This repository has been archived by the owner on Dec 12, 2023. It is now read-only.

GSA and FedRAMP Standards to Clarify DoD #73

Closed
18 tasks
ohsh6o opened this issue May 7, 2021 · 2 comments

Comments


ohsh6o commented May 7, 2021

Extended Description
As a FedRAMP representative, to understand this software meets security engineer requirements of GSA and FedRAMP, I want clear explanation of FedRAMP security engineering standards.

Preconditions

  • Defined standards endorsed from FedRAMP: be it GSA, or TTS, or standards of their own endorsed by the PMO.

Acceptance Criteria

  • Acceptance criteria...

Story Tasks

  • Tasks...

Definition of Done

  • Acceptance criteria met - Each user story should meet the acceptance criteria in the description
  • Unit test coverage of our code > 90% (from QASP) this may be fuzzy and hard to prove
  • Code quality checks passed - Enable html tidy with XML code standards as part of the build (from QASP)
  • Accessibility: (from QASP) as we create guidance or documentation and reports (semantic tagging including aria tags): demonstrate with 0 errors reported for WCAG 2.1 AA standards using an automated scanner and 0 errors reported in manual testing
  • Code reviewed - Code reviewed by at least one other team member (or developed by a pair)
  • Source code merged - Code that’s demoed must be in source control and merged
  • Code must successfully build and deploy into staging environment (from QASP): this may evolve from xslt sh pipeline into something more
  • Security reviewed and reported - Conduct vulnerability and compliance scanning. Threat modeling?
  • Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities (from QASP)
  • Usability tests passed - Each user story should be easy to use by target users (development community? FedRAMP FART team)
  • Usability testing and other user research methods must be conducted at regular intervals throughout the development process (not just at the beginning or end). (from QASP)
  • Code refactored for clarity - Code must be clean, self-documenting
  • No local design debt
  • Load/performance tests passed - test data needed - saxon instrumentation
  • Documentation generated - update readme or contributing markdown as necessary.
  • Architectural Decision Record completed as necessary for significant design choices
@ohsh6o ohsh6o added story task it's a task and removed task it's a task labels May 7, 2021
ohsh6o pushed a commit that referenced this issue May 27, 2021
Updating OSCAL repo commit and fixing ajv dependency version
@ohsh6o ohsh6o added task it's a task backlog item and removed story task it's a task labels Jun 1, 2021
@ohsh6o ohsh6o changed the title As a FedRAMP representative, to understand this software meets security engineer requirements of GSA and FedRAMP, I want clear explanation of FedRAMP security engineering standards. GSA and FedRAMP Standards to Clarify DoD Jun 15, 2021

ohsh6o commented Jul 21, 2021

Closed in favor of GSA#144.

@ohsh6o ohsh6o closed this as completed Jul 21, 2021
@volpet2014

Moved to FedRAMP automation PMO policy discussion board for further resolution.
