Complete the SSR for the ATO.

[OpenGlobe]

We need to complete the System Security Review (SSR) document for the ATO. The following are items to be included in the SSR along with tentative assignments (to be discussed further).

• PIA updated (Theresa)
• We need the review/approval workflow processes documented, as well as the process for assigning permissions to the workflow. - Fureigh/18F
• We need the auditable events documented and understand where/how the events are recorded (what is recorded and where and how do we access the information if needed, and who can access that information). - Fureigh/18F
• We need the type of users and user privileges documented. - Fureigh/18F, DAS
• We need the data flow documented by describing the flow of data in and out of system boundaries and creating a data flow diagram. This should include protections implemented at all entry and exit points in the data flow as well as internal controls between different user types. - Matt, DIS - maybe some input from Fureigh
• We need to detail how accounts are created in beta.nsf.gov. How a user authenticates to beta.nsf.gov (probably through NSF ADFS or OpenAM services). How users are assigned roles and/or permissions in beta.nsf.gov. How is it determined which users get which roles (approval process for granting roles). - Fureigh/18F, Matt
• We need to document the systems configuration management process, including the change management process, inventory control, baseline configuration, and unauthorized change detection.
• We need to document the system’s contingency plan and disaster recovery plan, including the system backup and recovery procedures, as well as describing how backup information is stored, transmitted, and protected. - Fureigh/18F, cloud.gov
• We need to document the system’s incident response plan and procedures. - Fureigh/18F, cloud.gov, Matt, DIS
• We need to document the system’s communication protection mechanisms including any use of cryptography. - Fureigh/18F, Matt, DIS
• We need to document the system’s patch and vulnerability management procedures. How fast do patches need to be implemented? - Fureigh/18F, Matt, DIS
• We need to complete a network architecture diagram - Matt, DIS - maybe some input from Fureigh

Documents for reference include the QA docs and the MVP scoping document

[mtboesch]

These items are now added above.

We need to complete the System Security Review (SSR) document for the ATO. The following are items to be included in the SSR along with tentative assignments (to be discussed further).

• We need the review/approval workflow processes documented, as well as the process for assigning permissions to the workflow. - Fureigh/18F
• We need the auditable events documented and understand where/how the events are recorded (what is recorded and where and how do we access the information if needed, and who can access that information). - Fureigh/18F
• We need the type of users and user privileges documented. - Fureigh/18F, DAS
• We need the data flow documented by describing the flow of data in and out of system boundaries and creating a data flow diagram. This should include protections implemented at all entry and exit points in the data flow as well as internal controls between different user types. - Matt, DIS - maybe some input from Fureigh
• We need to detail how accounts are created in beta.nsf.gov. How a user authenticates to beta.nsf.gov (probably through NSF ADFS or OpenAM services). How users are assigned roles and/or permissions in beta.nsf.gov. How is it determined which users get which roles (approval process for granting roles). - Fureigh/18F, Matt
• We need to document the systems configuration management process, including the change management process, inventory control, baseline configuration, and unauthorized change detection.
• We need to document the system’s contingency plan and disaster recovery plan, including the system backup and recovery procedures, as well as describing how backup information is stored, transmitted, and protected. - Fureigh/18F, cloud.gov
• We need to document the system’s incident response plan and procedures. - Fureigh/18F, cloud.gov, Matt, DIS
• We need to document the system’s communication protection mechanisms including any use of cryptography. - Fureigh/18F, Matt, DIS
• We need to document the system’s patch and vulnerability management procedures. How fast do patches need to be implemented? - Fureigh/18F, Matt, DIS
• We need to complete a network architecture diagram - Matt, DIS - maybe some input from Fureigh

[mtboesch]

@trinehar can you take on the PIA assignment for beta.nsf.gov?

[fureigh]

@mtboesch Let's pair on this — likely in the next sprint.