name | about | title | labels | assignees |
---|---|---|---|---|
ATO |
Checklist for an Authority to Operate |
ATO for [system] - due [date] |
g: accepted, i: software assurance |
- Main repository: [url]
- Site: [url]
- Product manager: @[username]
- System Owner: @[username of technical point of contact who will be the project representative for the ATO]
- ISSO: @[username]
- ISSM: @rpalmer-gsa
- ATO folder: [url]
If your system isn't live yet, "production" refers to the environment that will be production.
- Request ISSO
- Assign the appropriate labels to this issue.
- Read the following:
- Guidelines for GSA's Digital Presence
- Hello, production
- The Engineering Practices Guide, particularly:
- Before You Ship, particularly:
- The API Standards, if you plan to have an API
- Determine the impact level (FIPS-199 categorization).
- Confirm with @[Authorizing Official]
- Provide SSP template
- Lay out long-term ATO path
- Ensure that common technical controls are part of the architecture
- Code scanning
- Dependency scanning
- Input validation
- Platform selection
Everything in this section needs to be completed before the project will be scheduled for an assessment.
- Set up an ATO intro meeting with the project team.
- Set up the project ATO folder.
These tasks apply to every repository/application/hostname/language that is directly involved in your project.
- Enable protected branches for the project repository.
- Get help via #admins-github, if needed.
- Ensure that your production environment is fully set up, and matches what's described in your ATO materials.
- Set up monitoring
- Log required events
- Perform security scans, and put the results (or a link to them) in the project's
ATO folder
.- Set up dependency analysis service
- Add service badge to your README
- Put a point-in-time PDF of the scan results in the project's
ATO folder
.
- Set up static code analysis
- If using a service, add the badge to your README.
- Perform dynamic vulnerability scanning
- Resolve any visible security issues, re-running the scan as needed
- Add the issue-free scan report or documentation about false positives to the project's ATO folder.
- Set up dependency analysis service
- If this is a new system, add a prominent
Beta
label to the site. - Ensure the production environment has sufficient capacity to withstand the testing.
- The testing tools create very heavy usage and traffic.
- Architecture finalized
...reading and writing.
- Read the Overview and the ATO section (including sub-pages) of Before You Ship.
- Read the LATO guide.
- Search this page for "Lightweight Security Authorization Guide".
- Read the Checklist of Requirements for Federal Websites and Digital Services
- Read the Guidelines for GSA's Digital Presence
- Request a privacy threshold analysis (PTA)
- Complete a Privacy Impact Analysis (PIA) - determined if necessary by PTA
- Update relevant documentation, primarily the README.
- Fill out the System Security Plan (SSP).
- Sections 1-12
- Section 13
- Complete Digital Identity Acceptance (DIA)
- Complete ISA documentation if required
- Complete BIA
- Complete Continuity of Operations (COOP) Plan
- Complete Configuration Management Plan (CMP)
- Complete Incident Response Plan
- Complete Rules of Behavior for system
- Remediate all control comments from ISSO
- Tailor documentation checklist above
- Review Section 13
- Submit sections 1-12 of SSP for Architecture Review
- Submit section 13 to ISSM for acceptance and movement forward for assessment if no issues remain
- Schedule a documentation review session.
- One or more follow-up sessions may be necessary.
- Fix any documentation issues identified in the session.
- RoE signed
- System Owner
- GSA IT
- Confirm you can access Archer
- Environment (live system) finalized
- Fully instantiate environment for assessment
- Your SaaS/IaaS/PaaS should be generally configured for launch
- Remediate High and Critical findings from scans
- Fill out the Rules of Engagement (RoE)
- Complete operating system (OS), database (DB), and/or container scanning
- Complete Web Scanning for GSA implementation site (Netsparker)
- Re-scan to ensure remediation
The following penetration tests will be performed:
- External Interfaces
- OWASPv4.1 & PTES-TG
- Gray Box
- Authenticated
- Environment being tested is frozen (disable automated deploys to production)
- Put all found vulnerabilities in the project's issue tracker
- Fix any
Critical
orHigh
vulnerabilities.- This needs to be done before the ATO can be issued, though not necessarily before the end of the assessment.
- Deliver Penetration Test Report
- Request penetration test and assessment
- Penetration test complete
- Assessment scheduled
Needs to start within 30 days of penetration test.
- Assessment kickoff meeting
- Complete Security Assessment Plan (SAP)
- Complete Security Assessment Report (SAR)
- Polish up the System Security Plan (SSP).
- Controls tested - @[GSA IT representative]
- Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
- Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
- Remove the
Beta
label from the site. - Fix all
Moderate
vulnerabilities - due [30 days after ATO issued] - Fix all
Low
vulnerabilities - due [60 days after ATO issued] - Join the TTS Private Bug Bounty - due [60 days after ATO issued]
- Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critcal/high report was triaged, whichever comes last
- ATO letter signed
- Cert letter signed
- Launch
See the Before You Ship site for more information.
/cc @18F/tts-tech-portfolio