This repository has been archived by the owner on Feb 21, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
30 additions
and
0 deletions.
There are no files selected for viewing
30 changes: 30 additions & 0 deletions
30
Staffing Issues/FY18 Round 2 Phase 1/Bundle-4-(Security-Compliance).md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| ## Project Description | ||
|
|
||
| * **Client:** OPP / 10x | ||
| * **Engagement Type:** Phase 1 $20k Investigation (x4) | ||
| * **Problem to be solved:** TTS will explore the possibility of 1) reducing the burden for small and medium-sized firms to move through the FedRAMP process, 2) identifying standards for compliant IT tooling across agencies, 3) monitoring certificates to check for the validity of .gov domains across the government, and 4) evaluating whether or not FedRAMP requirements are beyond compliance frameworks such as ISO and HIPAA. | ||
| * **Original Pitches:** | ||
| * *Security Compliance Angel Investors*. Security compliance is a massive obstacle for modern software-as-a-service (SaaS) companies, particularly small-to-medium-sized ones, to sell to the federal government. TTS will explore ways to reduce the burden, via funding or other assistance, on small and medium-sized cloud providers that want to enter the federal marketplace, with the goal of increasing incentive and lowering risk for these companies to go through FedRAMP. | ||
| * *Trusted Tooling for IT Compliance*. TTS will explore collaboration with IT compliance officers and auditors across the federal government to identify what constitutes trusted tooling, what they need to learn to use new tooling effectively, and how institutional or cultural hurdles to adopting automated compliance can be removed. | ||
| * *Certificate Transparency*. The future of assurance for HTTPS certificates is certificate transparency, an initiative piloted and adopted by Mozilla, Apple, and all major browsers. The project will explore ways to monitor all certificates from all sources to check for validity of .gov domain certificates. | ||
| * *Compliance Gap Analysis*. Cloud service vendors looking to do business with the government frequently complain to the Office of Management and Budget (OMB) and the Federal Chief Information Officer (CIO) that the FedRAMP process imposes additional compliance requirements on top of existing requirements like those mandated by the International Organization for Standardization (ISO) and the Health Insurance Portability and Accountability Act (HIPAA). TTS will conduct research to validate or invalidate this assertion with the goal of identifying any unique FedRAMP requirements that are beyond compliance frameworks such as ISO and HIPAA. | ||
|
|
||
| Direct questions about this engagement to Will Cahoe or Carolyn Dew | ||
|
|
||
| ## Timeline | ||
|
|
||
| **Duration of engagement:** 8-10 weeks, each of these investigation sprints has ~65 hours allocated to them, for a total of 260 hours for this staffing issue. | ||
|
|
||
| **Last date on which work can be done per the agreement:** 9/30/2019 (flexible) | ||
|
|
||
| ## Skills Needed | ||
|
|
||
| - [ ] Strategist / Researcher with a security compliance background: | ||
|
|
||
| * Number of weeks this role is needed: 8-10 weeks | ||
|
|
||
| * Hourly commitment per week: 25-32 hours | ||
|
|
||
| ## Prior to closing this issue | ||
|
|
||
| - [ ] Ping @abrouilette that the issue is ready to close, so he can update some things. |