Sync with Platform Security team on final Platform website PSIRR changes

[briandeconinck]

User Story

As a VFS team member, I want to know the current details of the Privacy, Security, Infrastructure Readiness Review so that I can be sure my team is prepared for it.

Assignee: Peer Reviewer:

Description

This issue consists of the remaining items from #56317 that required input from Platform Security --- specific guidance on requirements and procedures for changes to the Privacy, Security, and Infrastructure Readiness Review touchpoint.

Impacted Artifacts

• Privacy, security, and infrastructure readiness review (draft)

Tasks

• [x] Update Format per Platform Security feedback
  • Shira's note: Ideally it'll be 2 parts. One asynchronous review of the VFS teams submitted ticket in the Define phase, and then 1 synchronous meeting prior to the VFS team preparing for launch. However this should be confirmed/validated with Platform Security.
• [ ] Update Artifacts per Platform Security feedback
• [ ] Update Outcome per Platform Security feedback
• [ ] The link to the PSIRR Github ticket may change. Request updated link from Platform Security.
  • Note: the link may need to be updated at a later date. If so, leave comment within draft page.

Peer Review

To be completed by peer reviewer

• [ ] User story and acceptance criteria are met

Acceptance Criteria

• [ ] Platform Website is updated to reflect the new PSIRR process

How to prepare this issue

Refinement

• [x] Ticket has user story, description, tasks, and acceptance criteria
• [x] Ticket has additional appropriate labels, if applicable
• [x] Ticket has been sized
• [ ] Once all above items are checked, add the 'Ready' label.

  Planning

  If this ticket is picked up from the Backlog mid-sprint, connect with Shira to ensure the below items are completed correctly

• [ ] Ticket has been discussed as a team at Planning
• [x] Ticket has been assigned to appropriate initiative or quarterly epic
• [ ] Ticket has been assigned to a Sprint
• [ ] Ticket has been moved to the Planned pipeline in the Governance team board
• [ ] Ticket as an assignee and peer reviewer

[shiragoodman]

@jhouse-solvd @little-oddball FYSA

[jhouse-solvd]

@shiragoodman and I had a sync on what's next. The Platform Security team will review and respond to feedback from @briandeconinck on this page and aim to help action this ticket in one or two upcoming sprints.

[shiragoodman]

Platform Security is tracking this work through this ticket: https://github.com/department-of-veterans-affairs/platform-security/issues/294

[humancompanion-usds]

Discussed with @raywangoctova - This work is deprioritized until we get to 90% ATO compliance. Target is ~4 weeks. Thus this will go on the backlog until then. We can revisit then.

[shiragoodman]

@jhouse-solvd @raywangoctova checking in on this as it's been 1 month. Please let me know where we stand.

cc @humancompanion-usds

[kell-y]

Draft page here: https://vfs.atlassian.net/wiki/spaces/PSEC/pages/3101949968/Privacy+security+infrastructure+readiness+review+-+For+Review

Proposed solution for PSIRRs:

• We will shift the initial PSIRR touchpoint to a time earlier in the Collab Cycle process. Ideally, we would like the initial touchpoint to occur around the same time as the Design Intent.
• Note: Teams may not have all the information for Platform Security at the time of the first touchpoint if we move it to the earlier time in the Collab Cycle. That is OKAY and even expected. However, we do think that teams will have enough information at this point that we will be able to get a good grasp on the product and we will be able to help guide teams on decisions that may impact privacy and security.
• We will keep the second Platform Security touchpoint in the Collab Cycle at the same time it occurs now, right before Staging Review. Ideally, teams will have given us enough information at the time of the first touchpoint that this will be a check-in to confirm that plans have not changed and that everything still looks good from a privacy and security perspective.
• Platform Security will sign-off on the PSIRR ticket. This can occur any time between the first touchpoint and the second touchpoint.
• If Platform Security signs off on the product before the second touchpoint, the second touchpoint will not need to occur.
• We would like this to become a launch blocking item to help ensure that teams are completing the PSIRR.
• Our POs have advised that we do not need to involve them for minor or routine PSIRRs, but they would like to be informed of any significant changes or issues.
• We will create a 90-day roll-out plan so that we can announce the change to VFS teams developing on the platform.
• We believe that the current team can handle the increased workload that this change will create. If the team’s capacity seems at risk, we will revisit this change with Platform leadership.

[shiragoodman]

sounds good @kell-y - thank you for sharing! cc @humancompanion-usds

The only clarification I'd like to make (which I believe we agreed to when we met via Zoom last week) is that by "1st touchpoint" and "2nd touchpoint", you really only mean 1 touchpoint with 2 check-ins or sections. We would update the flow on this page to indicate 1 Privacy Security Infrastructure Readiness Review under the Define column, below Design Intent. The instance under Build would be removed. The reason for this is because we're cautious/concerned that adding an additional touchpoint to the Collaboration Cycle would be perceived as burdensome or overbearing, potentially causing VFS teams to lose trust and willingness to participate in the process.

In support of this effort, Governance team will make modifications to the Staging Review process to not only advocate and direct VFS teams to the PSIRR, but also block teams from scheduling Staging Review if teams have failed to complete either PSIRR check-in. We still need to define the specifics, but I will begin discussions with my team and share our ideas with you.

If you'd like to discuss in more detail, please let me know! Otherwise, the plan sounds great and Governance team is on board.

[kell-y]

Yes, I agree with the language about 1 touchpoint with 2 check-ins! Thanks for clarifying.