Create GSA-pages.md

[JJediny]

Changes proposed in this pull request:

• DRAFT for review and comment
• @drewbo
• @kudehaatila

security considerations

Documents the steps required to request a new Authority to Use (ATU) for a GSA Website using https://pages.cloud.gov

[drewbo]

A few high level thoughts before I do a closer read:

• There is an existing page which covers cloud.gov Pages itself; I would definitely link those pages, or combine as appropriate.
• Prior to linking to the FedRAMP package, I would link to the page above as well as cloud.gov/pages so readers will have more understanding of the application and its purpose.

Let me know if you want help on either of those portions and I can add some language

[svenaas]

I suggest something other than blockquote for notes like this. If they need to be set off from the rest of the text under the heading, maybe just give them something like a "Note: " prefix or something else that indicates how they are distinct. If they need different markup I'd probably choose italics.

[JJediny]

Switching to alert component

[svenaas]

Maybe

Suggested change

"TTS Pages" is GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov)

"TTS Pages" is the name given to GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As part of this ATO GSA adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). This provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov)

[Edited to add:]

And also would it be worth going a step further, and adding an additional brief paragraph starting with "Cloud.gov Pages is ..." to help a reader understand the distinction, since both "TTS Pages" and "Cloud.gov Pages" are mentioned in the text below?

[JJediny]

updated based on edits suggested

[svenaas]

Suggested change

	## Reassessment
	## Reassessment

[JJediny]

accepted

[svenaas]

I'm having trouble parsing this next item. Which "following steps" does it refer to? The next ## subheadings?

Also there's a typo:

Suggested change

	Website Managers will be notified, the following steps are only in the event that the Website Manager is none responsive.
	Website Managers will be notified, the following steps are only in the event that the Website Manager is nonresponsive.

[JJediny]

updated to remove ref to steps and note that it is only conditioned on no response

[svenaas]

Suggested change

Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** addressing the plan to address the deficiencies.

Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies.

[JJediny]

accepted

[svenaas]

Suggested change

	The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP, or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below:
	The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below:

[JJediny]

accepted

[svenaas]

Suggested change

	- **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR, will be issued a CAP request.
	- **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR will be issued a CAP request.

[JJediny]

accepted

[svenaas]

Suggested change

	- Disabling a site consists of removing the site within the Cloud.gov Pages Platform which will result in a site being unreachable.
	- Disabling a site consists of removing the site from the Cloud.gov Pages Platform which will result in a site being unreachable.

[JJediny]

accepted

[svenaas]

Suggested change

	- Deleting a site removes the published site from TTS Pages servers and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users.
	- Deleting a site removes the published site from the Cloud.gov Pages platform and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users.

[JJediny]

accepted

[sknep]

Some content changes would really help make this more readable and fit the cloud.gov content styleguide. Let me know if I can help! I don't mind making some of these changes for you if you're swamped.

[sknep]

should this URL be root-relative?

[JJediny]

Yes as it is ref another handbook page

[sknep]

None of the sentences with blockquote formatting (> prefix) end in a period, which is weird. also this use of blockquote formatting is inappropriate for mere visual distinction. It indicates quoting another document/source/speaker, and that semantic use should not be hijacked to call attention visually. Use a heading, or bold, or italics, etc.

[JJediny]

Removed many of the blockquotes to use handbook alert components. The remaining blockquotes have been updated with a .

[sknep]

This page has capital-C cloud.gov everywhere, which we’re moving to soon, but haven't yet. Our styleguide currently calls for cloud.gov, and I plan to make all the changes at once. I can live with it but ideally it would be consistent across the site until we officially change.

[sknep]

The capitalization of certain nouns here and elsewhere seems arbitrary: "Source Code", "Contents", "Website", "Web Presence". These aren't proper nouns.

[svenaas]

Agreed.

[JJediny]

Updated to remove capitalization of cloud.gov and list provided

[sknep]

code formatting isn't appropriate here.

[JJediny]

changed to bold

[sknep]

Can we spell out POA&M here, its the first time we use this acronym in this document

[sknep]

This is the first time the document describes a team for TTS Pages. It's not immediately clear to me (and I'm on the cloud.gov Pages team) whether that means us :D. Who or what is the team? is it an office? Can you introduce or identify it, provide a contact for it, or otherwise disambiguate it from the cloud.gov pages team?

[JJediny]

Updated to introduce TY!

[sknep]

Site Owner is capitalized here, but not "Site owners" in the bullet point above. I still think this is easier to read without the Extra Capitals, but whichever, please be consistent.

[sknep]

There's a lot of passive voice throughout this document. Site owners will be issued a DFR... will be issued a request... etc. It'd be clearer and easier to read throughout if we start with who is issuing these to the site owners. "The TTS Pages office will issue a DFR in the event a site owner fails to adequately respond.... " etc. It also makes it clearer who is doing what, rather than things just happening.

If you'd like, I can take a stab at reordering these phrases. I don't mind :)

[JJediny]

Updated to avoid passive language

[sknep]

owners'

[sknep]

is this TTS Pages servers or Cloud.gov Pages servers? I believe it's the latter.

[sknep]

Issued to whom?

[svenaas]

Also: Issued by whom?

[JJediny]

Updated to be specific - by whom and to whom

[kfoley-18F]

Hey @JJediny and folks here -

I am concerned about having this content be confusing for non-GSA Pages customers.
I'd really like them to be able to google or search.gov search for Pages ATO/ATU and get the right information and not end up in the TTS Handbook, so there's some wordsmithing that needs to happen on this still:

• Clear definition of scope at the top: "you are someone who is impacted by this if you: a) are a site owner within GSA b) are not covered by another ATO/ATU with a different scope c)... etc" as well as "This policy does not impact Cloud.gov Pages users who..."

• I know there's been some name changes involving "GSA implementation of Pages" vs. "TTS Pages" for the scope of the ATO, but that's not going to be clear enough here. "TTS Pages" as a name will be too confusing for customers of Cloud.gov Pages given that Cloud.gov is in TTS.

• There's quite a bit of this that needs some Plain Language editing. I'd recommend getting help from Star's team to review, as they have been the POCs for the TTS website and can help with tone, voice, and clear writing style.

• Outlining that System Owners are accountable for things and will get CAPs doesn't help if they literally don't have the skills or resources to do it. This needs to come along with recommendations on how to get help. We're already seeing the scramble for largely unattended sites. Sticks alone won't result in sites meeting expectations unless they also come with carrots.

Thank you for getting a broad review of this before publishing it!

[drewbo]

Suggested change

	> If you are building or launching a **new** GSA Website [follow this guide](tts-pages/)
	> If you are building or launching a **new** GSA Website [follow this guide](gsa-pages/)

[JJediny]

is defined by the... instead of click here style

[JJediny]

👍

[KKAtila]

The titles currently display "Create tts-pages.md", "TTS Pages", "TTS Pages - Handbook Page". Please note the name change from TTS Pages to GSA Pages if it hasn't been updated already.