cisagov / cyhy-system

Cyber Hygiene system and overall documentation/issue tracking
Creative Commons Zero v1.0 Universal

Review and apply all applicable security controls from our ATO to the system #85

Open chelsgr opened 1 year ago

chelsgr commented 1 year ago

Summary

When the CyHy system was established, there were heavy time drivers which did not allow for a full review to ensure all applicable security controls were fully implemented.

Motivation and context

A review should be conducted to ensure the appropriate security controls apply, e.g. in the areas of Identity Management, Access Control, Authentication, centralized logging, etc. The system should adhere to the same controls established for the COOL meeting our Authority to Operate (ATO) requirements. These requirements are defined in DHS 4300A and NIST 800-53.

There was also interest in supporting contextual information to justify a shared (COOL/CyHy) ATO and detail regarding shared controls applicable to CyHy. More specifically, that administrative access controls for the CyHy system match the ATO requirements previously established for the COOL. The recommendation provided was for users requiring access to the data to coordinate with enterprise service providers for authentication via their solutions.

Acceptance criteria

chelsgr commented 1 year ago

This ticket is intended to track a subset of work for the ATO renewal, tracked in: https://github.com/cisagov/cool-system-internal/issues/129