This repository has been archived by the owner on Jul 26, 2021. It is now read-only.

Revamped ATO main page and background page #227

Merged
merged 2 commits into from Nov 3, 2016

Conversation

jezhumble
Contributor

I am working on a rewrite of the ATO section of before you ship with two goals:

  • Bring it up to date with current process
  • Ensure it applies to all of TTS, not just 18F
  • Where possible, make it useful for people working at other agencies who want an overview of the risk management process and our approach to implementing it.

This PR updates the first page of the ATO and the background section.

@NoahKunin
Contributor

Thanks so much @jezhumble. I'm afraid of how this week is going, this will get punted by 🔥s if we do it async. Please put 20 mins on my calendar and we'll knock out this PR and any other BYS PRs.


The information system's owner, working with the AO, decides which controls should be implemented. NIST's encyclopedic [Special Publication 800-53](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) (currently on revision 4) is the definitive guide to security and privacy controls for federal information systems. Which controls are selected is based on the following:

* *The impact level of the system* (low, moderate or high). SP 800-53 provides a "baseline" set of controls for each level. The higher the level, the more controls are in scope. For systems running on cloud infrastructure, you should consult [FedRAMP's security control documentation](https://www.fedramp.gov/resources/documents-2016/).
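Review bot: the first bullet presents the impact level as an input without saying where it comes from, so a reader may think it is chosen freely; the level is the result of the system's FIPS 199 security categorization (the high-water mark of the confidentiality, integrity and availability impacts of the information types it handles), and FIPS 200 is what ties that level to the SP 800-53 baselines. Suggest "*The impact level of the system* (low, moderate or high), as determined by its FIPS 199 categorization." The FedRAMP link should also say what to read there, since that page lists templates and guidance as well as the low/moderate/high baselines.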
Member
@JJediny JJediny Nov 2, 2016

"The higher the level, the more controls are in scope"
to
"The higher the level, the more controls and/or control enhancements are within scope"

The information system's owner, working with the AO, decides which controls should be implemented. NIST's encyclopedic [Special Publication 800-53](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) (currently on revision 4) is the definitive guide to security and privacy controls for federal information systems. Which controls are selected is based on the following:

* *The impact level of the system* (low, moderate or high). SP 800-53 provides a "baseline" set of controls for each level. The higher the level, the more controls are in scope. For systems running on cloud infrastructure, you should consult [FedRAMP's security control documentation](https://www.fedramp.gov/resources/documents-2016/).
* *Which controls are already taken care of by your infrastructure*. If you're running in the cloud, many controls are taken care of at the infrastructure or platform layer. If your provider has received a FedRAMP ATO, it will provide a document called a _customer responsibility matrix_ (CRM) listing the residual controls that are the responsibility of the applications running on the infrastructure or platform.
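Review bot: "listing the residual controls that are the responsibility of the applications" suggests the inherited controls drop out of the picture, which is not how the documentation works: the application's own System Security Plan still lists every control in its baseline and records the inherited ones as inherited from the provider's FedRAMP authorization. The CRM also marks many controls as shared rather than wholly the customer's, where the provider supplies a capability (logging, backups, identity) and the customer must configure, use and review it. Suggest "...listing the controls that remain wholly or partly the responsibility of the application; inherited controls are still recorded as such in the application's SSP."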
Member
residual or hybrid controls.... that are the responsibility (or for hybrid controls partial responsibility)...

Before a system is made publicly accessible on the Internet, it must go through either the full ATO process or a 90-Day [Lightweight Authority to Operate (LATO)](types/). Systems can be made available for use in an extremely limited capacity if they meet the [pre-authorization criteria](types/#pre-authorization).

While the ATO is the final compliance step that's required before launching an application, you will want to **start the process as soon as possible** after your project gets off the ground.
Every federal information system must go through NIST's [Risk Management Process](background/) before it can be used to process federal information. This process culminates in a signed Authority to Operate (ATO) being issued. Because the Risk Management Process is a complex, multi-step process which will constrain the design and implementation of your system, you should start thinking about how it applies to your system _before_ you begin designing and implementing it. The steps of the Risk Management Process should be executed in parallel with other project activities. Please get in touch with the TTS Infrastructure Team as soon as your project gets funding so you can discuss which category of ATO will be required for your system, and understand what will be required to gain an ATO for it.
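Review bot: "This process culminates in a signed Authority to Operate (ATO) being issued" contradicts Step 6 later on this page: in NIST SP 800-37 the authorization decision is step 5 and continuous monitoring (step 6) runs for the life of the system, so the ATO is a milestone rather than the end of the process. Suggest "...leads to a signed Authority to Operate (ATO), after which the system enters continuous monitoring." The two paragraphs also give different triggers: the first says the ATO is needed "before a system is made publicly accessible on the Internet", the second "before it can be used to process federal information"; pick one so readers know whether internal-only systems are covered.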
Contributor

This should use "Risk Management Framework" terminology consistently, as NIST RMF is widely referenced, so that people don't think "Risk Management Process" is something else.

navtitle: Background
---

***[This page is in need of a rewrite.](https://github.com/18F/before-you-ship/issues/89)***
One of the goals of the Federal Information Security Management Act of 2002 (FISMA) is to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." NIST was tasked with designing and implementing this framework: the result is NIST's Risk Management Framework (RMF). All federal information and information systems (except classified information and national security systems) are subject to NIST's RMF by law.
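Review bot: "NIST was tasked with designing and implementing this framework" overstates NIST's role; FISMA directs NIST to develop the standards and guidelines (FIPS 199, FIPS 200, SP 800-37, SP 800-53), and the agencies implement them. Since this paragraph is the legal grounding for the rest of the page, it should also mention that the 2002 act was amended by the Federal Information Security Modernization Act of 2014, which is the statute in force now. The carve-out for national security systems is correct; those follow CNSS policy rather than NIST's, and saying so in a clause would keep readers from looking for the RMF there.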
Contributor

My general mode is regardless of context, each standalone document always spells out acronyms the first time within that document. Plz spell out NIST - thx!

Contributor

Remove "by law". The SPs are guidance - not even pseudo-regulatory.


### Step 6: Monitor Security Controls

Once a system receives an ATO, it must be assessed at regular intervals to ensure the effectiveness of the control implementation. Any changes to the system or its environment should also be assessed to determine their impact.
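Review bot: "at regular intervals" should say how often, because this is the part of the process teams budget for: FISMA requires the effectiveness of controls to be tested and evaluated no less than annually, and FedRAMP adds monthly vulnerability-scan reporting on top of the annual assessment. The second sentence also needs to say what a change triggers and who decides: a change to the system or its environment gets a security impact analysis, and the AO decides whether it is a "significant change" (SP 800-37's term) that requires re-authorization rather than an update to the SSP and POA&M. Suggest "Changes to the system or its authorization boundary must be assessed for their security impact; the AO decides whether a change is significant enough to require re-authorization."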
Contributor

Swap "any changes" to "Changes to the system's security boundary".


4 participants