From 548b76348c09a07ccba00cbd73d5b97f7d20712c Mon Sep 17 00:00:00 2001 From: John Jediny Date: Tue, 12 Mar 2024 09:14:39 -0400 Subject: [PATCH] minor edits --- .../tech-policies/gsa-pages.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pages/general-information-and-resources/tech-policies/gsa-pages.md b/pages/general-information-and-resources/tech-policies/gsa-pages.md index 2f171a47f..1299971dd 100644 --- a/pages/general-information-and-resources/tech-policies/gsa-pages.md +++ b/pages/general-information-and-resources/tech-policies/gsa-pages.md @@ -10,13 +10,12 @@ redirect_from: >This guide is for **GSA Employees** operating a GSA Website using [Cloud.gov Pages](https://pages.cloud.gov). -"GSA Pages" is **GSA's internal "System"** with an Authority to Operate (ATO) of [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a Web Presence for your projects/programs. +"GSA Pages" is a **GSA only Authority to Operate (ATO)** of [Cloud.gov's FEDRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of their [Cloud.gov Pages](https://pages.cloud.gov) service. As such, it adds the Security Controls around the Source Code and Contents for the Website (e.g. Github). It provides **GSA employees** with a fast and secure approach to getting a Web Presence for your projects/programs. >Follow this link for more information about [Cloud.gov Pages](tools/pages) ## Launching a [Cloud.gov Pages](http://pages.cloud.gov) Website at GSA - - Identify a Federal GSA Employee as the **GSA Website Manager** > Note: **GSA Website Manager** is defined here [GSA's Digital.gov Program](https://digital.gov/2023/03/24/who-is-your-website-manager/) 
@@ -30,11 +29,11 @@ redirect_from: - Submit a Pull Request to add your Repository to our Github Configuration Scanner to [GSA](https://github.com/GSA/.allstar/blob/main/allstar.yaml) or [GSA-TTS](https://github.com/GSA-TTS/.allstar/blob/main/allstar.yaml) - Create a [`SECURITY.md` file](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository) - [Example](https://github.com/GSA-TTS/.allstar/blob/main/SECURITY.md) - Follow GSA's [Digital Lifecycle Program](https://insite.gsa.gov/employee-resources/communications/websites/strategy-policy-and-standards/digital-lifecycle-program?term=DLP) for the Website -- Confirm your Website is listed on https://touchpoints.digital.gov +- Confirm your Website is listed on [https://touchpoints.digital.gov](https://touchpoints.digital.gov) - if not Submit a [new website request](https://touchpoints.app.cloud.gov/admin/websites/new) ## Authority to Use (ATU) Review -Submit an [Authority to Use (ATU) Request](https://github.com/GSA-TTS/gsa-pages/issues/new?) +Submit an [Authority to Use (ATU) Request](https://github.com/GSA-TTS/gsa-pages/issues/new/choose) - Resolve any Critical or High security findings from Security Scanners @@ -43,7 +42,7 @@ Once the ATU review is completed the **GSA Website Manager** will be sent an ATU ## Maintaining Approved Sites Sites hosted on GSA Pages are required to have their URLs scanned in accordance with CIO-IT Security-06-30: Managing Enterprise Cybersecurity Risk and GSA’s parameter for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, control RA-5, Vulnerability Scanning. ->This is performed after the ATU request is submitted +>This is performed after the ATU request is submitted, reviewed, and signed. ## Reassessment A Site’s ATU will have to be reassessed and an ATU reissued if the Site is found `NOT` to be in conformity with the requirements. 
@@ -59,7 +58,7 @@ Conditions/events that may require a reassessment of the ATU include: **GSA Website Manager** will be notified, the following steps are only in the event that the **GSA Website Manager** is none responsive. ## Failure to Maintain Site - Site Removal -Sites that fail to maintain the ATU requirements will be issued a formal notice. The GSA Pages team may take steps to disable the site or remediate the vulnerabilities. ATU **GSA Website Manager** who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies. +Sites that fail to maintain the ATU requirements will be issued a formal notice. The GSA Pages team may take steps to disable the site or remediate the vulnerabilities. **GSA Website Manager** who hit certain triggers of overdue POA&Ms and/or failure to maintain alignment to ATU requirements will be required to provide a **Corrective Action Plan (CAP)** detailing the steps that will be taken to address the deficiencies. The CAP must be approved by the **GSA Website Manager**, System Owner, ISSM, and IST Director. Sites or **GSA Website Managers** who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below: - **Detailed Finding Review (DFR)** - **GSA Website Managers** will be issued a DFR upon failing to address a deficiency within the site or alignment with the ATU requirements. 
@@ -78,8 +77,12 @@ The **GSA Website Manager** CAP must be approved by the GSA Pages system owner, - A Site Removal letter will be issued indicating that the site is no longer authorized to operate. ## Incident Response +> In the event of a security incident + Follow [TTS Incident Response Plan](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/security-incidents/) ## Contingency Plan +> In the event of an outage + 1. Sign up for [Cloud.gov Pages Status](https://cloudgov.statuspage.io/) notifications 1. Follow [Cloud.gov Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/) \ No newline at end of file
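Review bot: In the @@ -10,13 +10,12 @@ hunk the rewritten sentence makes "GSA Pages" itself an authorization ("is a **GSA only Authority to Operate (ATO)** of Cloud.gov's FEDRAMP Authorization"), which loses the distinction the removed line kept between the system and the authorization it inherits from. Suggest keeping the system framing and fixing the proper noun, e.g. `"GSA Pages" is a **GSA-only system** whose Authority to Operate (ATO) inherits from [Cloud.gov's FedRAMP Authorization](https://marketplace.fedramp.gov/products/F1607067912) of the [Cloud.gov Pages](https://pages.cloud.gov) service.` The same sentence still says "e.g. Github"; "GitHub" is the correct spelling and would be worth fixing while this line is being touched.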
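Review bot: In the @@ -30,11 +29,11 @@ hunk the new `issues/new/choose` link only offers an ATU request form if the GSA-TTS/gsa-pages repository has an issue template for it; otherwise GitHub falls back to a blank issue and the reader has no guidance on what the request must contain. Please confirm the template exists, or link it directly with its `?template=` parameter. The "Resolve any Critical or High security findings from Security Scanners" bullet under the ATU heading should also name which scanners it means; the only scanner named in the checklist is the allstar repository configuration scanner, and the @@ -43,7 +42,7 @@ change in the same patch now says RA-5 URL scanning happens only after the ATU "is submitted, reviewed, and signed", so a reader cannot tell which findings block issuance versus which are tracked post-approval.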
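Review bot: In the @@ -59,7 +58,7 @@ hunk dropping the stray "ATU" is right, but the sentence still has a number-agreement error: "**GSA Website Manager** who hit certain triggers ... will be required" should read "**GSA Website Managers** who hit certain triggers" to match "Sites or **GSA Website Managers** who fail to respond" in the next sentence. The unchanged context line above it has "is none responsive", which should be "is non-responsive"; since this paragraph is already being edited, that typo is worth fixing in the same patch. The paragraph also says the CAP "must be approved by the **GSA Website Manager**, System Owner, ISSM, and IST Director", while the later context line says "The **GSA Website Manager** CAP must be approved by the GSA Pages system owner, ..."; having the Website Manager approve their own corrective plan looks like an error in the approver list and should be reconciled with the later sentence.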
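Review bot: In the @@ -78,8 +77,12 @@ hunk the two added blockquotes (`> In the event of a security incident` and `> In the event of an outage`) are sentence fragments with no punctuation, and rendering them as quotes separates the condition from the instruction it introduces. Suggest folding each into the first instruction instead: "In the event of a security incident, follow the [TTS Incident Response Plan](...)" and "In the event of an outage: 1. Sign up for ...". The file still ends with `\ No newline at end of file`; adding the trailing newline here avoids a spurious diff on the next edit.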