From 81934db31075ad0880a4874e0dbb83a12814f6fe Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Wed, 3 Jul 2024 11:33:19 -0400 Subject: [PATCH 1/7] Add WIP link to secret mgmg --- .github/ISSUE_TEMPLATE/onboard-any-team-member.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/onboard-any-team-member.md b/.github/ISSUE_TEMPLATE/onboard-any-team-member.md index 7a0389f..7c5f58d 100644 --- a/.github/ISSUE_TEMPLATE/onboard-any-team-member.md +++ b/.github/ISSUE_TEMPLATE/onboard-any-team-member.md @@ -56,7 +56,7 @@ Your onboarding buddy should reach out and introduce themselves to you. If you h Onboarding buddy: Contact the compliance team in [#cg-compliance](https://gsa.enterprise.slack.com/archives/C0A1Z7L2U) to schedule training(s). - [ ] Coordinate with your onboarding buddy to schedule [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - - [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. + - [ ] Read our [sharing secret keys](https://github.com/cloud-gov/tktk/blob/main/docs/resources/Engineering-Practices/secrets.md) policy. - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). ## Getting to know cloud.gov From f2a1b3b19935076e8180df570d00784bba28bd36 Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Wed, 10 Jul 2024 13:56:21 -0400 Subject: [PATCH 2/7] Use link to internal-docs Signed-off-by: Peter Burkholder --- .github/ISSUE_TEMPLATE/onboard-any-team-member.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/ISSUE_TEMPLATE/onboard-any-team-member.md b/.github/ISSUE_TEMPLATE/onboard-any-team-member.md index 7c5f58d..702e5d4 100644 --- a/.github/ISSUE_TEMPLATE/onboard-any-team-member.md +++ b/.github/ISSUE_TEMPLATE/onboard-any-team-member.md @@ -56,7 +56,7 @@ Your onboarding buddy should reach out and introduce themselves to you. If you h Onboarding buddy: Contact the compliance team in [#cg-compliance](https://gsa.enterprise.slack.com/archives/C0A1Z7L2U) to schedule training(s). - [ ] Coordinate with your onboarding buddy to schedule [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - - [ ] Read our [sharing secret keys](https://github.com/cloud-gov/tktk/blob/main/docs/resources/Engineering-Practices/secrets.md) policy. + - [ ] Read our [sharing secret keys](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Engineering-Practices/secrets.md) policy. - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). ## Getting to know cloud.gov From 4a29b868b1f4d109b1ffb5fee9250756c32444c2 Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Tue, 16 Jul 2024 10:01:29 -0400 Subject: [PATCH 3/7] Update IR and CP plan --- .github/ISSUE_TEMPLATE/onboard-compliance.md | 4 ++-- .github/ISSUE_TEMPLATE/onboard-engineer.md | 4 ++-- .github/ISSUE_TEMPLATE/onboard-support.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index 75baee7..5108ad6 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md 
@@ -24,9 +24,9 @@ assignees: "" Compliance staff who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: - [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). + - [ ] Read the [Contingency Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/contingency-plan.md). - [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). + - [ ] Read the [Incident Response Guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/security-ir.md/). diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index 46960d0..187035c 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -24,9 +24,9 @@ assignees: "" Engineers who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: - [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). + - [ ] Read the [Contingency Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/contingency-plan.md). - [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). + - [ ] Read the [Incident Response Guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/security-ir.md/). diff --git a/.github/ISSUE_TEMPLATE/onboard-support.md b/.github/ISSUE_TEMPLATE/onboard-support.md index ea643d8..9ae93ff 100644 --- a/.github/ISSUE_TEMPLATE/onboard-support.md +++ b/.github/ISSUE_TEMPLATE/onboard-support.md 
@@ -24,9 +24,9 @@ assignees: "" Engineers who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: - [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). + - [ ] Read the [Contingency Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/contingency-plan.md). - [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). + - [ ] Read the [Incident Response Guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/security-ir.md/). From 2d5c74148f1e68328fb258316921714dedfd2721 Mon Sep 17 00:00:00 2001 From: Peter Burkholder Date: Tue, 16 Jul 2024 10:10:28 -0400 Subject: [PATCH 4/7] More updates to plans-and-procedures --- .github/ISSUE_TEMPLATE/conmon-0-run.md | 2 +- .github/ISSUE_TEMPLATE/conmon-1-deliver.md | 2 +- .github/ISSUE_TEMPLATE/onboard-compliance.md | 4 ++-- .github/ISSUE_TEMPLATE/onboard-engineer.md | 4 ++-- .github/ISSUE_TEMPLATE/onboard-support.md | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/conmon-0-run.md b/.github/ISSUE_TEMPLATE/conmon-0-run.md index dc241c2..b083869 100644 --- a/.github/ISSUE_TEMPLATE/conmon-0-run.md 
+++ b/.github/ISSUE_TEMPLATE/conmon-0-run.md @@ -8,7 +8,7 @@ assignees: "" In order for us to update the JAB on our compliance in a consistent way, we need to run Continuous Monitoring scans on approximately the 23rd of the month. (If this date falls on a weekend or federal holiday, adjust to the last business day before the date.) -For context, see our [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), including [the monthly reporting summary explanation](https://cloud.gov/docs/ops/continuous-monitoring/#monthly-reporting-summary). +For context, see our [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), including [the monthly reporting summary explanation](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#monthly-reporting-summary). ## Netsparker diff --git a/.github/ISSUE_TEMPLATE/conmon-1-deliver.md b/.github/ISSUE_TEMPLATE/conmon-1-deliver.md index ef7a19b..459282a 100644 --- a/.github/ISSUE_TEMPLATE/conmon-1-deliver.md +++ b/.github/ISSUE_TEMPLATE/conmon-1-deliver.md 
@@ -8,7 +8,7 @@ assignees: '' --- In order for us to update the JAB on our compliance in a consistent way, we need to deliver a Continuous Monitoring report monthly (our standard due date is the 2nd of the month. If these dates fall on a weekend or federal holiday, adjust to the last business day before the date.) -For context, see our [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), including [the monthly reporting summary explanation](https://cloud.gov/docs/ops/continuous-monitoring/#monthly-reporting-summary). +For context, see our [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), including [the monthly reporting summary explanation](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#monthly-reporting-summary). We need to process our scan results and prepare documentation for any updated or new items, including updating the [vulnerability tracker](https://docs.google.com/spreadsheets/d/1tAYNmiEUwMSquRcQ0MrqtP-VIo7oxh1OzD6rmkWl-9w/edit#gid=1701775784) and [POA&M](https://docs.google.com/spreadsheets/d/16igVl8cD3SqeX5_SOn5Su34KmwMRnP20gPbfQlqIwfM/edit#gid=1701775784). (Vulnerabilities that are patched within RA-05/SI-02 deadlines are not reported on the POA&M sheet). diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index 5108ad6..f45b2fb 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md 
@@ -33,8 +33,8 @@ Compliance staff who are federal employees or staff contractors have a Contingen ## Learn our policies and procedures - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). -- [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). -- [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). +- [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). +- [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) 
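Review bot: the Configuration Management Plan link in this hunk now points at `.../Plans-and-Procedures/continuous-monitoring.md`, which is the same file the Continuous Monitoring Strategy line directly above already links to, so the configuration management document is no longer reachable from the onboarding checklist at all. The removed line pointed at `https://cloud.gov/docs/ops/configuration-management/`, so the replacement should be the migrated configuration management page (presumably `.../Plans-and-Procedures/configuration-management.md`, assuming it was moved under the same name as the other documents in this series; please verify the path exists). The identical hunks for onboard-engineer.md and onboard-support.md in this same commit carry the same copy-paste error and need the same fix, and the unchanged context lines in PATCH 6/7 show the wrong target still present at the end of the series, so the correction belongs in this commit rather than a follow-up.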
diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index 187035c..4330c7e 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -71,8 +71,8 @@ Channels marked with (🗣️) receive a lot of messages, either from customers In addition to the topics in [the trainings section](#complete-cloudgov-trainings), review the following documents: - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). -- [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). -- [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). +- [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). +- [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). 
Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) - [ ] Review the team's [Engineering Practices](https://github.com/cloud-gov/internal-docs/tree/main/docs/resources/Engineering-Practices). Some of these are mandatory because they fulfill FedRAMP requirements. diff --git a/.github/ISSUE_TEMPLATE/onboard-support.md b/.github/ISSUE_TEMPLATE/onboard-support.md index 9ae93ff..1c69efe 100644 --- a/.github/ISSUE_TEMPLATE/onboard-support.md +++ b/.github/ISSUE_TEMPLATE/onboard-support.md 
@@ -33,8 +33,8 @@ Engineers who are federal employees or staff contractors have a Contingency Plan ## Learn our policies and procedures - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). -- [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). -- [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). +- [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). +- [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) From 19f0063c1f9b10b4887b42a20b5a8d0bd26c69fa Mon Sep 17 00:00:00 2001 
From: Peter Burkholder Date: Tue, 16 Jul 2024 10:17:24 -0400 Subject: [PATCH 5/7] Update link to service disruption guide --- .github/ISSUE_TEMPLATE/onboard-compliance.md | 2 +- .github/ISSUE_TEMPLATE/onboard-engineer.md | 2 +- .github/ISSUE_TEMPLATE/onboard-support.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index f45b2fb..1ef23dd 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md @@ -78,7 +78,7 @@ very quickly, so your onboarding buddy will walk through this list with you at a - [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. - [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/main/StoryLifecycle.md) to learn about how we work. -- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. +- [ ] Read our [service disruption guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/service-disruption-guide.md) to learn how we handle customer-facing service disruptions. ## Compliance-role specific items diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index 4330c7e..8479f36 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -83,7 +83,7 @@ Resources on cloud.gov: - [ ] View the video: [A Technical Overview of cloud.gov](https://youtu.be/lwQCDeIm1Es) - [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/master/StoryLifecycle.md) to learn about how we work. -- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. +- [ ] Read our [service disruption guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/service-disruption-guide.md) to learn how we handle customer-facing service disruptions. Resources on CloudFoundry/BOSH: diff --git a/.github/ISSUE_TEMPLATE/onboard-support.md b/.github/ISSUE_TEMPLATE/onboard-support.md index 1c69efe..5b26b9f 100644 --- a/.github/ISSUE_TEMPLATE/onboard-support.md +++ b/.github/ISSUE_TEMPLATE/onboard-support.md @@ -45,7 +45,7 @@ should take the time to go through them, please do not try and tackle it all in very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. - [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. -- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. +- [ ] Read our [service disruption guide](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/service-disruption-guide.md) to learn how we handle customer-facing service disruptions. ## Slack channels From a0a3de835e0d030687974e4c8cf5e0674c7f0f68 Mon Sep 17 00:00:00 2001 
From: Peter Burkholder Date: Tue, 16 Jul 2024 11:35:28 -0400 Subject: [PATCH 6/7] Update link to SSP in Drive --- .github/ISSUE_TEMPLATE/onboard-compliance.md | 2 +- .github/ISSUE_TEMPLATE/onboard-engineer.md | 2 +- .github/ISSUE_TEMPLATE/onboard-support.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index 1ef23dd..92574b4 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md 
@@ -36,7 +36,7 @@ Compliance staff who are federal employees or staff contractors have a Contingen - [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). - [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. -- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) +- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/folders/1K90aAi_-YYyXTbrqQUCmmfLx25AQL_3i); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) ## Slack channels diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index 8479f36..023a107 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -74,7 +74,7 @@ In addition to the topics in [the trainings section](#complete-cloudgov-training - [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). - [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. -- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) +- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/folders/1K90aAi_-YYyXTbrqQUCmmfLx25AQL_3i); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) - [ ] Review the team's [Engineering Practices](https://github.com/cloud-gov/internal-docs/tree/main/docs/resources/Engineering-Practices). Some of these are mandatory because they fulfill FedRAMP requirements. ## Getting to know cloud.gov 
diff --git a/.github/ISSUE_TEMPLATE/onboard-support.md b/.github/ISSUE_TEMPLATE/onboard-support.md index 5b26b9f..b8b10ae 100644 --- a/.github/ISSUE_TEMPLATE/onboard-support.md +++ b/.github/ISSUE_TEMPLATE/onboard-support.md @@ -36,7 +36,7 @@ Engineers who are federal employees or staff contractors have a Contingency Plan - [ ] Read the [Continuous Monitoring Strategy](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md), particularly the [cloud.gov team responsibilities](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md#cloud-gov-team). - [ ] Read the [Configuration Management Plan](https://github.com/cloud-gov/internal-docs/blob/main/docs/resources/Plans-and-Procedures/continuous-monitoring.md). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. -- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) +- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/folders/1K90aAi_-YYyXTbrqQUCmmfLx25AQL_3i); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) ## Getting to know cloud.gov From dd730dbc9f1bb6d8ace4de205626d3ba21860df1 Mon Sep 17 00:00:00 2001 
From: Peter Burkholder Date: Tue, 23 Jul 2024 12:54:11 -0400 Subject: [PATCH 7/7] Better link to aws-vault setup --- .github/ISSUE_TEMPLATE/onboard-compliance.md | 2 +- .github/ISSUE_TEMPLATE/onboard-engineer.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index 92574b4..77c6abf 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md @@ -128,7 +128,7 @@ Your onboarding buddy will create a separate ticket tied to this one to track th - `cf orgs` - As a cloud.gov team member, you should have a long list of organizations - If you have none or one (e.g. sandbox) org, please reach out to your onboarding buddy -- [ ] Configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) +- [ ] Configure `aws-vault` by [following our directions](https://github.com/cloud-gov/aws-admin/blob/main/docs/user_access.md) - [ ] Fix `fly`, the Concourse CLI, by running `xattr -d com.apple.quarantine $(brew --prefix)/bin/fly`. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine. Verify by running `fly -h` in your command line. - [ ] Install cloud.gov dev tools by cloning the [`cg-scripts` repo](https://github.com/cloud-gov/cg-scripts/): run `git clone https://github.com/cloud-gov/cg-scripts.git` in your command line diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index 023a107..c97e8cb 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -152,7 +152,7 @@ You are a member of the Cloud Operations team, which means you have additional a - `cf orgs` - As a cloud.gov team member, you should have a long list of organizations - If you have none or one (e.g. sandbox) org, please reach out to your onboarding buddy -- [ ] Configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) +- [ ] Configure `aws-vault` by [following our directions](https://github.com/cloud-gov/aws-admin/blob/main/docs/user_access.md) - [ ] Fix `fly`, the Concourse CLI, by running `xattr -d com.apple.quarantine $(brew --prefix)/bin/fly`. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine. Verify by running `fly -h` in your command line. - [ ] Install cloud.gov dev tools by cloning the [`cg-scripts` repo](https://github.com/cloud-gov/cg-scripts/): run `git clone https://github.com/cloud-gov/cg-scripts.git` in your command line
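Review bot: in PATCH 1/7 the replacement link for the sharing-secret-keys policy uses the placeholder org/repo `cloud-gov/tktk`, which PATCH 2/7 then overwrites with `cloud-gov/internal-docs`; squash the two so that no commit on the branch carries a dead URL in an issue template that is rendered on every new onboarding issue. The PATCH 1/7 subject line also has a typo ("secret mgmg").

Review bot: in PATCH 3/7 the new Incident Response Guide link ends in `security-ir.md/` with a trailing slash, in all three templates (onboard-compliance.md, onboard-engineer.md, onboard-support.md), while the Contingency Plan link in the same hunks ends cleanly in `contingency-plan.md`; GitHub blob URLs address a file, not a directory, so drop the trailing slash and keep the two links consistent.

Review bot: in PATCH 5/7 the unchanged context directly above the service disruption guide line shows the Delivery Process document linked as `cloud-gov/product/blob/main/StoryLifecycle.md` in onboard-compliance.md but as `cloud-gov/product/blob/master/StoryLifecycle.md` in onboard-engineer.md; one of those branch names is stale, and since this series is a link cleanup it would be worth aligning them here.

Review bot: in PATCH 7/7 the aws-vault step now points at `cloud-gov/aws-admin/blob/main/docs/user_access.md`, whereas the removed link targeted a specific `#aws-credentials` section of the secrets page; please confirm the new document actually walks through configuring `aws-vault` rather than only describing how AWS user access is granted, and add the section anchor if the guidance sits partway down the page. Note also that only onboard-compliance.md and onboard-engineer.md are changed in this commit, so if onboard-support.md carries the same `cloud.gov/docs/ops/secrets/#aws-credentials` link it is left stale.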