may be necessary.
  3. [ ] Fix any documentation issues identified in the session.
  4. [ ] RoE signed
    • [ ] System Owner
    • [ ] GSA IT
  5. [ ] Confirm you can access Archer

Phase 3: ATO Sprint

  1. [ ] Sprint started.
  2. [ ] Polish up the System Security Plan (SSP).
  3. [ ] Penetration test complete. - @[tester]
    • [ ] Enhanced Scanning and Assessment Process (ESAP) document added to ATO folder - @[tester]
  4. [ ] Put all vulnerabilities from the ESAP in the project's issue tracker.
  5. [ ] Fix any Critical or High vulnerabilities from the ESAP.
    • This needs to be done before the ATO can be issued, though not necessarily before the end of the sprint.

Phase 4: Post-Sprint

  1. [ ] Controls tested - @[GSA IT representative]
  2. [ ] Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
  3. [ ] Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
  4. [ ] Remove the Beta label from the site.
  5. [ ] Fix all Moderate vulnerabilities - due [30 days after ATO issued]
  6. [ ] Fix all Low vulnerabilities - due [60 days after ATO issued]
  7. [ ] Join the TTS Private Bug Bounty - due [60 days after ATO issued]
  8. [ ] Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critical/high report was triaged, whichever comes last

See the Before You Ship site for more information.

/cc @18F/tts-tech-portfolio

afeld commented 3 years ago

Since it's purely for integration with Slack, it may make sense to roll under that ATO.

JJediny commented 5 months ago

No longer tracking ATOs here