GSA-TTS / tts-tech-operations

TTS Technology Operations
https://handbook.tts.gsa.gov/tech-operations/
Other
6 stars 0 forks source link

ATO for GSA TTS Pages - due 3/28 #1663

Closed JJediny closed 5 months ago

JJediny commented 8 months ago

TODOs

If your system isn't live yet, "production" refers to the environment that will be production.

Phase 0: As early in the project as possible

Project team

ISSO

Phase 1: Assessment prerequisites

Everything in this section needs to be completed before the project will be scheduled for an assessment.

Tech Portfolio Lead

Project team

Technical

These tasks apply to every repository/application/hostname/language that is directly involved in your project.

Documentation

...reading and writing.

ISSO

Phase 2: Architecture review

ISSO

  1. [ ] Submit sections 1-12 of SSP for Architecture Review
  2. [ ] Submit section 13 to ISSM for acceptance and movement forward for assessment if no issues remain
  3. [ ] Schedule a documentation review session.
    • One or more follow-up sessions may be necessary.

Program team

  1. [ ] Fix any documentation issues identified in the session.
  2. [ ] RoE signed
    • [ ] System Owner
    • [ ] GSA IT
  3. [ ] Confirm you can access Archer

Phase 3: Environment finalization

Project team

ISSO+SecOps

Phase 4: Penetration testing

The following penetration tests will be performed:

Project team

Testers

ISSO

Phase 5: Assessment

Needs to start within 30 days of penetration test.

Assessors

  1. [ ] Assessment kickoff meeting
  2. [ ] Complete Security Assessment Plan (SAP)
  3. [ ] Complete Security Assessment Report (SAR)

Project team

Phase 6: Post-assessment

  1. [ ] Controls tested - @[GSA IT representative]
  2. [ ] Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
  3. [ ] Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
  4. [ ] Remove the Beta label from the site.
  5. [ ] Fix all Moderate vulnerabilities - due [30 days after ATO issued]
  6. [ ] Fix all Low vulnerabilities - due [60 days after ATO issued]
  7. [ ] Join the TTS Private Bug Bounty - due [60 days after ATO issued]
  8. [ ] Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critcal/high report was triaged, whichever comes last
  9. [ ] ATO letter signed
  10. [ ] Cert letter signed
  11. [ ] Launch
JJediny commented 5 months ago

https://handbook.tts.gsa.gov/gsa-pages