LATO for 10x Privacy Dashboard - due 02/01/2021

[ondrae]

This checklist is deprecated - work is being tracked now in Smartsheets

• Main repository: https://github.com/18f/all_sorns
• Site: https://all-sorns.app.cloud.gov/search
• Product manager: @peterrowland
• System Owner: @ondrae
• Infrastructure Lead: @[username]
• ATO folder: https://drive.google.com/drive/folders/1CT5xB4rGdd-Kn_oU3nNz9GtjE0sYHxAA?usp=sharing
• Sprint notes: [url]

TODOs

If your system isn't live yet, "production" refers to the environment that will be production.

Phase 1: ATO Sprint prerequisites

Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.

Infrastructure Lead

• [x] Set up an ATO intro meeting with the project team.
• [ ] Determine the impact level.
  • [ ] Confirm with @[Authorizing Official]
• [ ] Add this issue to the Backlog of the ATO Kanban board.
• [ ] Assign the appropriate labels to this issue.
• [ ] Set up the project ATO folder.
  • [ ] In the ATOs folder in Google Drive, go to 18F/OPP/PIF, then Work in progress, and create a subfolder called in the format <project> ATO - <duration> <level>. Link to it as the ATO folder at the top of this issue.
  • [ ] Add Rules of Engagement (RoE) template
  • Search this page for "Rules of Engagement (RoE) 90-Day LATO Penetration Test TEMPLATE", even if this isn't for a 90-day LATO.
  • System/network diagram tips
  • [ ] Add System Security Plan (SSP) template
  • For Low systems on cloud.gov, use this template
  • For a 90-day ATO, delete Section 13.
• [ ] Make a copy of the ATO Sprinting notes template and save it in the Sprinting Team folder with a title of ATO Sprinting Team notes - <project>.
  • [ ] Fill out the placeholders.
  • [ ] Link to it as the Sprint notes at the top of this issue.

Project team

Technical

These tasks apply to every repository/application/hostname/language that is directly involved in your project.

• [x] Enable protected branches for the project repository.
  • Get help via #admins-github, if needed.
• [ ] Ensure that your production environment is fully set up, and matches what's described in your ATO materials.
• [ ] Set up monitoring
  • [ ] Downtime alerts
  • [ ] Error & performance alerts
  • [x] DAP
• [ ] Log required events
• [ ] Perform security scans, and put the results (or a link to them) in the project's ATO folder.
  • [x] Set up dependency analysis service
  • [x] Add service badge to your README
  • [ ] Put a point-in-time PDF of the scan results in the project's ATO folder.
  • [x] Set up static code analysis
  • [x] If using a service, add the badge to your README.
  • [ ] Perform dynamic vulnerability scanning
  • [ ] Resolve any visible security issues, re-running the scan as needed
  • [ ] Add the issue-free scan report or documentation about false positives to the project's ATO folder.
• [x] If this is a new system, add a prominent Beta label to the site.
• [ ] Ensure the production environment has sufficient capacity to withstand the testing.
  • The testing tools create very heavy usage and traffic.

Documentation

...reading and writing.

• [x] Read the Overview and the ATO section (including sub-pages) of Before You Ship.
• [x] Read the LATO guide.
  • Search this page for "Lightweight Security Authorization Guide".
• [ ] Request a privacy threshold analysis (PTA)
• [ ] Fill out the Rules of Engagement (RoE)
  • Network diagram tips
• [ ] Update relevant documentation, primarily the README.
• [ ] Fill out the System Security Plan (SSP).

Phase 2: Documentation review

1. [ ] Move this issue to the Documentation review column of the ATO Kanban board. - @[infrastructure lead]
2. [ ] Schedule a documentation review session. - @[infrastructure lead]
   • One or more follow-up sessions may be necessary.
3. [ ] Fix any documentation issues identified in the session.
4. [ ] RoE signed
   • [ ] System Owner
   • [ ] GSA IT
5. [ ] Confirm you can access Archer

Phase 3: ATO Sprint

1. [ ] Sprint started.
2. [ ] Polish up the System Security Plan (SSP).
3. [ ] Penetration test complete. - @[tester]
   • [ ] Enhanced Scanning and Assessment Process (ESAP) document added to ATO folder - @[tester]
4. [ ] Put all vulnerabilities from the ESAP in the project's issue tracker.
5. [ ] Fix any Critical or High vulnerabilities from the ESAP.
   • This needs to be done before the ATO can be issued, though not necessarily before the end of the sprint.

Phase 4: Post-Sprint

1. [ ] Controls tested - @[GSA IT representative]
2. [ ] Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
3. [ ] Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
4. [ ] Remove the Beta label from the site.
5. [ ] Fix all Moderate vulnerabilities - due [30 days after ATO issued]
6. [ ] Fix all Low vulnerabilities - due [60 days after ATO issued]
7. [ ] Join the TTS Private Bug Bounty - due [60 days after ATO issued]
8. [ ] Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critcal/high report was triaged, whichever comes last

---

See the Before You Ship site for more information.

/cc @18F/tts-tech-portfolio

[afeld]

Meeting notes