Closed JJediny closed 5 months ago
https://handbook.tts.gsa.gov/gsa-pages
TODOs
If your system isn't live yet, "production" refers to the environment that will be production.
Phase 0: As early in the project as possible
Project team
ISSO
Phase 1: Assessment prerequisites
Everything in this section needs to be completed before the project will be scheduled for an assessment.
Tech Portfolio Lead
Project team
Technical
These tasks apply to every repository/application/hostname/language that is directly involved in your project.
ATO folder.
ATO folder.
Beta label to the site.
Documentation
...reading and writing.
ISSO
Phase 2: Architecture review
ISSO
Program team
Phase 3: Environment finalization
Project team
ISSO+SecOps
Phase 4: Penetration testing
The following penetration tests will be performed:
Project team
Critical or High vulnerabilities.
Testers
ISSO
Phase 5: Assessment
Needs to start within 30 days of penetration test.
Assessors
Project team
Phase 6: Post-assessment
Beta label from the site.
Moderate vulnerabilities - due [30 days after ATO issued]
Low vulnerabilities - due [60 days after ATO issued]