25 changes: 21 additions & 4 deletions RA-Policy.md
Expand Up @@ -30,7 +30,7 @@ changequote(`{{', `}}')
include({{bq_tts.md}})
x -->

# Procedures
## Procedures

All GSA teams, being part of a federal agency, follow the risk assessment and management process outlined in [NIST Special Publication (SP) 800-37](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf), _Risk Management Framework for
Information Systems and Organizations_.
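Review bot: demoting `# Procedures` to `## Procedures` only keeps the document consistent if every other section heading in RA-Policy.md moves down a level as well; this diff shows the same demotion for `Version history` but nothing of the file between line 30 and line 49, so please confirm no `#`-level section headings remain in the unchanged middle of the file before merging.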
Expand All @@ -49,13 +49,30 @@ In some cases Common Vulnerabilities and Exposures (CVEs) found by container sca

See RA-5, RA-5(1), RA-5(2), RA-5(3), RA-5(5), RA-5(6), RA-5(8).

# Version history
cloud.gov leverages GSA's vulnerability disclosure program to satisfy RA-5(11):

Complete version history: https://github.com/cloud-gov/cg-compliance-docs/commits/master/RA-Policy.md
- The program should send us, via cloud-gov-compliance@gsa.gov or
cloud-gov-security@gsa.gov, new Bug Bounty findings
- When receiving a new report, the Assurance team
- Ensures it has a proper tracking number from GSA IT
- Saves the report as a Google doc in the Google Folder
["GitHub Supplemental Information"](https://drive.google.com/drive/folders/1QfLClYg5lw-QPSrLKLEtSEI9ITn5wiYd)
with the naming convention: `YYYY-MM-DD BBP #NNNNN - short description - product`, e.g.
`2023-12-07 BBP alert #2247177 - improper access control - Pages`
- Creates a GitHub issue for the appropriate team, referencing the document
- Notifies the team via Slack

The assurance team should track the issue either as bug (if Low severity) or
as a finding if Medium or High severity).

## Version history

Complete version history: https://github.com/cloud-gov/cg-compliance-docs/commits/master/RA-Policy.md:

- 2016-10: Initial version for authorization
- 2017-09: Security policy link updates
- 2019-12: Update links to GSA security policy
- 2020-11: Update links to GitHub and GSA policies, split controls by CSF, add version history
- 2021-11: Correct to using GSA TTS as organization name
- 2024-05: Add container scanning and exlusion information, update links
- 2024-05: Add container scanning and exclusion information, update links
- 2024-07: Add GSA VDP Policy
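Review bot: the closing sentence of the new VDP section has an unbalanced parenthesis and a missing article; `as bug (if Low severity) or` / `as a finding if Medium or High severity).` should read `as a bug (if Low severity) or as a finding (if Medium or High severity).` The naming convention `YYYY-MM-DD BBP #NNNNN - short description - product` also disagrees with its own example, which inserts the word `alert` before `#2247177`; pick one form so reports are filed consistently. Minor: `Assurance team` is capitalised in the bullet list but not in that closing sentence, and the colon added after the version-history URL reads as part of the link in some renderers.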