cloud-gov / product

Program-level artifacts, workflow and issues for cloud.gov
Creative Commons Zero v1.0 Universal
31 stars 15 forks source link

Deliver February 2024 ConMon results by 3/1 #2917

Closed Chiakao closed 8 months ago

Chiakao commented 9 months ago

In order for us to update the JAB on our compliance in a consistent way, we need to deliver a Continuous Monitoring report monthly (our standard due date is the 2nd of the month. If these dates fall on a weekend or federal holiday, adjust to the last business day before the date.)

For context, see our Continuous Monitoring Strategy, including the monthly reporting summary explanation.

We need to process our scan results and prepare documentation for any updated or new items, including updating the vulnerability tracker and POA&M. (Vulnerabilities that are patched within RA-05/SI-02 deadlines are not reported on the POA&M sheet).

Workstation Processing

First time setup

I keep all the conmon materials locally in ~/Documents/ConMon, and have a symlink to the few scripts that I use for parsing the conmon materials, as follows:

Monthly processing

Be sure to:

Google Drive processing

Process the Nessus and Zap _work.txt and CSV file

Manage the POA&Ms, Inventory, and ConMon Summary

Be sure you've done all the following

Depending on scan results, we sometimes also have to do these tasks:

Upload to the FedRAMP repository

Acceptance criteria

There! You've completed KHAN!-mon

Kirk's KHAN

wz-gsa commented 9 months ago

Screenshot 2024-02-29 at 11 35 46 AM

wz-gsa commented 9 months ago

Screenshot 2024-02-29 at 11 36 57 AM

Chiakao commented 8 months ago

ConMon uploaded to Max.gov on 3/1