Update SSB's SSP to cover recent changes

[mogul]

User Story

In order to satisfy assessment and authorization needs, data.gov's GSA ISSM wants the SSB SSP to accurately reflect recent changes to the EKS broker.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

• [ ] GIVEN I look at the most recent version of the SSB SSPP \ WHEN I look for any changes that we have implemented recently \ THEN I find that they are all covered in the SSPP
• [ ] WHEN I look at the most recent version of the data.gov SSPP \ THEN I find that our implementation of cg-egress-proxy is documented in SC-7 AND our system diagrams in section 10 includes cg-egress-proxy and the public_egress spaces \ AND our diagram and description of the backup-manager data flow is accurate.

Background

For reference, this is the companion data.gov SSPP

Security Considerations (required)

This documentation update is required by the NIST RMF process. It's done as a separate, individually-tracked effort because we don't yet have a way to do this continuously as part of our technical implementation.

Sketch

New "SSPP" form document

Known-needed topics:

• Removal of Fargate, inclusion of Managed Node Groups
  • Anything narrative/control that relied on Fargate describes the equivalent control for MNGs
  • Addition of AWS Inspector, and description of EC2 and ECR scanning
  • Use of GSA-provided AMIs that are CIS-hardened
• Addition of persistent volumes
• Switching from ALB to NLB for load-balancer
• Egress control for EKS workloads
• Egress control for cloud.gov workloads

[hkdctol]

@albionzeglin-gsa this ticket has the links to google docs of the SSPPs

[hkdctol]

I have reviewed the front sections of the Data.gov SSPP at https://docs.google.com/document/d/11le1yfXjGlk6pOpXryVH4TSJNsSBgp9X/edit?usp=sharing&ouid=113511966954817069922&rtpof=true&sd=true there are only very minimal changes on this one, so just need someone to look at the few places where I commented to either confirm no changes needed or make the applicable updates re references to Solr. I will take a first pass at the SSB SSPP as well.

[hkdctol]

Took a pass at SSB SSPP. Changes needed in front section are minimal. https://docs.google.com/document/d/1SzqVjIDowxtfjWljXDUM8xzO8zzoQPq1/edit?usp=sharing&ouid=113511966954817069922&rtpof=true&sd=true

[jbrown-xentity]

@hkdctol reviewed both docs, and all comments are addressed. Please let me know if you have anything additional.

[hkdctol]

@albionzeglin-gsa I think what you could do now is given that the problems/remaining issues are described in https://docs.google.com/document/d/1_2GroL3kkzgWePPcNhzRD6SFDc-5Kt0ic8DiZln_TAs/edit?usp=sharing you can start to look at the control sections of SSB SSPP and Data.gov SSPP and start commenting on which sections may need an update once we've finally settled on Solr questions.

[hkdctol]

@albionzeglin-gsa as you're looking at the control sections, can you confirm that the docs are following the current template and if there are any format/template/numbering changes, go ahead and start making those?

[hkdctol]

Reviewed again in light of Solr leader-follower, there are 1-2 changes only in the SSB document (front sections not controls)

[hkdctol]

just making one more change to diagram, before migration

[mogul]

Here's the PR to update the diagram... Once this is approved/merged, I'll copypasta into the Google Doc. https://github.com/GSA/datagov-compliance/pull/32

[hkdctol]

Since we have handled the front section of the SSPP's, will mark this one as done and create a new ticket for the continuing work on controls.

[hkdctol]

This was completed