ATO for ISDC - due Oct-ish

[its-a-lisa-at-work]

• Main repository: None, not a custom developed system
• Site: currently unknown
• Product manager: @jcastle-zz
• System Owner: @jcastle-zz @its-a-lisa-at-work
• ISSO: @
• ISSM: @rpalmer-gsa
• ATO folder: https://drive.google.com/drive/folders/1I0ew_rvUBHoazOd7owFuIJD-mY0-gj5d?usp=sharing

TODOs

If your system isn't live yet, "production" refers to the environment that will be production.

Phase 0: As early in the project as possible

Project team

• Request ISSO
• Assign the appropriate labels to this issue.
• Read the following:
  • Guidelines for GSA's Digital Presence
  • Hello, production
  • The Engineering Practices Guide, particularly:
    • Languages & Runtimes
  • Before You Ship, particularly:
    • Infrastructure
    • Lifecycle of a Launch
  • The API Standards, if you plan to have an API
• Determine the impact level (FIPS-199 categorization).
  • Confirm with @[Authorizing Official]

ISSO

• Provide SSP template
• Lay out long-term ATO path
• Ensure that common technical controls are part of the architecture
  • Code scanning
  • Dependency scanning
  • Input validation
  • Platform selection

Phase 1: Assessment prerequisites

Everything in this section needs to be completed before the project will be scheduled for an assessment.

Tech Portfolio Lead

• Set up an ATO intro meeting with the project team.
• Set up the project ATO folder.

Project team

Technical

These tasks apply to every repository/application/hostname/language that is directly involved in your project.

• Enable protected branches for the project repository.
  • Get help via #admins-github, if needed.
• Ensure that your production environment is fully set up, and matches what's described in your ATO materials.
• Set up monitoring
  • Downtime alerts
  • Error & performance alerts
  • DAP
• Log required events
• Perform security scans, and put the results (or a link to them) in the project's ATO folder.
  • Set up dependency analysis service
    • Add service badge to your README
    • Put a point-in-time PDF of the scan results in the project's ATO folder.
  • Set up static code analysis
    • If using a service, add the badge to your README.
  • Perform dynamic vulnerability scanning
    • Resolve any visible security issues, re-running the scan as needed
    • Add the issue-free scan report or documentation about false positives to the project's ATO folder.
• If this is a new system, add a prominent Beta label to the site.
• Ensure the production environment has sufficient capacity to withstand the testing.
  • The testing tools create very heavy usage and traffic.
• Architecture finalized

Documentation

...reading and writing.

• Read the Overview and the ATO section (including sub-pages) of Before You Ship.
• Read the LATO guide.
  • Search this page for "Lightweight Security Authorization Guide".
• Read the Checklist of Requirements for Federal Websites and Digital Services
• Read the Guidelines for GSA's Digital Presence
• Request a privacy threshold analysis (PTA)
• Complete a Privacy Impact Analysis (PIA) - determined if necessary by PTA
• Update relevant documentation, primarily the README.
• Fill out the System Security Plan (SSP).
  • Sections 1-12
    • Architecture diagram
  • Section 13
• Complete Digital Identity Acceptance (DIA)
• Complete ISA documentation if required
• Complete BIA
• Complete Continuity of Operations (COOP) Plan
• Complete Configuration Management Plan (CMP)
• Complete Incident Response Plan
• Complete Rules of Behavior for system
• Remediate all control comments from ISSO

ISSO

• Tailor documentation checklist above
• Review Section 13

Phase 2: Architecture review

ISSO

1. Submit sections 1-12 of SSP for Architecture Review
2. Submit section 13 to ISSM for acceptance and movement forward for assessment if no issues remain
3. Schedule a documentation review session.
   • One or more follow-up sessions may be necessary.

Program team

1. Fix any documentation issues identified in the session.
2. RoE signed
   • System Owner
   • GSA IT
3. Confirm you can access Archer

Phase 3: Environment finalization

Project team

• Environment (live system) finalized
• Fully instantiate environment for assessment
  • Your SaaS/IaaS/PaaS should be generally configured for launch
• Remediate High and Critical findings from scans
• Fill out the Rules of Engagement (RoE)

ISSO+SecOps

• Complete operating system (OS), database (DB), and/or container scanning
• Complete Web Scanning for GSA implementation site (Netsparker)
• Re-scan to ensure remediation

Phase 4: Penetration testing

The following penetration tests will be performed:

• External Interfaces
• OWASPv4.1 & PTES-TG
• Gray Box
• Authenticated

Project team

• Environment being tested is frozen (disable automated deploys to production)
• Put all found vulnerabilities in the project's issue tracker
• Fix any Critical or High vulnerabilities.
  • This needs to be done before the ATO can be issued, though not necessarily before the end of the assessment.

Testers

• Deliver Penetration Test Report

ISSO

• Request penetration test and assessment
• Penetration test complete
• Assessment scheduled

Phase 5: Assessment

Needs to start within 30 days of penetration test.

Assessors

1. Assessment kickoff meeting
2. Complete Security Assessment Plan (SAP)
3. Complete Security Assessment Report (SAR)

Project team

• Polish up the System Security Plan (SSP).

Phase 6: Post-assessment

1. Controls tested - @[GSA IT representative]
2. Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
3. Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
4. Remove the Beta label from the site.
5. Fix all Moderate vulnerabilities - due [30 days after ATO issued]
6. Fix all Low vulnerabilities - due [60 days after ATO issued]
7. Join the TTS Private Bug Bounty - due [60 days after ATO issued]
8. Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critcal/high report was triaged, whichever comes last
9. ATO letter signed
10. Cert letter signed
11. Launch

---

See the Before You Ship site for more information.

/cc @18F/tts-tech-portfolio