Commit

Merge branch 'main' into tech-portfolio-to-operations
JJediny authored Apr 17, 2024
2 parents 87ef20f + 0d09bfa commit 3db3f81
Showing 15 changed files with 216 additions and 159 deletions.
2 changes: 1 addition & 1 deletion _includes/low-system.html
@@ -1,6 +1,6 @@
<div class="usa-alert usa-alert--info">
<div class="usa-alert__body">
<h3 class="usa-alert__heading">This is a <a href="https://atos.open-control.org/categorization/">Low</a> system</h3>
<h4 class="usa-alert__heading">This is a <a href="https://atos.open-control.org/categorization/">Low</a> system</h4>
<div class="usa-alert__text">
This means:
<ul>
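Review bot: Dropping the heading from h3 to h4 introduces a skipped level where this include is used. In pages/general-information-and-resources/tech-policies/gsa-pages.md the `{% include "low-system.html" %}` line follows the h2 `## Contingency Plan`, so the rendered page goes h2 to h4 with no h3, which accessibility checkers flag. Either keep `<h3 class="usa-alert__heading">` or add an h3 above the include on that page.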
4 changes: 2 additions & 2 deletions pages/general-information-and-resources/chicago.md
@@ -18,7 +18,7 @@ cSpell: ignore Heppner,Buren,chitown
<tr>
<td class="col-key"><strong>Point of contact</strong></td>
<td class="col-value">
<a href="jckfieldoffice@gsa.gov">Dave Lamb</a>
<a href="mailto:jckfieldoffice@gsa.gov">Dave Lamb</a>
</td>
</tr>
<tr>
@@ -191,4 +191,4 @@ business casual.

## Who can I contact if I have questions about the office space?

TTS no longer has formal operations support for the Chicago office. However, [jckfieldoffice@gsa.gov]([jckfieldoffice@gsa.gov]) should be able to answer most of your building-related questions. [Janie Burmeister](janie.burmeister@gsa.gov) may be able to help you with any questions specific to other FAS programs in Chicago and Region 5.
TTS no longer has formal operations support for the Chicago office. However, [jckfieldoffice@gsa.gov](mailto:jckfieldoffice@gsa.gov) should be able to answer most of your building-related questions. [Janie Burmeister](mailto:janie.burmeister@gsa.gov) may be able to help you with any questions specific to other FAS programs in Chicago and Region 5.
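Review bot: Both fixes in this file are the same defect (a bare address used as a link target, which renders as a relative URL), and the old `[jckfieldoffice@gsa.gov]([jckfieldoffice@gsa.gov])` had nested brackets as well. Worth a quick grep of the repository for `](` followed by an address without `mailto:` before merging, since the pattern appeared in both the HTML table and the Markdown paragraph of this one page.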
@@ -42,7 +42,7 @@ below.
for a link to the Gratuitous Services Agreement
1. _Optional:_ If you plan to record or take photographs of the speaker, have
them fill out the
[GSA Model Release Form](https://insite.gsa.gov/portal/getMediaData?mediaId=702794).
[GSA Model Release Form](https://docs.google.com/document/d/1_f7JsBYIVKV5aSrv96sW_SWJroECpvjiz6JmkJVbrFE/edit).
1. Put the signed Gratuitous Services Agreement and GSA Model Release Form (if
applicable) in
[the Gratuitous Services Agreement folder](https://drive.google.com/drive/folders/1UOKVVZGdI7IlAxrqcq48-HQQr8f5U6N7).
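Review bot: The new GSA Model Release Form link ends in `/edit`, and the step asks an outside speaker to fill the form out, so anyone receiving this link edits the shared master document rather than their own copy. Check the sharing settings on that document and consider linking a `/copy` or view-only version, or a downloadable file as the replaced insite.gsa.gov link was, so completed forms end up in the Gratuitous Services Agreement folder instead of overwriting the template.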
5 changes: 2 additions & 3 deletions pages/general-information-and-resources/software.md
@@ -38,7 +38,7 @@ If the software you are looking for is not one of the above, you will need to
determine if it is already approved for use at GSA, or if there is a similar
software product already approved that offers the same functionality.

Please note: In the past, the Tech Portfolio team had a major role in procuring
Please note: In the past, the Tech Operations team had a major role in procuring
software for programs, but the team is no longer able to provide this service
due to staff shortage.

@@ -49,8 +49,7 @@ to work with our Security team in “good faith and in a timely manner” will b
critical to the approval process.

Search the GSA IT Standards list in the
[GSA Enterprise Architecture Analytics and Reporting (GEAR)](https://ea.gsa.gov/#!/itstandards)
(requires VPN) to check if software is approved for use at GSA. You can also
[GSA Enterprise Architecture Analytics and Reporting (GEAR)](https://ea.gsa.gov/#!/itstandards) to check if software is approved for use at GSA. You can also
search for similar software already approved in GEAR if it meets most of your
needs.

70 changes: 42 additions & 28 deletions pages/general-information-and-resources/tech-policies/gsa-pages.md
@@ -3,49 +3,57 @@ title: GSA Pages
questions:
- tts-tech-operations
- cg-pages
- dns
redirect_from:
- /gsa-pages/
---
# Authority to Use (ATU) Process

>This guide is for **GSA Employees** operating a GSA Website using [Cloud.gov Pages](https://pages.cloud.gov).
{% include "alert.html" level:"warning" content: "This guide is for **GSA Employees or Contractors** operating a GSA Website" %}

"GSA Pages" is **GSA's internal "System"** with an Authority to Operate (ATO) of [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a Web Presence for your projects/programs.
"GSA Pages" is a **GSA only Authority to Operate (ATO)** of [cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the source code and contents for the website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a web presence for your projects/programs.

>Follow this link for more information about [Cloud.gov Pages](tools/pages)
## Launching a Website at GSA
- Confirm your website is listed on [https://touchpoints.digital.gov](https://touchpoints.digital.gov)
- if not listed, [complete a new website request](https://touchpoints.app.cloud.gov/admin/websites/new)
- Follow [GSA's Digital Lifecycle Program Guide](https://insite.gsa.gov/employee-resources/communications/websites/strategy-policy-and-standards/digital-lifecycle-program)

## Launching a [Cloud.gov Pages](http://pages.cloud.gov) Website at GSA
Prior to standing up a site with GSA Pages, you will need a domain or subdomain. To obtain a new domain or subdomain with GSA, approval is needed by GSA Leadership and Office of Customer Experience in Touchpoints.

## Launching a cloud.gov Pages Website

- Identify a Federal GSA Employee as the **GSA Website Manager**

> Note: **GSA Website Manager** is defined here [GSA's Digital.gov Program](https://digital.gov/2023/03/24/who-is-your-website-manager/)
> Note: **GSA Website Manager** is defined here [GSA's Digital.gov Program](https://digital.gov/2023/03/24/who-is-your-website-manager/).
- Turn on all [Github Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) for the Site's Repository and `Enable`:
- Turn on all [Github Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) for the website's repository and `Enable`:
- [CodeQL](https://docs.github.com/en/code-security/code-scanning)
- [Dependabot](https://docs.github.com/en/code-security/dependabot/)
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
- Designate (One) Github Team with `Admin` Access to the repository
- Designate (One or More) Github Team(s) with `Write` Access to the repository
- Submit a Pull Request to add your Repository to our Github Configuration Scanner to [GSA](https://github.com/GSA/.allstar/blob/main/allstar.yaml) or [GSA-TTS](https://github.com/GSA-TTS/.allstar/blob/main/allstar.yaml)
- Designate (One) Github Team with `Admin` access to the repository
- Designate (One or More) Github Team(s) with `Write` access to the repository
- Submit a pull request to add your repository to our Github configuration scanner to [GSA](https://github.com/GSA/.allstar/blob/main/allstar.yaml) or [GSA-TTS](https://github.com/GSA-TTS/.allstar/blob/main/allstar.yaml)
- Create a [`SECURITY.md` file](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository) - [Example](https://github.com/GSA-TTS/.allstar/blob/main/SECURITY.md)
- Follow GSA's [Digital Lifecycle Program](https://insite.gsa.gov/employee-resources/communications/websites/strategy-policy-and-standards/digital-lifecycle-program?term=DLP) for the Website
- Confirm your Website is listed on https://touchpoints.digital.gov
- if not Submit a [new website request](https://touchpoints.app.cloud.gov/admin/websites/new)

## Authority to Use (ATU) Review
Submit an [Authority to Use (ATU) Request](https://github.com/GSA-TTS/gsa-pages/issues/new?)
1. Review [GSA Pages Security Review and Approval Process](https://insite.gsa.gov/system/files/GSA-Pages-Security-Review-and-Approval-Process-%5BCIO-IT-Security-20-106-Revision-2%5D-03-08-2024_0.pdf)
1. Complete [GSA Pages Security Review and Approval Form](https://docs.google.com/forms/d/e/1FAIpQLSeDNRkNOol6pNvWdTBXA_lVMyGr4v0o5wo2ElZAMMX2kPMjzg/viewform) your information will be used to complete [GSA Pages Security Review Document](https://insite.gsa.gov/system/files/GSA-Pages-Site-Review-and-Approval-Template-03-08-2024.docx)
1. Email <a href="mailto:tts-tech-oprations@gsa.gov?subject=GSA Pages Authority to Use Request:">TTS Tech Operations</a> to confirm receipt or request review status.

- Resolve any Critical or High security findings from Security Scanners
- Resolve any Critical or High security findings from security scanners
- <a href="mailto:tts-tech-oprations@gsa.gov?subject=GSA Pages Authority to Use Request:">TTS Tech Operations</a>will:
- Create a Google Group for your website
- Notify the Website Manager of any missing information or security findings

Once the ATU review is completed the **GSA Website Manager** will be sent an ATU Approval package for signature. The **GSA Website Manager** will be responsible for managing Security Findings over the lifecycle of the Website.
Once the ATU review is completed the **GSA Website Manager** will be sent an ATU Approval package for signature in Docusign. The **GSA Website Manager** will be responsible for managing Security Findings over the lifecycle of the Website using the Google Group created to manage communications.

## Maintaining Approved Sites
Sites hosted on GSA Pages are required to have their URLs scanned in accordance with CIO-IT Security-06-30: Managing Enterprise Cybersecurity Risk and GSA’s parameter for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, control RA-5, Vulnerability Scanning.
## Maintaining Approved Sites
Sites hosted on GSA Pages are required to have their URLs scanned in accordance with CIO-IT Security-06-30: Managing Enterprise Cybersecurity Risk and GSA’s parameter for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, control RA-5, Vulnerability Scanning.

>This is performed after the ATU request is submitted
>This is performed after the ATU request is submitted, reviewed, and signed.
## Reassessment
## Reassessment
A Site’s ATU will have to be reassessed and an ATU reissued if the Site is found `NOT` to be in conformity with the requirements.

Conditions/events that may require a reassessment of the ATU include:
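Review bot: The added step `1. Email <a href="mailto:tts-tech-oprations@gsa.gov?subject=...">TTS Tech Operations</a>` misspells the address (`oprations`), as does the unchanged bullet below it, while the note further down in this file gives the System Owner as `tts-tech-operations@gsa.gov`; ATU requests sent from this page would bounce, so fix both mailto targets in this change. Same bullet: `</a>will:` needs a space before "will". Minor: the new alert says "GSA Employees or Contractors" but the next paragraph still says the service is provided to "**GSA employees**" and the first launch step requires a Federal GSA Employee as Website Manager; state explicitly what a contractor may and may not do.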
@@ -56,30 +64,36 @@ Conditions/events that may require a reassessment of the ATU include:

>This Determination is made by the GSA Pages System Owner `tts-tech-operations@gsa.gov`. Generally, this is done if security findings are not being addressed promptly.
**GSA Website Manager** will be notified, the following steps are only in the event that the **GSA Website Manager** is none responsive.
**GSA Pages System Owner** will proceed with the following actions, only in the event that the **GSA Website Manager** is none responsive.

## Failure to Maintain Site - Site Removal
Sites that fail to maintain the ATU requirements will be issued a formal notice. The GSA Pages team may take steps to disable the site or remediate the vulnerabilities. ATU **GSA Website Manager** who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies.
Sites that fail to maintain the ATU requirements will be issued a formal notice. The GSA Pages team may take steps to disable the site or remediate the vulnerabilities. **GSA Website Manager** who hit certain triggers of overdue **Plan of Actions & Milestones (POA&Ms)** and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies.

The CAP must be approved by the **GSA Website Manager**, System Owner, ISSM, and IST Director. Sites or **GSA Website Managers** who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below:
The CAP must be approved by the **GSA Website Manager**, System Owner, ISSM, and IST Director. Sites or **GSA Website Managers** who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below:
- **Detailed Finding Review (DFR)** - **GSA Website Managers** will be issued a DFR upon failing to address a deficiency within the site or alignment with the ATU requirements.
- **Corrective Action Plan** - **GSA Website Managers** who fail to adequately respond or address a DFR will be issued a CAP request.
- **Corrective Action Plan** - **GSA Website Managers'** who fail to adequately respond or address a DFR will be issued a CAP request.
The **GSA Website Manager** must provide a CAP to the System owner within 30 days of the CAP request. The CAP must detail how the team will address the deficiencies and the timeline for completion.

The **GSA Website Manager** CAP must be approved by the GSA Pages system owner, the ISSM, and IST Director.

## Site Disablement
**GSA Website Manager** who fail to respond to the CAP within the 30 day timeframe, or fail to provide an adequate CAP, or fail to comply with the provisions, timeline and duration of their CAP will have their site Disabled.
- Disabling a site consists of removing the site from the [Cloud.gov Pages Platform](https://pages.cloud.gov) which will result in a site being unreachable.
- Disabling a site consists of removing the site from the [cloud.gov Pages Platform](https://pages.cloud.gov) which will result in a site being unreachable.

## Site Removal
**GSA Website Manager** who fail to address deficiencies within 90 days of disablement will have their site removed from the GSA Pages ATO boundary and the site will be deleted.
- Deleting a site removes the published site from the [Cloud.gov Pages Platform](https://pages.cloud.gov) and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users.
- A Site Removal letter will be issued indicating that the site is no longer authorized to operate.
**GSA Website Manager** who fail to address deficiencies within 90 days of disablement will have their site removed from the GSA Pages ATO boundary and the site will be deleted.
- Deleting a site removes the published site from the [cloud.gov Pages Platform](https://pages.cloud.gov) and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users.
- A Site Removal letter will be issued by the **GSA Pages System Owner** to **GSA Website Manager** indicating that the site is no longer authorized to operate.

## Incident Response
**In the event of a security incident:**

Follow [TTS Incident Response Plan](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/security-incidents/)

## Contingency Plan
1. Sign up for [Cloud.gov Pages Status](https://cloudgov.statuspage.io/) notifications
1. Follow [Cloud.gov Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/)
**In the event of an outage:**

1. Sign up for [cloud.gov Pages Status](https://cloudgov.statuspage.io/) notifications
1. Follow [cloud.gov Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/)

{% include "low-system.html" %}
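Review bot: The rewritten Corrective Action Plan bullet introduces a stray possessive, `**GSA Website Managers'** who fail to adequately respond`; the original `**GSA Website Managers**` was correct. The rewritten sentence above it still reads "is none responsive", which should be "is non-responsive". Both are in lines this change touches, so they can be fixed here.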
2 changes: 1 addition & 1 deletion pages/getting-started/classes/benefits.md
@@ -139,7 +139,7 @@ WorkLife4You programs can be accessed via the EAP phone line: 1-800-222-0364 or
888-262-7848 (TTY). You can also register via the
[WorkLife4You website](https://www.worklife4you.com/index.html). More
information - including the registration code - is available on the
[WorkLife4You Fact Sheet](https://drive.google.com/file/d/10LRzsiG705VDKVtdlJhp0Bo1uoz6NRay/view).
[WorkLife4You Fact Sheet](https://drive.google.com/file/d/11TThQi2jk5Xs6d-PQsniQ8583Kj_jfnQ/view).

### EAP supervisor resources

8 changes: 2 additions & 6 deletions pages/getting-started/classes/gsa-internal-tools.md
@@ -13,7 +13,7 @@ GSA-issued equipment._
## GSA tools

Most of GSA's internal tools are accessible via our Agency's intranet
[Insite](https://insite.gsa.gov). You must be on the VPN to connect if you work
[Insite](https://insite.gsa.gov). You must be on the GSA network to connect if you work
remotely. [Instructions for logging in are here]({% page "/how-to-log-in/" %}).
Here's an overview of what you can access (you can click the names in this table
to scroll down the page):
@@ -23,7 +23,7 @@ to scroll down the page):
| [BookIT!](#bookit) | To reserve a desk or meeting room in GSA buildings | ENT username and password |
| [Concur](https://travel.gsa.gov) | To book travel. Learn more in [Travel 101]({% page "/travel-101/" %}). | ENT username and password |
| [Employee Express](#employee-express) | To view your paystub, change your direct deposit, update your tax withholdings, or change your address | Employee Express username and password |
| [HR Links](#hr-links) | To request/document leave and access your personnel file online | ENT on GSA Wireless or VPN |
| [HR Links](#hr-links) | To request/document leave and access your personnel file online | ENT on GSA Wireless |
| [IT Service Desk](#it-service-desk) | General IT questions about Employee Express and other passwords (Note: They may not support requests for Macs, but will support requests for GSA websites) | ENT username and password |
| [Self Service](#self-service) | Used to install desktop software on Macs | ENT username and password |
| [Online University (OLU)]({% page "/olu/" %}) | To take mandatory trainings for federal employees | ENT username and password |
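Review bot: Changing the HR Links access cell from "ENT on GSA Wireless or VPN" to "ENT on GSA Wireless" now reads as if only on-site wireless works, which contradicts the intro paragraph in this same file that says remote staff connect from "the GSA network". If HR Links is reachable over any GSA network path, use the same wording, `ENT on GSA network`; if it truly is wireless-only now, the remote-work guidance in the intro needs to say so.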
@@ -92,10 +92,6 @@ bereavement, and more) as well as access your personnel file (your salary, your
GS level, your supervisor, your past performance rating(s), and information
about health insurance plan).

You must
[be on the VPN](https://docs.google.com/document/d/1nBNXt6Ov4KWmpz6y9rgKw93mxZucVsoYC4PFABTeIA4/edit#heading=h.bbs2uvvcjvcg)
to connect to HR Links, if you're working remotely.

## IT Service Desk

_Also known as the GSA IT Help Desk or Service Now._
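Review bot: Deleting the "You must be on the VPN to connect to HR Links, if you're working remotely" paragraph (and its link to the VPN instructions) removes the only remote-access guidance in this section without replacing it. If the requirement changed (for example, HR Links is now reachable from the GSA network without a VPN client), say that in one sentence here; if it did not change, update the wording rather than removing the paragraph, otherwise remote employees lose the pointer entirely.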