Chart path forward for OpenForest ATO updates

[ctro]

Background OpenForest will need to connect to other systems, and maybe other changes that will affect the ATO. How hard will it be to update our ATO?

Acceptance criteria

• [x] Come to consensus and document decisions around process for OpenForest ATO updates as this work continues.

Tasks

• [x] Meet with OpenForest Security team
  • How would they like to approach updates? All at once? Iteratively?
  • We are thinking about things like API connections to FPFS, storing new info in the database.
• [ ] Validate assumption: SORN is not a Security Team concern.

Definition of done

• [ ] Meets Acceptance Criteria

[ctro]

jonathan.lerner@usda.gov is the security contact to reach out to.

[ctro]

Shadat and Matt work closely with Jonathan. I haven't been able to speak with Jonathan yet, but Shadat and Matt relay the following good news:

Yes, it will be continuous as long as we use the same platform, operations model and controls. If we are following same rules on the same set of tools/process then we should be good. Matt and I will work with Cyber for the SSP controls/boundary etc. along with our ISSO lead Jon Lerner.

The ability to continuously work on the ATO while new development on OpenForest happens will ensure that we stay compliant with security requirements and will prevent us from working very far in any non-compliant direction. It also prevents us from doing security in one big bang -- spending a lot of time (I've seen months, years) at the end of our development phase working only on security requirements.