Include CSAs on weekly CyHy reports and daily notifications for entities in their regions

[jeffkause]

💡 Summary

CISA Cyber Security Advisors (CSAs) should be copied (BCC'd) on the weekly CyHy reports and daily notifications for all entities in the CSA's region.

Motivation and context

The CSAs would like to be more informed about the stakeholders in their region. This automated process will reduce weekly requests from the CSAs for these reports.

Implementation notes

• Add regional email addresses to BCC: line.

• The regional email addresses should be treated as sensitive information and should NOT be displayed in publicly-available code.

• The list of regions and emails will be supplied to the DEV team through GWE.  

  Acceptance criteria

• [x] CISA regional CSAs receive the weekly CyHy vulnerability reports for every entity in their region by BCC.

• [x] CISA regional CSAs receive any daily CyHy notification emails for every entity in their region by BCC.

• [x] Regional email addresses are not present in the publicly-viewable code.

[dav3r]

This process will probably send the ad-hoc reports to the CSAs as well.

@jeffkause We need more than a "probably" here. Should the daily alert notification emails (which is I think what you mean by "ad-hoc reports") be sent to the CSAs or not?

[jeffkause]

Do we have the ability to only send the weekly reports and not the alert notification emails?

[jeffkause]

Please include the alert notification emails in this request.

[dav3r]

@jeffkause Can you please update the PR description above as well so that it clearly states that the CSAs should receive both the weekly reports and any daily notifications for any entities within their region?

[jeffkause]

I did update the description.

[dav3r]

@jeffkause Please take a look at the edits I made in the issue description and let me know if I stated anything incorrectly.

I wanted to distinguish between "stakeholders" and "entities" since there are many entities in CyHy that receive reports/notifications, but they are not considered to be "stakeholders" in the CyHy database (for example, child organizations may receive reports/notifications, but are not considered to be stakeholders).

[jeffkause]

@dav3r I agree with the changes.

[dav3r]

Is this work still desired? If so, we will need to be provided with the email addresses for each region, either here (if it's fine for them to be public) or via a side channel (if not). If you don't want the emails to be made public (i.e. in the cyhy-mailer code), that should be mentioned as a requirement in the issue description above.

[jeffkause]

The higher ups are still debating the email part of this ask.

---

From: dav3r @.> Sent: Wednesday, March 20, 2024 10:11 AM To: cisagov/cyhy-system @.> Cc: Kause, Jeffrey (CTR) @.>; Mention @.> Subject: Re: [cisagov/cyhy-system] Include CSAs on weekly CyHy reports and daily notifications for entities in their regions (Issue #114)

CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize and/or trust the sender. Contact your component SOC with questions or concerns.

Is this work still desired? If so, we will need to be provided with the email addresses for each region, either here (if it's fine for them to be public) or via a side channel (if not). If you don't want the emails to be made public (i.e. in the cyhy-mailer code), that should be mentioned as a requirement in the issue description above.

— Reply to this email directly, view it on GitHubhttps://urldefense.us/v3/__https://github.com/cisagov/cyhy-system/issues/114*issuecomment-2009668730__;Iw!!BClRuOV5cvtbuNI!BmWfuJGK2QTOgHgZ1G3J6yrRpn030L2Z85bnwbFvPf91GEzSO4iCwR7hHdNfT605GbdBkGkHnjy7P6DCE028iOi0gs0u321n0URZZLBE-Q$, or unsubscribehttps://urldefense.us/v3/__https://github.com/notifications/unsubscribe-auth/A5QHFMVWTZ4USIRYNOM67SDYZGKJDAVCNFSM6AAAAABEFO6CBWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBZGY3DQNZTGA__;!!BClRuOV5cvtbuNI!BmWfuJGK2QTOgHgZ1G3J6yrRpn030L2Z85bnwbFvPf91GEzSO4iCwR7hHdNfT605GbdBkGkHnjy7P6DCE028iOi0gs0u321n0UQNH_kpDA$. You are receiving this because you were mentioned.Message ID: @.***>

[velcrow12]

Is this work still desired? If so, we will need to be provided with the email addresses for each region, either here (if it's fine for them to be public) or via a side channel (if not). If you don't want the emails to be made public (i.e. in the cyhy-mailer code), that should be mentioned as a requirement in the issue description above.

@dav3r Yes still desired. Let us know if you need anything from us.

[dav3r]

@velcrow12 I think all we need to know is the email addresses that you want to use for each region and whether or not it's ok for those emails to be public (i.e. displayed in the code that we publish). Once we have that, we can work on getting this done.

[dav3r]

@jeffkause informed me via chat that you do not want the CSA email addresses to be public and he provided me with the list of email addresses to use for each region. I edited the issue description above to reflect this.

[jsf9k]

@jeffkause - Am I correct that this change should not apply to the BOD (PSHTT and Trustymail) reports?

[jeffkause]

That is correct. Just the weekly CyHy reports and ad-hoc notifications.