Closed by brittag 8 years ago
Noting that we currently have this partially documented at https://docs.cloud.gov/ops/procedures/ - it should be in the 18F-wide policy for better centralization and maintenance.
We now have a clearly-documented, plain-language, and easy-to-find explanation of what we (as 18F) don't publish: https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information
In order for our cloud.gov team to clearly understand our expectations for what we publish (and support our compliance documentation work in an organized and logical way), our 18F open source policy practices should explain 18F's "step 0" before we publish things - that we don't publish things like passwords/secrets.
I'm currently working on this here: https://docs.google.com/document/d/1BPj1S2iQJOzvBVKpztgAaAc-4piJTyhxatbNeWBh_W8/edit#
This requires coordinating with #wg-opensource, #wg-cybersec, and other people at 18F who care about our open source policy.
Acceptance criteria: