Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub ATO and Open Source Development in a Federal Development Environment #100

Open
jlaura opened this issue Feb 27, 2022 · 1 comment

Comments

@jlaura
Copy link

jlaura commented Feb 27, 2022

Not sure if this is the best place to ask, and please feel free to reply directly ([email protected]) if preferred.

I am working on team getting an ATO in place for using GitHub and am wondering how you all have structured your security guidelines to support open development on GitHub. For example, what, if any controls are in place to handle the need to maintain security and administrative reviews on repositories that are public or going to be made public? Do you maintain a prescriptive development workflow to enforce any policy requirements? Do you use some combination of policy and technical solution to ensure that repositories remain free from PII?

Thanks for any information you might be able to provide!

@brittag
Copy link

brittag commented Mar 17, 2023

@jlaura Hello from a year in the future! I figure this info is probably no longer helpful to you, but maybe it'll be helpful to somebody else stumbling on this issue.

I no longer work for 18F/TTS, but I previously worked on a project there. Robust, specific, well-maintained documentation was a big part of our argument for why our Authorizing Officials should allow us to do public open source development. Here are some components:

  • Configuration management policy, including a specific change workflow - it's a relatively standard pull request workflow, just carefully described.
  • Secret key management policy
  • Sensitive information policy - including a requirement to install an equivalent to git-secrets and specific details about incident response for accidental secret leaks.
  • cloud.gov AC-22 training (not public, but you could probably get a copy by doing a FOIA request, or maybe by just emailing the team). In addition to the typical contingency plan & incident response trainings required for all members of the team, we developed a custom mandatory training on managing public and private information, covering the policies listed above and encouraging discussion & questions. New members had to receive the training within a certain number of days of joining the team, and everyone had to get it at least annually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants