diff --git a/docs/ato/ATO.authorization.drawio.svg b/docs/ato/ATO.authorization.drawio.svg new file mode 100644 index 0000000..ddf5fcc --- /dev/null +++ b/docs/ato/ATO.authorization.drawio.svg @@ -0,0 +1,1131 @@ + + + + + + + + + + + + + + + + + + + +
+
+
+ + + Participate + +
+ + in Information Exchange + +
+
+ Organization +
+
+
+
+ + Participate... + +
+
+ + + + + + + + + + + + +
+
+
+ + + FEEDBACK RECORD +
+
+ + ATO Channel + +
+
+
+
+
+
+ + FEEDBACK RECORD... + +
+
+ + + + +
+
+
+ + + L1 +
+ T3* +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + FEEDBACK RECEIVED +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + FEEDBACK RECEIVED... + +
+
+ + + + +
+
+
+ + + N3 + + +
+
+
+
+ + N3 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + VOTE RECORD +
+
+ + ATO Channel + +
+
+
+
+
+
+ + VOTE RECORD... + +
+
+ + + + +
+
+
+ + + L1 +
+ T4* +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + VOTE COMPLETE +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + VOTE COMPLETE... + +
+
+ + + + +
+
+
+ + + N4 + + +
+
+
+
+ + N4 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + CONFIRM JOIN +
+
+ + ATO Channel + +
+
+
+
+
+
+ + CONFIRM JOIN... + +
+
+ + + + +
+
+
+ + + L1 +
+ T5 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + CONFIRMATION +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + CONFIRMATION... + +
+
+ + + + +
+
+
+ + + N5 + + +
+
+
+
+ + N5 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + SYSTEM CHANGE +
+
+ + ATO Channel + +
+
+
+
+
+
+ + SYSTEM CHANGE... + +
+
+ + + + +
+
+
+ + + L1 +
+ T6* +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + NOTICE OF CHANGE +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + NOTICE OF CHANGE... + +
+
+ + + + +
+
+
+ + + N6 + + +
+
+
+
+ + N6 + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ + + REASSESS +
+
+ + ATO Channel + +
+
+
+
+
+
+ + REASSESS... + +
+
+ + + + +
+
+
+ + + L1 +
+ T7 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + ASSESSMENT REQUIRED +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + ASSESSMENT REQUIRED... + +
+
+ + + + +
+
+
+ + + N7 + + +
+
+
+
+ + N7 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + Reauthorization +
+
+
+ All Federation Members +
+
+
+
+ + Reauthorization... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + Record +
+ Changes +
+
+
+ System Administrator +
+
+
+
+ + Record... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Monitor +
+ for Changes +
+
+
+ System Administrator +
+
+
+
+ + Monitor... + +
+
+ + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ + + Confirm +
+ Commitment to Join +
+
+
+ Authorizing Official +
+
+
+
+ + Confirm... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Review Federated POAMs/ATO +
+
+
+ Authorizing Official +
+
+
+
+ + Review Federated POAMs/ATO... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Vote In/Out +
+ New Organization +
+
+
+ All Federation Members +
+
+
+
+ + Vote In/Out... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + Provide Feedback +
+ for Conditions of Participation +
+
+
+ All Federation Members +
+
+
+
+ + Provide Feedback... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + Evaluate/Review +
+ Critical Controls +
+
+
+ All Federation Members +
+
+
+
+ + Evaluate/Review... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + Review +
+ POAMs +
+
+
+ All Federation Members +
+
+
+
+ + Review... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + Review +
+ ATO Document +
+
+
+ All Federation Members +
+
+
+
+ + Review... + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/docs/ato/ATO.implementation.drawio.svg b/docs/ato/ATO.implementation.drawio.svg new file mode 100644 index 0000000..d9a95e3 --- /dev/null +++ b/docs/ato/ATO.implementation.drawio.svg @@ -0,0 +1,802 @@ + + + + + + + + + + + + + +
+
+
+ + + ATTESTATION +
+
+ + ATO Channel + +
+
+
+
+
+
+ + ATTESTATION... + +
+
+ + + + +
+
+
+ + + L1 +
+ T2 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + ATTESTATION (PDF) + +
+ + File/Data Store TBD + +
+
+
+
+
+
+ + ATTESTATION (PDF)... + +
+
+ + + + +
+
+
+ + + S1 +
+ D3 +
+
+
+
+
+
+
+ + S1... + +
+
+ + + + +
+
+
+ + + PACKAGE SUBMITTED +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + PACKAGE SUBMITTED... + +
+
+ + + + +
+
+
+ + + N2 + + +
+
+
+
+ + N2 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + Report +
+ to Federation +
+
+
+ Authorizing Official +
+
+
+
+ + Report... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Produce +
+ Attestation Documentation +
+
+
+ Authorizing Official +
+
+
+
+ + Produce... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Compile +
+ Unresolved POAMs +
+
+
+ Security Officer or Designee +
+
+
+
+ + Compile... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Address +
+ POAMs Based on Risk Tolerance +
+
+
+ System Administrator +
+
+
+
+ + Address... + +
+
+ + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ + + Review +
+ Risk +
+
+
+ Authorizing Official +
+
+
+
+ + Review... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Document +
+ Findings in POAMs +
+
+
+ Security Officer or Designee +
+
+
+
+ + Document... + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ + Record +
+ Results +
+ + +
+
+
+ Security Officer or Designee +
+
+
+
+ + Record... + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ + + Perform +
+ Assessment +
+
+
+ Security Officer or Designee +
+
+
+
+ + Perform... + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ + Develop or Revise +
+ Assessment Plan +
+ + +
+
+
+ Security Officer or Designee +
+
+
+
+ + Develop or Revise... + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ + + Document +
+ Security Controls in SSP +
+
+
+ Security Officer or Designee +
+
+
+
+ + Document... + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ + + Deploy +
+ Member Node +
+
+
+ System Administrator +
+
+
+
+ + Deploy... + +
+
+ + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ + + Implement +
+ Infrastructure +
+
+
+ System Administrator +
+
+
+
+ + Implement... + +
+
+ + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ + + POAMs (PDF, OSCAL) + +
+ + File/Data Store TBD + +
+
+
+
+
+
+ + POAMs (PDF, OSCAL)... + +
+
+ + + + +
+
+
+ + + S1 +
+ D2* +
+
+
+
+
+
+
+ + S1... + +
+
+ + + + + + +
+
+
+ + + Fix/Assume +
+ Risk for POAMs +
+
+
+ System Administrator +
+
+
+
+ + Fix/Assume... + +
+
+ + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/docs/ato/ATO.initiation.drawio.svg b/docs/ato/ATO.initiation.drawio.svg new file mode 100644 index 0000000..be18aff --- /dev/null +++ b/docs/ato/ATO.initiation.drawio.svg @@ -0,0 +1,373 @@ + + + + + + + + + + + + + +
+
+
+ + + MOU SIGNED +
+
+ + Email & System Notification + +
+
+
+
+
+
+ + MOU SIGNED... + +
+
+ + + + +
+
+
+ + + N1 + + +
+
+
+
+ + N1 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + MOU DOCUMENT (PDF) + +
+ + File/Data Store TBD + +
+
+
+
+
+
+ + MOU DOCUMENT (PDF)... + +
+
+ + + + +
+
+
+ + + S1 +
+ D1 +
+
+
+
+
+
+
+ + S1... + +
+
+ + + + +
+
+
+ + + MOU SIGNED + +
+ + ATO Channel + +
+
+
+
+
+
+ + MOU SIGNED... + +
+
+ + + + +
+
+
+ + + L1 +
+ T1 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + + +
+
+
+ + + Sign +
+ MOU +
+ + (Contract To Join) + +
+ + Authorizing Official + +
+
+
+
+
+ + Sign... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Understand +
+ Assessment Requirements +
+
+
+ Authorizing Official +
+
+
+
+ + Understand... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Understand +
+ Applicable Security Controls +
+
+
+ Authorizing Official +
+
+
+
+ + Understand... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ + + Review +
+ MOU +
+
+
+ Authorizing Official +
+
+
+
+ + Review... + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/docs/ato/ATO.legend.drawio.svg b/docs/ato/ATO.legend.drawio.svg new file mode 100644 index 0000000..1d9d7ff --- /dev/null +++ b/docs/ato/ATO.legend.drawio.svg @@ -0,0 +1,481 @@ + + + + + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ IS +
+
+
+
+ + IS + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + System Interaction (Verb) +
+ Step +
+
+
+ Role +
+
+
+
+ + System Interaction (Verb)... + +
+
+ + + + +
+
+
+ + + System Interaction (Verb) +
+ Step with Record +
+
+
+ Role +
+
+
+
+ + System Interaction (Verb)... + +
+
+ + + + +
+
+
+ + + NOTIFICATION +
+
+ + Type of Notification + +
+
+
+
+
+
+ + NOTIFICATION... + +
+
+ + + + +
+
+
+ + + N1 + + +
+
+
+
+ + N1 + +
+
+ + + + +
+
+
+ - +
+
+
+
+ + - + +
+
+ + + + +
+
+
+ - +
+
+
+
+ + - + +
+
+ + + + +
+
+
+ + + DOCUMENT (TYPE) + +
+ + File/Data Store Name + +
+
+
+
+
+
+ + DOCUMENT (TYPE)... + +
+
+ + + + +
+
+
+ + + S1 +
+ D1 +
+
+
+
+
+
+
+ + S1... + +
+
+ + + + +
+
+
+ + + TRANSACTION +
+
+ + Ledger Name + +
+
+
+
+
+
+ + TRANSACTION... + +
+
+ + + + +
+
+
+ + + L1 +
+ T1 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + +
+
+
+ Roles +
+
+
+
+ + Roles + +
+
+ + + +
+
+
+ Steps +
+
+
+
+ + Steps + +
+
+ + + +
+
+
+ Records +
+
+
+
+ + Records + +
+
+ + + +
+
+
+ FROM +
+
+
+
+ + FROM + +
+
+ + + +
+
+
+ TO +
+
+
+
+ + TO + +
+
+ + + +
+
+
+ ORGANIZATION AUTHORIZING OFFICIAL +
+
+
+
+ + ORGANIZATION AUTHORIZING OFFICIAL + +
+
+ + + +
+
+
+ ORGANIZATION SYSTEM OWNER +
+
+
+
+ + ORGANIZATION SYSTEM OWNER + +
+
+ + + +
+
+
+ INFORMATION SECURITY ROLES (ORGANIZATION DEPENDENT) +
+
+
+
+ + INFORMATION SECURITY ROLES (ORGANIZATION DEPENDENT) + +
+
+ + + +
+
+
+ FEDERATION (OTHER AUTHORIZING OFFICIALS) +
+
+
+
+ + FEDERATION (OTHER AUTHORIZING OFFICIALS) + +
+
+ + + + +
+
+
+ + External Action + + + +
+
+
+ Role +
+
+
+
+ + External ActionRole + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/docs/ato/README.md b/docs/ato/README.md new file mode 100644 index 0000000..e01d14b --- /dev/null +++ b/docs/ato/README.md 
@@ -0,0 +1,69 @@
+# Rough Draft of ATO Process
+
+
+## Diagram Legend
+
+![Legend](ATO.legend.drawio.svg)
+>*Fig 1. Legend for the diagrams that follow.*
+
+
+
+---
+
+## Initiation Phase
+
+![Initiation](ATO.initiation.drawio.svg)
+>*Fig 2. Outline of the steps necessary to complete initiation phase.*
+
+
+### Process Description
+
+1. The first step is for the organization to obtain and review the **MOU - "Contract to Join"**, which contains:
+ - *a.*) Preselected security controls that must be addressed.
+ - *b.*) An outline of the assessment method, and expectations for what is produced.
+2. Initiation is completed by signing the **MOU**.
+
+
+
+---
+
+## Implementation Phase
+
+![Implementation](ATO.implementation.drawio.svg)
+>*Fig 3. Outline of the steps necessary to complete initiation phase.*
+
+### Process Description
+
+3. The organization deploys a member node, on their own infrastructure, that will participate in the information exchange.
+4. The controls for the member node are documented in an System Security Plan (SSP).
+5. An assessment plan is developed to assess the controls for the implemented system.
+6. An assessment is performed, and results are recorded in an assessment result.
+7. Any findings from the assessment are documented in a Plan of Action and Milestone (POAM) document.
+8. The organizational (local) Authorizing Official (AO) conducts a review of risk.
+9. The POAMs are addressed at AO discretion, based on risk tolerance.
+10. **The AO produces a document along with unresolved POAMs (Attestation/ATO memo)** that serves as Authority to Operate.
+11. Implmentation, as a phase, is completed upon producing an Attestation and related POAMs.
+
+
+---
+
+## Authorization Phase
+
+![Authorization](ATO.authorization.drawio.svg)
+>*Fig 4. Outline of the steps necessary to complete initiation phase.*
+
+### Process Description
+
+12. **Any unresolved POAMs are reported to the federation, along with the AO attestation.**
+13. This process of fix or assume risk may be repeated as necessary to address outstanding POAMs in order to meet promised milestones.
+14. The ATO document and POAMs will be reviewed by all federation members.
+15. This will include a critical controls evaluation/review.
+16. **Feedback by all parties in the federation will be shared, and any conditions for joining the federation will be discussed**
+17. **The federation will vote in or out on the new organizational member.**
+18. Access to POAMS/ATO docs by organization.
+19. **The last step allows the new organizational member to communicate commitment to join the federation.**
+20. At this point, the new member is able to participate in the information exchange (in this case, license acquisition).
+21. **Monitor for changes on an ongoing basis**
+22. **Record system changes.**
+23. Reassess. Go to #5 (or #4 if the plan requires adjustment.)
+24. Reauthorize the members.
\ No newline at end of file
diff --git a/docs/ato/support/ATO.drawio.svg b/docs/ato/support/ATO.drawio.svg
new file mode 100644
index 0000000..473180d
--- /dev/null
+++ b/docs/ato/support/ATO.drawio.svg
@@ -0,0 +1,481 @@
+ + + + + + + +
+
+
+ SO +
+
+
+
+ + SO + +
+
+ + + + +
+
+
+ AO +
+
+
+
+ + AO + +
+
+ + + + +
+
+
+ ISO +
+
+
+
+ + ISO + +
+
+ + + + +
+
+
+ FED +
+
+
+
+ + FED + +
+
+ + + + +
+
+
+ + + System Interaction (Verb) +
+ Step +
+
+
+ Role +
+
+
+
+ + System Interaction (Verb)... + +
+
+ + + + +
+
+
+ + + System Interaction (Verb) +
+ Step with Record +
+
+
+ Role +
+
+
+
+ + System Interaction (Verb)... + +
+
+ + + + +
+
+
+ + + NOTIFICATION +
+
+ + Type of Notification + +
+
+
+
+
+
+ + NOTIFICATION... + +
+
+ + + + +
+
+
+ + + N1 + + +
+
+
+
+ + N1 + +
+
+ + + + +
+
+
+ A +
+
+
+
+ + A + +
+
+ + + + +
+
+
+ F +
+
+
+
+ + F + +
+
+ + + + +
+
+
+ + + DOCUMENT (TYPE) + +
+ + File/Data Store Name + +
+
+
+
+
+
+ + DOCUMENT (TYPE)... + +
+
+ + + + +
+
+
+ + + S1 +
+ D1 +
+
+
+
+
+
+
+ + S1... + +
+
+ + + + +
+
+
+ + + TRANSACTION +
+
+ + Ledger Name + +
+
+
+
+
+
+ + TRANSACTION... + +
+
+ + + + +
+
+
+ + + L1 +
+ T1 +
+
+
+
+
+
+
+ + L1... + +
+
+ + + +
+
+
+ Roles +
+
+
+
+ + Roles + +
+
+ + + +
+
+
+ Steps +
+
+
+
+ + Steps + +
+
+ + + +
+
+
+ Records +
+
+
+
+ + Records + +
+
+ + + +
+
+
+ FROM +
+
+
+
+ + FROM + +
+
+ + + +
+
+
+ TO +
+
+
+
+ + TO + +
+
+ + + +
+
+
+ ORGANIZATION AUTHORIZING OFFICIAL +
+
+
+
+ + ORGANIZATION AUTHORIZING OFFICIAL + +
+
+ + + +
+
+
+ ORGANIZATION SYSTEM OWNER +
+
+
+
+ + ORGANIZATION SYSTEM OWNER + +
+
+ + + +
+
+
+ INFORMATION SECURITY ROLES (ORGANIZATION DEPENDENT) +
+
+
+
+ + INFORMATION SECURITY ROLES (ORGANIZATION DEPENDENT) + +
+
+ + + +
+
+
+ FEDERATION (OTHER AUTHORIZING OFFICIALS) +
+
+
+
+ + FEDERATION (OTHER AUTHORIZING OFFICIALS) + +
+
+ + + + +
+
+
+ + External Action + + + +
+
+
+ Role +
+
+
+
+ + External ActionRole + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file