GSA Pages
Authority to Use (ATU) Process
This guide is for GSA Employees or Contractors operating a GSA Website
"GSA Pages" is a GSA only Authority to Operate (ATO) of , external,cloud.gov's FEDRAMP Authorization of their , external,cloud.gov Pages service. As such, it adds the Security Controls around the source code and contents for the website (e.g. Github). It provides GSA employees with a fast and secure approach to getting a web presence for your projects/programs.
Launching a Website at GSA
- Confirm your website is listed on , external,https://touchpoints.digital.gov
- if not listed, , external,complete a new website request
- Follow TTS-only, GSA's Digital Lifecycle Program Guide
Prior to standing up a site with GSA Pages, you will need a domain or subdomain. To obtain a new domain or subdomain with GSA, approval is needed by GSA Leadership and Office of Customer Experience in Touchpoints.
Launching a cloud.gov Pages Website
- Identify a Federal GSA Employee as the GSA Website Manager
Note: GSA Website Manager is defined here , external,GSA's Digital.gov Program.
- Turn on all , external,Github Advanced Security for the website's repository and
Enable
: - Designate (One) Github Team with
Admin
access to the repository - Designate (One or More) Github Team(s) with
Write
access to the repository - Submit a pull request to add your repository to our Github configuration scanner to , external,GSA or , external,GSA-TTS
- Create a , external,
SECURITY.md
file - , external,Example - Follow GSA's TTS-only, Digital Lifecycle Program for the Website
Authority to Use (ATU) Review
- Review TTS-only, GSA Pages Security Review and Approval Process
- Complete , external,TTS-only, GSA Pages Security Review and Approval Form your information will be used to complete TTS-only, GSA Pages Security Review Document
- Email , external,TTS Tech Operations to confirm receipt or request review status.
- Resolve any Critical or High security findings from security scanners
- , external,TTS Tech Operations will:
- Create a Google Group for your website
- Notify the Website Manager of any missing information or security findings
Once the ATU review is completed the GSA Website Manager will be sent an ATU Approval package for signature in Docusign. The GSA Website Manager will be responsible for managing Security Findings over the lifecycle of the Website using the Google Group created to manage communications.
Maintaining Approved Sites
Sites hosted on GSA Pages are required to have their URLs scanned in accordance with CIO-IT Security-06-30: Managing Enterprise Cybersecurity Risk and GSA’s parameter for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, control RA-5, Vulnerability Scanning.
This is performed after the ATU request is submitted, reviewed, and signed.
Reassessment
A Site’s ATU will have to be reassessed and an ATU reissued if the Site is found NOT
to be in conformity with the requirements.
Conditions/events that may require a reassessment of the ATU include:
- New third party integrations not on the approved list are added.
- The data types or information presented on the site changes.
- A significant security incident occurs.
- There are deviations from the ATU maintenance requirements.
This Determination is made by the GSA Pages System Owner
tts-tech-operations@gsa.gov
. Generally, this is done if security findings are not being addressed promptly.
GSA Pages System Owner will proceed with the following actions, only in the event that the GSA Website Manager is none responsive.
Failure to Maintain Site - Site Removal
Sites that fail to maintain the ATU requirements will be issued a formal notice. The GSA Pages team may take steps to disable the site or remediate the vulnerabilities. GSA Website Manager who hit certain triggers of overdue Plan of Actions & Milestones (POA&Ms) and/or failure to maintain alignment to ATU requirements will be required to provide a Corrective Action Plan (CAP) detailing the steps that will be taken to address the deficiencies.
The CAP must be approved by the GSA Website Manager, System Owner, ISSM, and IST Director. Sites or GSA Website Managers who fail to respond to a CAP or complete approved actions will be removed from the ATO boundary, and will no longer be authorized. The removal process steps are further described below:
- Detailed Finding Review (DFR) - GSA Website Managers will be issued a DFR upon failing to address a deficiency within the site or alignment with the ATU requirements.
- Corrective Action Plan - GSA Website Managers' who fail to adequately respond or address a DFR will be issued a CAP request. The GSA Website Manager must provide a CAP to the System owner within 30 days of the CAP request. The CAP must detail how the team will address the deficiencies and the timeline for completion.
The GSA Website Manager CAP must be approved by the GSA Pages system owner, the ISSM, and IST Director.
Site Disablement
GSA Website Manager who fail to respond to the CAP within the 30 day timeframe, or fail to provide an adequate CAP, or fail to comply with the provisions, timeline and duration of their CAP will have their site Disabled.
- Disabling a site consists of removing the site from the , external,cloud.gov Pages Platform which will result in a site being unreachable.
Site Removal
GSA Website Manager who fail to address deficiencies within 90 days of disablement will have their site removed from the GSA Pages ATO boundary and the site will be deleted.
- Deleting a site removes the published site from the , external,cloud.gov Pages Platform and from the dashboards of all site users. This will bring the entire site offline and make it inaccessible for users.
- A Site Removal letter will be issued by the GSA Pages System Owner to GSA Website Manager indicating that the site is no longer authorized to operate.
Incident Response
In the event of a security incident:
Follow TTS Incident Response Plan
Contingency Plan
In the event of an outage:
- Sign up for , external,cloud.gov Pages Status notifications
- Follow , external,cloud.gov Contingency Plan
This is a , external,Low system
- You cannot use it to store any sensitive information
- It generally can't have write access to any , external,Moderate systems