-
Notifications
You must be signed in to change notification settings - Fork 1
GSA LATO remediations #29
Comments
Updated the system diagram to reflect both Production and Tooling VPCs as part of the authorization boundary. Also updated section 10.1 of the SSP detailing the environment |
@mogul has anyone updated the GitHub and New Relic documentation for the L-ATO? This will need to be submitted to GSA OCISO. |
I think when we reviewed this in passing @NoahKunin said he's already written up those details, but I'm not sure... Noah? |
@clovett3 Can you please review the list above and make sure it's accurate? In particular, please call out anything that we're doing which is "above and beyond"; we have a lot of FedRAMP stuff to do already before July 21st. :) |
@mogul the list looks accurate to me. The main thing for GSA OCISO is the documentation around third party tools and the auditing of the jump boxes and if MFA is incorporated on them. The vulnerabilty scanning has been implemented with GSA ISO. |
@clovett3 So these two parts are not explicitly necessary?
|
Hi @mogul @clovett3 - sorry I'm just seeing this now. Mentions are way too overwhelming, so if I have actions I need to take, I really need to be assigned to an Issue. In any case, just let me know exactly where I should document GitHub and New Relic and what I need to say about them. Thanks! Also I updated the check list above the vuln scanning is resolved. |
@NoahKunin the Githulb Documentation is listed here https://docs.google.com/a/gsa.gov/document/d/1DujX9B_VWxzkOu4LXljwBEdSsIvPJEmIYKAgHrBj4ss/edit?usp=sharing. @mzia had a few comments listed in the doc file |
@clovett3 we also need to add pagerduty. I don't think we have any other integration |
@dlapiduz That's fine. We have pagerduty listed within the SSP and the system diagram. |
Is this still relevant? |
@afeld I think we can close it out, if we get asked again we can re open, they seem concerned about other stuff now |
What we're after: Remediation of outstanding points from GSA ISSO to ensure long-term ATO
Benefits:
Specific points to be addressed:
Audit activity of individuals accessing jump box
Migrate Bosh and Concourse into a tooling VPC
In order to have a clear boundary between staging and production for LATO Section 13 evaluation, the cloud.gov CI/CD environment (Bosh, Concourse, monitoring) should be in a separate VPC.
Document third-party service integrations
In order to ensure cloud.gov's 90-day LATO is durable, the cloud.gov team must address concerns about integrations with third-party services.
Acceptance Criteria
Specifically, GSA's ISSO said: "18F must provide write-ups for each third-party service detailing the service integration, what data is stored, how connections are secured, how it is accessed etc., for follow-on GSA review/approval."
Proactively scan for problems in deployed buildpacks
In order to reduce the time before a vulnerability is noticed and remediated, cloud.gov should scan the deployed buildpack configuration of tenant apps and alert appropriately when problems are found.
Alert, then auto-restage when outdated buildpacks are in use
In order to improve the likelihood that apps deployed on cloud.gov remain secure, tenants should be alerted when they are running an out-of-date buildpack, and apps in that state should be re-staged if more than a week passes.
The text was updated successfully, but these errors were encountered: