Create GSA-pages.md #3814
Create GSA-pages.md #3814
Conversation
There was a problem hiding this comment.
A few high level thoughts before I do a closer read:
- There is an existing page which covers cloud.gov Pages itself; I would definitely link those pages, or combine as appropriate.
- Prior to linking to the FedRAMP package, I would link to the page above as well as cloud.gov/pages so readers will have more understanding of the application and its purpose.
Let me know if you want help on either of those portions and I can add some language
| --- | ||
| # TTS Pages - Authority to Use (ATU) Process | ||
|
|
||
| >This guide is intended for `Website Managers` to meet their requirements under the TTS Pages Authority to Operate (ATO) |
There was a problem hiding this comment.
I suggest something other than blockquote for notes like this. If they need to be set off from the rest of the text under the heading, maybe just give them something like a "Note: " prefix or something else that indicates how they are distinct. If they need different markup I'd probably choose italics.
There was a problem hiding this comment.
Switching to alert component
|
|
||
| >This guide is intended for `Website Managers` to meet their requirements under the TTS Pages Authority to Operate (ATO) | ||
|
|
||
| "TTS Pages" is GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov) |
There was a problem hiding this comment.
Maybe
| "TTS Pages" is GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov) | |
| "TTS Pages" is the name given to GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As part of this ATO GSA adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). This provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov) |
[Edited to add:]
And also would it be worth going a step further, and adding an additional brief paragraph starting with "Cloud.gov Pages is ..." to help a reader understand the distinction, since both "TTS Pages" and "Cloud.gov Pages" are mentioned in the text below?
There was a problem hiding this comment.
updated based on edits suggested
|
|
||
| >This is performed after the ATU request is submitted | ||
|
|
||
| ## Reassessment |
There was a problem hiding this comment.
| ## Reassessment | |
| ## Reassessment |
|
|
||
| >This Determination is made by the TTS Pages System Owner `[email protected]`. Generally, this is done if security findings are not being addressed promptly. | ||
|
|
||
| Website Managers will be notified, the following steps are only in the event that the Website Manager is none responsive. |
There was a problem hiding this comment.
I'm having trouble parsing this next item. Which "following steps" does it refer to? The next ## subheadings?
Also there's a typo:
| Website Managers will be notified, the following steps are only in the event that the Website Manager is none responsive. | |
| Website Managers will be notified, the following steps are only in the event that the Website Manager is nonresponsive. |
There was a problem hiding this comment.
updated to remove ref to steps and note that it is only conditioned on no response
| Website Managers will be notified, the following steps are only in the event that the Website Manager is none responsive. | ||
|
|
||
| ## Failure to Maintain Site - Site Removal | ||
| Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** addressing the plan to address the deficiencies. |
There was a problem hiding this comment.
| Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** addressing the plan to address the deficiencies. | |
| Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies. |
| ## Failure to Maintain Site - Site Removal | ||
| Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** addressing the plan to address the deficiencies. | ||
|
|
||
| The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP, or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: |
There was a problem hiding this comment.
| The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP, or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: | |
| The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: |
|
|
||
| The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP, or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: | ||
| - **Detailed Finding Review (DFR)** - Site owners will be issued a DFR upon failing to address a deficiency within the site or alignment with the ATU requirements. | ||
| - **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR, will be issued a CAP request. |
There was a problem hiding this comment.
| - **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR, will be issued a CAP request. | |
| - **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR will be issued a CAP request. |
|
|
||
| ## Site Disablement | ||
| Site Owners who fail to respond to the CAP within the 30 day timeframe, or fail to provide an adequate CAP, or fail to comply with the provisions, timeline and duration of their CAP will have their site Disabled. | ||
| - Disabling a site consists of removing the site within the Cloud.gov Pages Platform which will result in a site being unreachable. |
There was a problem hiding this comment.
| - Disabling a site consists of removing the site within the Cloud.gov Pages Platform which will result in a site being unreachable. | |
| - Disabling a site consists of removing the site from the Cloud.gov Pages Platform which will result in a site being unreachable. |
|
|
||
| ## Site Removal | ||
| Site Owners who fail to address deficiencies within 90 days of disablement will have their site removed from the TTS Pages ATO boundary and the site will be deleted. | ||
| - Deleting a site removes the published site from TTS Pages servers and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users. |
There was a problem hiding this comment.
| - Deleting a site removes the published site from TTS Pages servers and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users. | |
| - Deleting a site removes the published site from the Cloud.gov Pages platform and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users. |
|
|
||
| "TTS Pages" is GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov) | ||
|
|
||
| >Follow this link for more information about using [Cloud.gov Pages](tools/pages) |
There was a problem hiding this comment.
Yes as it is ref another handbook page
| --- | ||
| # TTS Pages - Authority to Use (ATU) Process | ||
|
|
||
| >This guide is intended for `Website Managers` to meet their requirements under the TTS Pages Authority to Operate (ATO) |
There was a problem hiding this comment.
None of the sentences with blockquote formatting (> prefix) end in a period, which is weird. also this use of blockquote formatting is inappropriate for mere visual distinction. It indicates quoting another document/source/speaker, and that semantic use should not be hijacked to call attention visually. Use a heading, or bold, or italics, etc.
There was a problem hiding this comment.
Removed many of the blockquotes to use handbook alert components. The remaining blockquotes have been updated with a .
| Follow [TTS Incident Response Plan](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/security-incidents/) | ||
|
|
||
| ## Contingency Plan | ||
| 1. Sign up for [Cloud.gov Pages Status](https://cloudgov.statuspage.io/) notifications |
There was a problem hiding this comment.
This page has capital-C cloud.gov everywhere, which we’re moving to soon, but haven't yet. Our styleguide currently calls for cloud.gov, and I plan to make all the changes at once. I can live with it but ideally it would be consistent across the site until we officially change.
|
|
||
| >This guide is intended for `Website Managers` to meet their requirements under the TTS Pages Authority to Operate (ATO) | ||
|
|
||
| "TTS Pages" is GSA's Authority to Operate (ATO) using [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) for their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides TTS users with a fast and secure approach to getting a Web Presence for your projects/programs. This page defines the requirements for launching a new website at GSA using [Cloud.gov Pages](https://pages.cloud.gov) |
There was a problem hiding this comment.
The capitalization of certain nouns here and elsewhere seems arbitrary: "Source Code", "Contents", "Website", "Web Presence". These aren't proper nouns.
There was a problem hiding this comment.
Updated to remove capitalization of cloud.gov and list provided
|
|
||
| ## Launching a New Static Website at TTS | ||
|
|
||
| - [ ] Determine who will serve as the `Website Manager` |
There was a problem hiding this comment.
code formatting isn't appropriate here.
| Website Managers will be notified, the following steps are only in the event that the Website Manager is none responsive. | ||
|
|
||
| ## Failure to Maintain Site - Site Removal | ||
| Sites that fail to maintain the ATU requirements will be issued a formal notice. The TTS Pages team may take steps to disable the site or remediate the vulnerabilities. ATU site owners who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** addressing the plan to address the deficiencies. |
There was a problem hiding this comment.
Can we spell out POA&M here, its the first time we use this acronym in this document
There was a problem hiding this comment.
This is the first time the document describes a team for TTS Pages. It's not immediately clear to me (and I'm on the cloud.gov Pages team) whether that means us :D. Who or what is the team? is it an office? Can you introduce or identify it, provide a contact for it, or otherwise disambiguate it from the cloud.gov pages team?
There was a problem hiding this comment.
Updated to introduce TY!
|
|
||
| The CAP must be approved by the Site owner, System Owner, ISSM, and IST Director. Sites or Site owners who fail to respond to a CAP, or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: | ||
| - **Detailed Finding Review (DFR)** - Site owners will be issued a DFR upon failing to address a deficiency within the site or alignment with the ATU requirements. | ||
| - **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR, will be issued a CAP request. |
There was a problem hiding this comment.
Site Owner is capitalized here, but not "Site owners" in the bullet point above. I still think this is easier to read without the Extra Capitals, but whichever, please be consistent.
There was a problem hiding this comment.
There's a lot of passive voice throughout this document. Site owners will be issued a DFR... will be issued a request... etc. It'd be clearer and easier to read throughout if we start with who is issuing these to the site owners. "The TTS Pages office will issue a DFR in the event a site owner fails to adequately respond.... " etc. It also makes it clearer who is doing what, rather than things just happening.
If you'd like, I can take a stab at reordering these phrases. I don't mind :)
There was a problem hiding this comment.
Updated to avoid passive language
| - **Corrective Action Plan** - Site Owners who fail to adequately respond or address a DFR, will be issued a CAP request. | ||
| The Site Owner must provide a CAP to the System owner within 30 days of the CAP request. The CAP must detail how the team will address the deficiencies and the timeline for completion. | ||
|
|
||
| The Site Owners CAP must be approved by the TTS Pages system owner, the ISSM, and IST Director. |
|
|
||
| ## Site Removal | ||
| Site Owners who fail to address deficiencies within 90 days of disablement will have their site removed from the TTS Pages ATO boundary and the site will be deleted. | ||
| - Deleting a site removes the published site from TTS Pages servers and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users. |
There was a problem hiding this comment.
is this TTS Pages servers or Cloud.gov Pages servers? I believe it's the latter.
| ## Site Removal | ||
| Site Owners who fail to address deficiencies within 90 days of disablement will have their site removed from the TTS Pages ATO boundary and the site will be deleted. | ||
| - Deleting a site removes the published site from TTS Pages servers and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users. | ||
| - A Site Removal letter will be issued indicating that the site is no longer authorized to operate. |
There was a problem hiding this comment.
Updated to be specific - by whom and to whom
|
Hey @JJediny and folks here - I am concerned about having this content be confusing for non-GSA Pages customers.
Thank you for getting a broad review of this before publishing it! |
Spell check and internal link fix https://github.com/18F/handbook/actions/runs/8120129807/job/22196930149?pr=3814
…nto gsa-pages-atu-WIP
pages/tools/pages.md
Outdated
| @@ -7,6 +7,8 @@ redirect_from: | |||
|
|
|||
| We use [cloud.gov Pages](https://cloud.gov/pages/) to build websites. | |||
|
|
|||
| > If you are building or launching a **new** GSA Website [follow this guide](tts-pages/) | |||
There was a problem hiding this comment.
| > If you are building or launching a **new** GSA Website [follow this guide](tts-pages/) | |
| > If you are building or launching a **new** GSA Website [follow this guide](gsa-pages/) |
|
|
||
| - Identify a Federal GSA Employee as the **GSA Website Manager** | ||
|
|
||
| > Note: **GSA Website Manager** is defined here [GSA's Digital.gov Program](https://digital.gov/2023/03/24/who-is-your-website-manager/). | ||
| > Note: **GSA Website Manager** is defined here [GSA's Digital.gov Program](https://digital.gov/2023/03/24/who-is-your-website-manager/). |
There was a problem hiding this comment.
is defined by the... instead of click here style
| {% include "low-system.html" %} | ||
|
|
||
| "GSA Pages" is a **GSA only Authority to Operate (ATO)** of [cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the source code and contents for the website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a web presence for your projects/programs. | ||
| "GSA Pages" is a **GSA only Authority to Operate (ATO)** of [cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the source code and contents for the website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a web presence for your projects/programs. |
…nto gsa-pages-atu-WIP
…nto gsa-pages-atu-WIP
Changes proposed in this pull request:
security considerations
Documents the steps required to request a new Authority to Use (ATU) for a GSA Website using https://pages.cloud.gov