
SSP document remediations #41

Closed
17 tasks done
mogul opened this issue Jun 18, 2016 · 1 comment
Labels
compliance Compliance, security, and accessibility issues

Comments

@mogul
Contributor

mogul commented Jun 18, 2016

In order to ensure our SSP is ready for JAB technical reviewers, we need to remediate the points raised by our 3PAO interviews.

(Note: Be careful to ensure that your changes are made in the right place to find their way back into the YAML! See in particular cloud-gov/cg-atlas#91.)

Acceptance Criteria

  • IR: Incident Response Plan should include:
    • Frequency of testing/tabletop exercises (yearly)
    • Frequency of review of the IRP (yearly)
    • Who is notified, and how they are notified about IRP changes (Make an issue in GitHub and @-cloud-gov-team)
  • PL: PL-1b reads “The 18F Program Office will review and update the current 18F Identification and authorization Policy at least every 3 years and any documented procedures at least annually.” when it should say “Security planning policy” instead.
  • AU: AU-3 (1) should remove the section about BOSH CLI
  • CP: Need to mark everything as planned controls.
  • AT: Need to mark AT-1 and AT-2 as partially implemented since we don’t have a cloud.gov-specific training plan (Adam sez: Veris seems to think this is entirely covered by GSA training, which applies to all employees and contractors! Double-check and if so ignore this one.)
  • AT: Add training on the IRP, CPP, CMP, etc. to the Onboarding Checklist
  • MA/MP/PE: Need to change from N/A to Inherited from AWS GovCloud FedRAMP package and mark everything as Implemented.
  • CM: Configuration Management
    • Replace all the references of Trello to GitHub
    • Replace “18F DevOps and SecOps” to “cloud.gov operators”
    • CM: CM-2 (3) Needs to read: “If there is any manual change on any part of the infrastructure Bosh and Terraform will correct the settings and revert back to the known state.”
    • CM: We should remove the reference to the number of VMs
    • CM: CM-2 (7) Needs to read: “Per Federal policy 18F employees are not allowed to take equipment outside of the United States without explicit permission.”
    • CM: CM-8: Add “Bosh continuously maintains inventory of all instances and configuration”
@dlapiduz
Contributor

@clovett3 can you pick these changes from cg-compliance?

4 participants