GSA / smartpay-training

Prototype for new GSA SmartPay training quizzes

Change Control Tracking #221

Open JessicaMarine1 opened 1 year ago

JessicaMarine1 commented 1 year ago

The purpose of this story is to determine how to track changes to the system's code in order to comply with the ATO.

Talk with the developers about possible approaches to satisfy this requirement.

Talk with Security (Tri & Arpan) about what change control looks like moving forward.

Also, this should be tracked on the program and 889 sites, as well.

johnbeallgsa commented 11 months ago

@johnbeallgsa We plan to address all the controls that are partially implemented and not implemented via separate user stories for each control in the SSPP.

Tri will receive an email before planning (on the Thursday before) about each user story we plan to groom for the next sprint. He will verify whether or not the stories impact security in any way. Once vetted by Tri, a security label will be added to the story indicating that work on the story may proceed.

Also, a monthly meeting with Tri/Enechi has been set up to review security questions/concerns.

JennaySDavis commented 4 months ago

Closing ticket. The above-stated process and other controls are in place to prevent development that would impact system security. Approved by @johnbeallgsa