The ATO checklist helps you track progress towards a successful launch throughout your project. It is a formatted issue on GitHub, and is the canonical source of information for your path to launch.
To start the security clearance process, create an issue in the Infrastructure repository using this template as the body. Make sure to replace the placeholders (the things in [square brackets]). Feel free to add a username after each task to assign it, and/or make corresponding items in your issue tracker. Unless otherwise specified, all tasks are the responsibility of the project team.
The tasks are in suggested order of priority, though they can often be done in parallel. Note that all of the prerequisite tasks need to be completed before your project will be scheduled for a sprint.
Make sure to:
- Mention the @18F/ato team in any issues or pull requests.
- Leave a comment in the ATO issue when the `Project team` section of the checklist is complete and ready for review.
You are welcome to ask any questions as comments in the issue or #infrastructure.
- Main repository: [url]
- Site: [url]
- Product manager: @[username]
- System Owner: @[username of technical point of contact who will be the project representative in the Sprint]
- Infrastructure Lead: @[username]
- ATO folder: [url]
- Sprint notes: [url]
If your system isn’t live yet, “production” refers to the environment that will be production.
Phase 1: ATO Sprint prerequisites
Everything in this section needs to be completed before the project will be scheduled for an ATO Sprint.
- Set up an ATO intro meeting with the project team.
- Determine the impact level.
- Confirm with @[Authorizing Official]
- Add this issue to the `Backlog` of the ATO Kanban board.
- Assign the appropriate labels to this issue.
- Set up the project ATO folder.
- In the `ATOs` folder in Google Drive, go to `Work in progress`, and create a subfolder named in the format `<project> ATO - <duration> <level>`. Link to it as the `ATO folder` at the top of this issue.
- Add Rules of Engagement (RoE) template
- Add System Security Plan (SSP) template
- For Low systems on cloud.gov, use this template
- For a 90-day ATO, delete Section 13.
- In the
- Make a copy of the ATO Sprinting notes template and save it in the Sprinting Team folder with a title of `ATO Sprinting Team notes - <project>`.
- Fill out the placeholders.
- Link to it as the `Sprint notes` at the top of this issue.
These tasks apply to every repository/application/hostname/language that is directly involved in your project.
- Enable protected branches for the project repository.
- Get help via #admins-github, if needed.
- Ensure that your production environment is fully set up, and matches what’s described in your ATO materials.
- Set up monitoring
- Log required events
- Perform security scans, and put the results (or a link to them) in the project’s
- Set up dependency analysis service
- Add service badge to your README
- Put a point-in-time PDF of the scan results in the project’s
- Set up static code analysis
- If using a service, add the badge to your README.
- Perform dynamic vulnerability scanning
- Resolve any visible security issues, re-running the scan as needed
- Add the issue-free scan report or documentation about false positives to the project’s ATO folder.
- If this is a new system, add a prominent `Beta` label to the site.
- Ensure the production environment has sufficient capacity to withstand the testing.
- The testing tools create very heavy usage and traffic.
…reading and writing.
- Read the Overview and the ATO section (including sub-pages) of Before You Ship.
- Read the LATO guide.
- Search this page for “Lightweight Security Authorization Guide”.
- Request a privacy threshold analysis (PTA)
- Fill out the Rules of Engagement (RoE)
- Update relevant documentation, primarily the README.
- Fill out the System Security Plan (SSP).
Phase 2: Documentation review
- Move this issue to the `Documentation review` column of the ATO Kanban board. - @[infrastructure lead]
- Schedule a documentation review session. - @[infrastructure lead]
- One or more follow-up sessions may be necessary.
- Fix any documentation issues identified in the session.
- RoE signed
- System Owner
- GSA IT
- Confirm you can access Archer
Phase 3: ATO Sprint
- Sprint started.
- Polish up the System Security Plan (SSP).
- Penetration test complete. - @[tester]
- Enhanced Scanning and Assessment Process (ESAP) document added to ATO folder - @[tester]
- Put all vulnerabilities from the ESAP in the project’s issue tracker.
- Fix any `High` vulnerabilities from the ESAP.
- This needs to be done before the ATO can be issued, though not necessarily before the end of the sprint.
Phase 4: Post-Sprint
- Controls tested - @[GSA IT representative]
- Create a Plan of Actions and Milestones (POAM). - @[GSA IT representative]
- Final review and risk acceptance signatures (issue the ATO) - @[Authorizing Official]
- Remove the `Beta` label from the site.
- Fix all `Moderate` vulnerabilities - due [30 days after ATO issued]
- Fix all `Low` vulnerabilities - due [60 days after ATO issued]
- Join the TTS Private Bug Bounty - due [60 days after ATO issued]
- Move to the TTS Public Bug Bounty - ask #bug-bounty - due [two weeks after start] or two weeks after the last critical/high report was triaged, whichever comes last
See the Before You Ship site for more information.