diff --git a/README.md b/README.md index 97c539b66..d5830da2e 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,10 @@ - # cloud.gov -This site uses the [cloud.gov Pages USWDS Jekyll template](https://github.com/cloud-gov/pages-uswds-jekyll). [cloud.gov Pages](https://cloud.gov/pages/) runs on cloud.gov and supports the development of this template. By leveraging this template cloud.gov get the benefits of a maintained template as well as a way to test out new functionality in the template. +This site uses the [cloud.gov Pages USWDS Jekyll template](https://github.com/cloud-gov/pages-uswds-jekyll). [cloud.gov Pages](https://cloud.gov/pages/) runs on cloud.gov and supports the development of this template. By leveraging this template cloud.gov get the benefits of a maintained template as well as a way to test out new functionality in the template. This [Jekyll theme](https://jekyllrb.com/docs/themes/) uses the [U.S. Web Design System v 2.0](https://v2.designsystem.digital.gov) and provides developers a starter kit and reference implementation for cloud.gov Pages websites. -This code uses the [Jekyll](https://jekyllrb.com) site engine and built with Ruby. If you prefer to use Javascript, check out [pages-uswds-gatsby](https://github.com/cloud-gov/pages-uswds-gatsby), which uses [Gatsby](https://gatsbyjs.org) site engine. +This code uses the [Jekyll](https://jekyllrb.com) site engine and built with Ruby. If you prefer to use Javascript, check out [pages-uswds-gatsby](https://github.com/cloud-gov/pages-uswds-gatsby), which uses [Gatsby](https://gatsbyjs.com) site engine. This site uses a customized [U.S. Web Design System](https://v2.designsystem.digital.gov) theme and strives to be compliant with requirements set by [21st Century IDEA Act](https://designsystem.digital.gov/website-standards/). The standards require that a website or digital service: 
@@ -19,13 +18,14 @@ This site uses a customized [U.S. Web Design System](https://v2.designsystem.dig - is mobile-friendly. ## Key Functionality + This repository contains the following examples and functionality: -✅ Publish blog posts, press releases, announcements, etc. To modify this code, check out `blog/index.html`, which manages how the posts are listed. You should then check out `_layouts/post.html` to see how individual posts are structured. +✅ Publish blog posts, press releases, announcements, etc. To modify this code, check out `blog/index.html`, which manages how the posts are listed. You should then check out `_layouts/post.html` to see how individual posts are structured. ✅ Publish single one-off pages. Instead of creating lots of folders throughout the root directory, you should put single pages in `_pages` folder and change the `permalink` at the top of each page. Use sub-folders only when you really need to. -✅ Publish data (for example: job listings, links, references), you can use the template `_layouts/data.html`. Just create a file in you `_pages` folder with the following options: +✅ Publish data (for example: job listings, links, references), you can use the template `_layouts/data.html`. Just create a file in you `_pages` folder with the following options: ``` --- @@ -38,7 +38,7 @@ datafile: collections The reference to `datafile` referers to the name of the file in `_data/collections.yml` and loops through the values. Feel free to modify this as needed. -✅ There are two different kinds of `pages`, one does not have a side bar navigation, and the other uses `_includes/sidenav.html`. You can enable this option by adding `sidenav: true` to your page front matter. +✅ There are two different kinds of `pages`, one does not have a side bar navigation, and the other uses `_includes/sidenav.html`. You can enable this option by adding `sidenav: true` to your page front matter. ``` --- 
@@ -62,7 +62,8 @@ searchgov: ``` ## How to edit cloud.gov content -- Non-developers should focus on editing markdown content in the `_posts`, `_docs`, and `_pages` folder. Generally most of the cloud.gov content will be in the _docs file. + +- Non-developers should focus on editing markdown content in the `_posts`, `_docs`, and `_pages` folder. Generally most of the cloud.gov content will be in the \_docs file. - Pricing updates can go directly into `_data/pricing.yml` file and if any of the aws services need to be updated that can occur in the `_data/services.yml` file. @@ -75,9 +76,10 @@ searchgov: - To edit the look and feel of the site, you need to edit files in `_includes/` folder, which render key components, like the menu, side navigation, and logos. - Some pages are styled to be `.html` rather than markdown you can find these in the `_layouts` folder. - - The `homepage` can be editted more directly by manipulating the `.html` in `home.html` - - The `pricing` page is mostly edited with the `pricing.html` - - The `getting-started` page is in the `_pages/sign-up.md` folder. + + - The `homepage` can be editted more directly by manipulating the `.html` in `home.html` + - The `pricing` page is mostly edited with the `pricing.html` + - The `getting-started` page is in the `_pages/sign-up.md` folder. - `_layouts/` may require the least amount of editing of all the files since they are primarily responsible for printing the content. diff --git a/_docs/compliance/compliance-community.md b/_docs/compliance/compliance-community.md index d14e76a1e..080dc0273 100644 --- a/_docs/compliance/compliance-community.md +++ b/_docs/compliance/compliance-community.md 
@@ -3,16 +3,15 @@ parent: compliance layout: docs sidenav: true title: Compliance community -summary: cloud.gov supports an email listserv for FedRAMP compliance practitioners +summary: cloud.gov supports an email listserv for FedRAMP compliance practitioners weight: 50 --- - ## Cloud.gov and the compliance community Part of the mission of cloud.gov is to improve cloud adoption across the U.S. government, irrespective of vendor. In that vein, we support the FedRAMP®️ Compliance Practitioner Community of Practice, an email listserv supported by GSA's [Digital.gov](https://digital.gov/). -The goal of the community is to bring together people working on FedRAMP compliance to address common questions and concerns. We strive to maintain an inclusive, professional community that engages in on-topic discussions. The community is not associated with the FedRAMP Program Management Office. +The goal of the community is to bring together people working on FedRAMP compliance to address common questions and concerns. We strive to maintain an inclusive, professional community that engages in on-topic discussions. The community is not associated with the FedRAMP Program Management Office. By voluntarily participating in this community, you are agreeing to abide by these guidelines and the [TTS code of conduct](https://handbook.tts.gsa.gov/about-us/code-of-conduct/). If you do not agree, email us at [community@cloud.gov](mailto:community@cloud.gov), and we will unsubscribe you from the LISTSERV mailing list. @@ -20,9 +19,9 @@ When GSA becomes aware of alleged violations of the guidelines or code of conduc Courses of action include: -* taking no action, -* sending a reminder for infractions, and -* issuing a first or second notice for violations. +- taking no action, +- sending a reminder for infractions, and +- issuing a first or second notice for violations. Severe or repeated violations may result in temporary or permanent removal from the community. 
@@ -32,9 +31,9 @@ Email us at [community@cloud.gov](mailto:community@cloud.gov) to report an alleg The community is open to: -* compliance staff at CSPs listed in the [FedRAMP Marketplace](https://marketplace.fedramp.gov) as authorized or in-process -* compliance staff at CSPs pursuing authorization per their public statements (website, pdf) -* contracted staff dedicated to supporting FedRAMP authorization for client CSPs +- compliance staff at CSPs listed in the [FedRAMP Marketplace](https://marketplace.fedramp.gov) as authorized or in-process +- compliance staff at CSPs pursuing authorization per their public statements (website, pdf) +- contracted staff dedicated to supporting FedRAMP authorization for client CSPs The cloud.gov compliance team will approve memberships based on eligibility evidence. 
@@ -42,13 +41,13 @@ The cloud.gov compliance team will approve memberships based on eligibility evid Send an email to [community@cloud.gov](mailto:community@cloud.gov) providing: -* Your name and role -* CSP name and FedRAMP status -* Statement of interest (required if your CSP is not on the marketplace) +- Your name and role +- CSP name and FedRAMP status +- Statement of interest (required if your CSP is not on the marketplace) ## Your communications are not private -As a federal agency, GSA is subject to records access requests such as the Freedom of Information Act (FOIA). We must comply with requests for records made under FOIA. All communications made on the mailing lists are subject to release under FOIA, or potentially compromised by an adversary. We are not in a position to background check participants beyond a cursory CSP domain validation. +As a federal agency, GSA is subject to records access requests such as the Freedom of Information Act (FOIA). We must comply with requests for records made under FOIA. All communications made on the mailing lists are subject to release under FOIA, or potentially compromised by an adversary. We are not in a position to background check participants beyond a cursory CSP domain validation. ## Follow the ground rules 
@@ -58,35 +57,34 @@ When dealing with sensitive topics or during disagreements, written statements c Words matter. Choose words that create a safe, inclusive, respectful, and welcoming environment. Take a look at the following resources on inclusive language for additional information. -* [Inclusive language guidelines](https://www.apa.org/about/apa/equity-diversity-inclusion/language-guidelines) - American Psychological Association -* [Inclusive language](https://content-guide.18f.gov/our-style/inclusive-language/) - 18F Content Guide -* [Preferred terms for select population groups and communities](https://www.cdc.gov/healthcommunication/Preferred_Terms.html) - Centers for Disease Control and Prevention. - +- [Inclusive language guidelines](https://www.apa.org/about/apa/equity-diversity-inclusion/language-guidelines) - American Psychological Association +- [Inclusive language](https://content-guide.18f.gov/our-style/inclusive-language/) - 18F Content Guide +- [Preferred terms for select population groups and communities](https://www.cdc.gov/health-communication/php/toolkit/preferred-terms.html) - Centers for Disease Control and Prevention. ### When participating in the community, community members must follow the ground rules for discussions -| Preferred behavior | Discouraged behavior | -| ------------------ | -------------------- | -| Understand that you are participating in a professional community. | Don’t conduct yourself in a way that’s unbecoming of your organization. | -| Respect your colleagues. Always assume the best of others. | Don’t make personal attacks. | -| Be patient. Understand that community members have various experience levels.| Don’t be condescending or talk down to other people. | -| Listen carefully and actively. Listen as much as you speak. | Don’t disrupt meetings, talks, or discussions, including mailing lists and chats. | -| Review your message before pressing send. | Don’t use inappropriate language, images, or emojis. 
Don’t reply-all if your message may clutter other members’ inboxes. | -| Share your objective experiences with tools or techniques| Don't endorse products or services or appear to recommend them in your professional capacity. | -| Keep the conversation relevant and stay on point. Start a new thread if needed. Give others the time and space to participate. | Don’t dominate conversations. Don’t interrupt or talk over other people. | -| Respect members’ real, lived experiences. Recognize that people face systemic discrimination in a multitude of ways. | Don’t belittle others to make your point. | -| Take legal questions to your organizations’s lawyers. | Don’t seek legal advice from the community. Don’t take conversations or shared experiences as interpretations of federal laws and policies. | +| Preferred behavior | Discouraged behavior | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Understand that you are participating in a professional community. | Don’t conduct yourself in a way that’s unbecoming of your organization. | +| Respect your colleagues. Always assume the best of others. | Don’t make personal attacks. | +| Be patient. Understand that community members have various experience levels. | Don’t be condescending or talk down to other people. | +| Listen carefully and actively. Listen as much as you speak. | Don’t disrupt meetings, talks, or discussions, including mailing lists and chats. | +| Review your message before pressing send. | Don’t use inappropriate language, images, or emojis. Don’t reply-all if your message may clutter other members’ inboxes. 
| +| Share your objective experiences with tools or techniques | Don't endorse products or services or appear to recommend them in your professional capacity. | +| Keep the conversation relevant and stay on point. Start a new thread if needed. Give others the time and space to participate. | Don’t dominate conversations. Don’t interrupt or talk over other people. | +| Respect members’ real, lived experiences. Recognize that people face systemic discrimination in a multitude of ways. | Don’t belittle others to make your point. | +| Take legal questions to your organizations’s lawyers. | Don’t seek legal advice from the community. Don’t take conversations or shared experiences as interpretations of federal laws and policies. | | Treat other people's identities and cultures with respect. Spell and say their name correctly and use their [pronouns](https://digital.gov/resources/an-introduction-to-pronouns/). | Don’t make derogatory comments on race, color, sex, sexual orientation, gender identity, religion, national origin, age, disability, genetic information, marital status, parental status, political affiliation, or appearance. | -| Ensure the community is free from harassment, including sexual harassment and sexual misconduct. | Don’t harass anyone. This includes, but is not limited to, retaliating against anyone who files a complaint. | -| Remember that everything you write on the mailing list is a federal record and subject to release under FOIA. | Don’t assume your communications are private. | -| Use plain language. | Don’t use confusing or overly technical language. | - +| Ensure the community is free from harassment, including sexual harassment and sexual misconduct. | Don’t harass anyone. This includes, but is not limited to, retaliating against anyone who files a complaint. | +| Remember that everything you write on the mailing list is a federal record and subject to release under FOIA. | Don’t assume your communications are private. | +| Use plain language. 
| Don’t use confusing or overly technical language. | ## Manage your mailing list subscription Email us at [community@cloud.gov](mailto:community@cloud.gov) and we’ll help you manage your LISTSERV subscription. The most common requests are to: -* receive a daily digest (instead of each individual message), -* access the mailing list archive, and -* unsubscribe. + +- receive a daily digest (instead of each individual message), +- access the mailing list archive, and +- unsubscribe. When you email us, please include the name of the community and what you’d like to update. diff --git a/_docs/compliance/domain-standards.md b/_docs/compliance/domain-standards.md index f5f8a80bb..84d4d4ebd 100644 --- a/_docs/compliance/domain-standards.md +++ b/_docs/compliance/domain-standards.md 
@@ -27,7 +27,7 @@ You are responsible for setting up HSTS preloading for your [custom domain]({{ s The SSL/TLS implementation depends on how your client is reaching cloud.gov, which is either through an AWS load balancer, or through the CDN service based on Amazon CloudFront. -* [AWS load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls13-security-policies) implement the `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` SSL/TLS policy. +* [AWS load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#fips-security-policies) implement the `ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04` SSL/TLS policy. This policy leverages the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the NIST Cryptographic Module Validation Program site. * [Amazon CloudFront distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) implement the `TLSv1.2_2018` policy. Our TLS implementation and cipher suites are consistent with [White House Office of Management and Budget's M-15-13](https://https.cio.gov/), the Department of Homeland Security's [Binding Operational Directive 18-01](https://cyber.dhs.gov/bod/18-01/), and [NIST's 800-52r2 Guidelines for TLS Implementations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf). 
@@ -46,11 +46,11 @@ TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D) These are false positives. At cloud.gov we leverage TLS implementations from Amazon Web Services, which use [s2n-tls](https://github.com/aws/s2n-tls) to inject random timing variations [to mitigate CBC attacks like LUCKY13](https://aws.amazon.com/blogs/security/s2n-and-lucky-13/). Further, these ciphersuites are still acceptable per [NIST 800-52r2, Appendix D](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf#%5B%7B%22num%22%3A174%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C70%2C719%2C0%5D). While the CBC cipher modes of operation are being phased out (they are theoretically subject to padding oracle attacks), we support them so we can serve members of the public who are unable to adopt newer technology. -**TLS 1.3**: TLS 1.3 has been implemented with `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` security policies on our load balancers. All new Cloudfront domains are created with the `TLSv1.2_2018` security policy, which supports TLS 1.3. The TLS versions supported by other AWS service endpoints, like S3, are controlled by AWS itself. +**TLS 1.3**: TLS 1.3 has been implemented with `ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04` security policies on our load balancers. All new Cloudfront domains are created with the `TLSv1.2_2018` security policy, which supports TLS 1.3. The TLS versions supported by other AWS service endpoints, like S3, are controlled by AWS itself. **Cipher suite names**: The AWS documentation uses the OpenSSL cipher names which are different from IANA/RFC cipher names returned by scanners. For example, `ECDHE-RSA-AES128-SHA256` on the documentation page will be called `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` by scanners and other tools. -**Cipher suite count**: The `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` has 15 ciphers, but your scanner may only show 11 results. 
That's because our certificates are signed with RSA keys, not Elliptic Curve (ECDSA) keys, so those cipher suites are not in use. In June, 2023, a switch to ECDSA caused an [outage for a significant percentage of cloud.gov users](https://cloudgov.statuspage.io/incidents/vz9t74zm7zw8), so we will support RSA for the foreseeable future. +**Cipher suite count**: The `ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04` has 10 ciphers, but your scanner may only show 6 results. That's because our certificates are signed with RSA keys, not Elliptic Curve (ECDSA) keys, so those cipher suites are not in use. In June, 2023, a switch to ECDSA caused an [outage for a significant percentage of cloud.gov users](https://cloudgov.statuspage.io/incidents/vz9t74zm7zw8), so we will support RSA for the foreseeable future. ## Compression and BREACH (CVE-2013-3587)
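Review bot: In the README hunk at `@@ -1,11 +1,10 @@`, the two re-emitted paragraphs change only whitespace and the Gatsby URL, but they carry the grammatical errors "cloud.gov get the benefits" (should be "gets") and "site engine and built with Ruby" (should be "and is built with Ruby"); since the lines are already being rewritten, fix the wording in the same change rather than re-touching them later.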
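Review bot: In the README hunk at `@@ -19,13 +18,14 @@`, the re-emitted line "Just create a file in you `_pages` folder" keeps the typo "you" for "your"; correct it here, as the line is otherwise unchanged and this is the only opportunity the diff gives.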
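Review bot: In the README hunk at `@@ -62,7 +62,8 @@`, `_docs` has become `\_docs` (a formatter escaping the underscore), which now renders inconsistently with the backticked `_posts`, `_docs`, and `_pages` names earlier in the same sentence; write it as `` `_docs` `` and, since it is a directory, say "the `_docs` folder" rather than "the _docs file".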
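Review bot: In the README hunk at `@@ -75,9 +76,10 @@`, the re-indented sub-bullets keep "editted" (should be "edited") and describe `_pages/sign-up.md` as a "folder" although it is a file; fix both while the lines are being rewritten.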
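Review bot: In the compliance-community hunk at `@@ -58,35 +57,34 @@`, the CDC link update (`/healthcommunication/Preferred_Terms.html` to `/health-communication/php/toolkit/preferred-terms.html`) is the only content change buried in a large bullet-style and table-width reformat; call it out in the commit message or split it into its own commit so the link fix is reviewable and revertable on its own, and confirm the new URL resolves.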
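Review bot: In the domain-standards hunk at `@@ -27,7 +27,7 @@`, the load balancer policy changes from `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` to `ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04`, but the diff does not touch the cipher suite listing that the next hunk's context (`TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)`) shows exists in this file; the suite list must be regenerated to match the FIPS policy, otherwise the page names one policy and lists another policy's ciphers. Also state how the added AWS-LC FIPS module sentence relates to the unchanged claim below that the TLS stack is s2n-tls, so readers do not read the two as contradictory.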
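Review bot: In the domain-standards hunk at `@@ -46,11 +46,11 @@`, the counts change to "10 ciphers" and "6 results", implying four ECDSA-only suites are dropped by the RSA certificate; verify those numbers against the current AWS policy table, and re-check the unchanged "These are false positives ... CBC cipher modes" paragraph, which defends CBC suites that may not be present in the FIPS policy at all. Minor: "Cloudfront" in the `**TLS 1.3**` line should be "CloudFront" to match "Amazon CloudFront" in the previous hunk.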