Connect with GSA Archer team on integrations/roadmap

[JJediny]

Background information

Long term our team is responsible for TTS System's Security Plans as our Director is the AO for TTS. GSA IT SecOps uses RSA Archer for FISMA reporting, SSP and PO&AM management, etc.

Implementation steps

• [x] Get @rocheller123 Archer access
• [x] Develop a list of user stories/requirements - https://github.com/18F/tts-tech-portfolio/issues/1538

Acceptance criteria

There is documentation that answers (or at least has placeholders for) the following:

• [ ] We understand what import/export functionality (via API and/or bulk) are available
• [ ] All Tech Portfolio members are able to access Archer - https://github.com/18F/tts-tech-portfolio/issues/1524
• [ ] Documentation about expectations for how project teams (system owners) should use it
• [ ] Understanding of if (and how) POA&Ms will be managed in Archer
• [ ] Understanding of what artifacts need to be uploaded
• [ ] Understanding of how control narratives are input

[rpalmer-gsa]

Archer team is suggesting setting it up using a push method. We'd have them commit the testing results to a Github repo and our automated job would pick them up and inject them into Archer. This would make things easy for them as they wouldn't need to work with the Archer API themselves, and it would ensure consistency with automated data input etc.

[afeld]

Last I heard (can't find the notes), the plan is to focus on getting inheritance in place for on-prem systems. Inheritance for cloud-based (AWS, cloud.gov) systems will come later.

[afeld]

Let's look to split this issue up into smaller chunks, e.g. SSPs vs. POAMs vs. import/export …

[rpalmer-gsa]

Archer team is currently working on resolving some issues as a result of a failed upgrade. Do not expect to be able to act on this prior till their issue being resolved.