[10k]: Security approval for static site launch

[widal001]

Description

Jacob, our security officer, has confirmed that we expect all planned public deployment of services to fall under a security approval for beta.grants.gov. Review final proposal with Jacob or relevant security partner to ensure acceptance of our initial plan and we receive security approval to release the static site.

Outcome

• Acceptance of proposal that indicates our environment(s) meet the controls
• Our environment adheres to the SSP within the existing Grants.gov ATO

Dependencies

• [10k]: API Planning #42
• [10k]: Front-end planning #49
• [10k]: DB planning #48
• [10k]: Communication planning #47

Risks and Mitigations

Risk:

• Time to receive ATO is unknown and can be lengthy. The ATO process at HHS is new to the team. Team is unsure about the ATO process and who needs to be involved.

Mitigation:

• Start the process early, regular check ins with security partner to show progress and get input
• Get clarification early on who needs to be involved, set check ins with security partner to ensure the team is on the right track.

Sub-Tasks

• Clarification on the process - completed on 8/31
• [Task]: Create Security Impact Assessment #459

Below are dependent on the SIA:

• [Task]: Determine and Document Alerts Needed for Static Site #414
• [Task]: Create Internal Incident Response Plan #415
• Stretch goal: Load testing

Out-of-scope but will need the following for prod:

• Incident Response Plan for beta launch: runbook
• [Task]: Update Configuration Management Plan (CMP) #465
• [Task]: Contingency Plan (CP) for beta launch #466
• [Task]: Update Appendix X with Simpler changes #464

Definition of Done

• Acceptance of proposal that indicates our environment(s) meet the controls and adheres to the SSP/SIA for the beta launch in September

[sumiat]

Update on status: Meeting with security on 8/31 to discuss requirements for static site launch.