Guidance for getting ATO with cloud.gov (16) #63

Closed
mogul opened this issue Jul 14, 2016 · 7 comments
Assignees
Labels
business Business development, bizops, agreements, and other business unit issues compliance Compliance, security, and accessibility issues epic Things bigger than a sprint and (ideally) smaller than a quarter. Breaks into stories.

Comments

@mogul
Contributor

mogul commented Jul 14, 2016

No description provided.

@mogul mogul added this to the FedRAMP JAB P-ATO Deadline milestone Jul 14, 2016
@mogul mogul added compliance Compliance, security, and accessibility issues business Business development, bizops, agreements, and other business unit issues Epic labels Jul 14, 2016
@mogul mogul added PI7 and removed Epic labels Jul 14, 2016
@mogul mogul modified the milestones: FedRAMP JAB P-ATO Deadline, PI7 (up next) Jul 15, 2016
@brittag

brittag commented Jul 15, 2016

Improving or rethinking the 18F Before You Ship guide is part of this, since that guide needs to line up with these docs and be easy to follow for 18F staff.

We need to think about whether some of the existing content in that guide should be "owned"/maintained as part of the cloud.gov docs.

Multiple issues at https://github.com/18F/before-you-ship/issues would be relevant here. :D

@thisisdano
Contributor

Perhaps eventually this will be tightly integrated into the onboarding of new users/projects and automated/facilitated through a dashboard interface.

At the most basic level, it's introducing the idea of ATO and the steps required to ATO (and a link to the Before You Ship docs) from Space creation (the establishment of the container for the provisional security boundary) or maybe at the more general onboarding stage. And, as Britta says, possibly integrating some variation of the BYS documentation into the CG docs. (And surfacing these docs at the right time...)

Beyond this, greater ATO process integration with the CG platform could afford even more speed and efficiency. At a more complex level, the dashboard could actively guide project stakeholders through the ATO process (and expose more necessary parties to the ATO requirements). To start, setting up and associating preliminary categorization and FISMA levels/baseline — based on simple Qs about project specs — when creating a new space, and automatically using these project specs to generate lists of necessary controls. Later, using the dashboard to modify compliance masonry — without editing YAML — giving a clear path to fulfilling all necessary controls and a common display of progress toward compliance. Automated testing could be performed to demonstrate the controls are implemented, and continuously implemented through the life of the project — accessible through the common gateway of the dashboard. Once implemented and tested, the documentation and testing data could be exposed to the Authorizing Official.

Clearly, this is all sketchy, down the road, and beyond the scope of this feature — but the intention to move in this direction can influence the way we analyze the existing flow/checklist/docs/pathway (with an eye toward display and automation), and the kind of hypotheses we attempt to validate with our customers. Is this automation and integration something our customers want? Something we want? Would it make the process easier? Would it help from the AO side? We should learn more as we learn how to communicate existing ATO guidance to them.

@thisisdano
Contributor

So, I'd also be interested in making a graphic representation of the steps to ATO, with the ways that cloud.gov handles some of those steps (takes care of them altogether or makes them easier) — how any project on cloud.gov can take an idea and go from........ 🎉 A TO ATO. 🎉

@afeld
Contributor

afeld commented Jul 17, 2016

I'd also be interested in making a graphic representation of the steps to ATO

18F/before-you-ship#41

@dlapiduz dlapiduz self-assigned this Jul 18, 2016
@afeld afeld self-assigned this Jul 18, 2016
@berndverst berndverst self-assigned this Jul 18, 2016
@jbarnicle jbarnicle self-assigned this Jul 18, 2016
@mogul mogul modified the milestones: PI9, PI7 (up next) Dec 22, 2016
@mogul mogul removed the Epic label Feb 2, 2017
@brittag

brittag commented Mar 24, 2017

Tracking "User-centered customer responsibility matrix for GSA needs" at https://favro.com/card/1e11108a2da81e3bd7153a7a/18F-3954

@brittag brittag closed this as completed Mar 24, 2017
@brittag brittag reopened this Mar 24, 2017
@brittag brittag closed this as completed Mar 24, 2017
@brittag brittag reopened this Mar 24, 2017
@mogul
Contributor Author

mogul commented Mar 24, 2017

Speaking of graphic representation (249 days later): See this discussion in Slack.

@mogul mogul added BV: 7 and removed TS: 8 labels Jun 2, 2017
@mogul mogul removed BV: 7 labels Jun 23, 2017
@brittag

brittag commented Jul 10, 2017

BU perspective:

How do we know this is successful:

  • When we talk to prospective customers and give them this website link (or they come to us having read this link), we hear confidence in cloud.gov. (Prospective customer has specific information on how cloud.gov will make their compliance process much faster.)
  • Current customers tell us that the compliance information meets their needs, both at GSA and at least one other agency.
  • Easy to find this information from the cloud.gov website for both prospective and current customers.

More info (rough draft):

Detailed components of success:

  • A prospective customer has access to a high level description of getting an ATO on cloud.gov that gives them confidence in how cloud.gov helps them and makes it easier than usual and faster than usual.
  • A current customer who is ready to start thinking about ATO has access to a practical list of the high level steps that they'll need to take.
  • Both prospective and current customers who want to dig into this have access to a worked example of a typical (ideally real) customer journey through assembling their ATO materials (and a bit about the ATO process).
  • People in auditing and assessing roles (including Org Managers) need information that helps them correctly and confidently audit cloud.gov customer apps.

Additional components for a successful experience for the above:

Potential examples of implementation:

  • One public document that lists the steps you must take to get an ATO with cloud.gov within GSA, including a checklist.
  • Another public document with these steps for customers outside GSA (including a checklist) - likely less detailed.
  • Training for assessors.

@mogul mogul changed the title Guidance for getting ATO with cloud.gov Guidance for getting ATO with cloud.gov (16) Sep 29, 2017
@mogul mogul added Navigator and removed Customer labels Jan 17, 2018
@mogul mogul removed this from the PI9 milestone Jul 7, 2019
@mogul mogul added the epic Things bigger than a sprint and (ideally) smaller than a quarter. Breaks into stories. label Jul 8, 2019