raft-tech · andrew-jameson · Sep 16, 2022 · Jun 28, 2022 · Jul 1, 2022 · Jul 1, 2022
diff --git a/docs/Product-Strategy/Roadmap-and-Backlog.md b/docs/Product-Strategy/Roadmap-and-Backlog.md
@@ -1,50 +1,64 @@
-_updated January 2022_
+_updated July 2022_
 # Product Roadmap
-Our [roadmap](https://app.mural.co/invitation/mural/raft2792/1629476801275?sender=laurenfrohlich3146&key=5328c2c6-a097-4b3d-bcf7-f2e551a01a72) :lock: represents our latest thinking about the order in which we’ll tackle the various pieces of the overarching problem.
+Our [roadmap](https://app.mural.co/t/raft2792/m/raft2792/1649193957647/f8656ffaae4f5dfd47017eb981b04ff2ab7e792d?fromVisitorModal=true&sender=uc514273731b3f70763f30539) : represents our latest thinking about the order in which we’ll tackle the various pieces of the overarching problem.
 
 This roadmap provides a high level plan through Release 4. There might be a few shifts in approach, timing or scope, but in general, these outcomes will be worked on by the team. Metrics for success will be added as they are defined for releases.
 
-Beyond that, we're still discovering and planning on what best serves our users. This doc will continue to be updated as we make decisions and scope releases. 
+Beyond that, our iterative agile framework will lend itself to feature sets that best serve our users. This doc will continue to be updated as we make decisions and scope releases. 
 
 ## ATO  
-Value Delivered: Get approval for the authority to operate and create a production environment. 
-
-| Outcome | Status | 
-| -------- | ------- | 
-| User can log in using login.gov | Complete
-| Users with appropriate privileges can manage users | Complete
-| Users can upload data files by section and quarter | Complete
-| Users with appropriate privileges can download files that were previously uploaded     | Complete
-|Create production environment | In Progress
-
-## Release 1: Secure access and upload to TDP
-Our first release to production will include the functionality built for ATO (above) and also include secure ways for users to access the system via ACF AMS for ACF users and NextGen XMS/Login.gov for non-ACF users. It is important that these measures are put into place before sensitive production data is uploaded to the system.
-
-| Outcome | Status | 
-| -------- | ------- | 
-| TDP is secure and compliant as a system and for all users. | Nearly Complete
-| TDP Users have a smooth onboarding and login experience that is secure. | Nearly Complete
-| TDP platform is hardened and stable and robust for deployment and live in a production environment. | In Progress
-
-
-## Release 2: Early Secure Release
-This release will allow users to securely upload data into our system in production, replacing a less secure way of doing so, while increasing communication with the users and not increasing burden for OFA Admin staff. This release will allow approximately 8 tribes to pilot the use of login, upload, and download of files, while maintaining TDRS on the backend. While this type of workflow isn't our long term workflow, including it at this point delivers value to the users more quickly. 
-
-_Risks:_ The users who would be onboarded to this process would potentially have to learn and adjust with future releases and changes in functionality and workflow. Increased communication with them should help here.
-| Outcome | Status | 
-| -------- | ------- | 
-| Tribal users are engaged with OFA and communication channels are clear. | In Progress| 
-| Users know how to access and onboard TDP easily. | In Progress| 
-| Users can upload and transmit files securely to TDRS database. |Not Started|
-| Early Tribe and State users can securely upload reports with TDP instead of using unsecured email. |Not Started|
-| Users can resubmit files with error fixes |Not Started|
+Approval for the authority to operate. 
+
+| Outcome | 
+| -------- |
+| User can log in using login.gov |
+| Users with appropriate privileges can manage users | 
+| Users can upload data files by section and quarter | 
+| Users with appropriate privileges can download files that were previously uploaded     | 
+| Approval to create a production environment |
+
+## Release 1  
+This is the first release to the production environment including the ATO and reliable application access to internal and external users in a secure production environment. Additionally it includes user management interface for OFA and System Admin. It is important that these measures are put into place before sensitive production data is uploaded to the system.
+
+| Outcome | 
+| -------- | 
+| TDP is secure and compliant as a system and for all users. |
+| TDP platform is hardened and stable and robust for deployment and live in a production environment. |
+| TDP Users have a secure login experience. |
+| Users with appropriate privileges can download files that were previously uploaded     |
+
+
+## Release 2: Pilot Release
+This release will allow users to securely upload data into our system in production, replacing a less secure way of doing so, while increasing communication with the users and not increasing burden for OFA Admin staff. This release will allow approximately 15 STTs to pilot the use of login, upload, and download of files, while maintaining TDRS on the backend. While this type of workflow isn't our long term workflow, including it at this point delivers value to the users more quickly and provides the team valuable user feedback to validate and improve the application features. 
+
+
+| Outcome |
+| -------- | 
+| Tribal users are engaged with OFA and communication channels are clear. |
+| Users know how to access and onboard TDP easily. |
+| Users can upload and transmit files securely to TDRS database. |
+| Users can resubmit files with error fixes. |
+| Users will receive email notifications on the status of their account and data. |
+| Users can differentiate TANF and SSP files upon submission. |
+| A research oriented TDP environment is created. |
+
 
 
 ## Release 3: Parity, Data Parsing, Automated Status, Notifications
-This release will parse and validate submitted data and store accepted data in a database. This workflow will include automated email notifications and user-friendly in-app error messages to help users better understand their data errors and submission history. This release will also include onboarding more users and will eventually deprecate the legacy TANF Data Reporting System.
+This release will parse and validate submitted data and store accepted data in a database. This workflow will include additional automated email notifications and user-friendly in-app error messages to help users better understand their data errors and submission history. This release will also include Django admin enhancements and onboard all users as it will meet parity with the legacy TANF Data Reporting System.
+
+| Outcome |
+| -------- | 
+| TDP can parse all data sections and types through to the Elasticsearch database. |
+| TDP runs validation checks on all submitted files. |
+| Users receive easy to understand error messages. |
+| Users can view their submission history. |
+| All users will submit all of their data through TDP . |
+| TDP enhancements for System administrator users. |
+
 
 ## Release 4 and Beyond
-In Release 4, we will begin to deliver features beyond parity with TDRS to address user needs, including (but not limited to) pre-submission data cleansing and validation, additional user access management tools, user interface enhancements based on usability testing, and reports and analytics. 
+In Release 4, we will begin to deliver features beyond parity with TDRS to address user needs, including (but not limited to) additional user access management tools, user interface enhancements based on usability testing, and reports and analytics. 
 
 ## Backlog
-The backlog can be found in the [raft-tech fork of the TANF-app GitHub public repository](https://github.com/raft-tech/TANF-app/issues).
+For the most up-to-date status please see the roadmap or backlog at [raft-tech fork of the TANF-app GitHub public repository](https://github.com/raft-tech/TANF-app/issues).
diff --git a/docs/Security-Compliance/Security-Controls/at-2/index.md b/docs/Security-Compliance/Security-Controls/at-2/index.md
@@ -0,0 +1,26 @@
+# Awareness and Training (AT)
+## AT-2c - Security Awareness Training
+The organization provides basic security awareness training to information system(IS) users (including managers, senior executives, and contractors):
+a. As part of initial training for new users;
+b. When required by information system changes; and
+c. [At least every 365 days] thereafter.
+
+The content should:
+
+- provide a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents
+- address awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.
+For CSP Only
+AT-2(c) [at least annually]
+
+## TDP Implementation
+
+TDP's privileged users, as ACF staff, are required to complete the following trainings annually:
+- HHS Records Management Training
+- ACF Privacy 101 Training 
+- ACF Cybersecurity Awareness Training
+- 2022 Introductory Role Based Training for IT Administrators
+
+Per TDP's IPT meeting on April 6, 2022, the abovementioned trainings are sufficient for satisfying AT-2 as well as [Related controls](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=AT): AT-01 (security training policy), AT-03 (role-based security), and AT-04 (security training record-keeping). Copies of certificates of completion are managed in [TDP's Sharepoint site](https://hhsgov.sharepoint.com/:f:/r/sites/TANFDataPortalOFA/Shared%20Documents/compliance/TDP%20System%20Admin%20Trainings?csf=1&web=1&e=cwteMG). :lock:
+
+
+### Related Files
diff --git a/docs/Security-Compliance/boundary-diagram.md b/docs/Security-Compliance/boundary-diagram.md
@@ -6,19 +6,25 @@
 
 ### Data flow
 
-For the MVP, OFA admins will upload data on behalf of STTs and upload data files locally into the web application which will store the files in cloud.gov AWS S3 buckets. Developers will deploy new code through GitHub, initiating the continuous integration process through Circle CI.
+Users with `OFA Admin` and (STT) `Data Analyst` roles can upload data on upload data files locally into the web application which will store the files in cloud.gov AWS S3 buckets only after the files are successfully scanned for viruses via [ClamAV](../Technical-Documentation/Architecture-Decision-Record/012-antivirus-strategy.md). Developers will deploy new code through GitHub, initiating the continuous integration process through Circle CI.
 
 ### Environments/Spaces
 
-Production, Staging, and Dev spaces provide users with access to a shared location for app development, deployment, and maintenance. The frontend and backend application in each environment is scoped to a space. Roles provide access control for these resources and each space role applies only to a particular space. Developer access to the Dev space does not permit access to Production. Development and Staging environments will not contain any PII.
+[Production, Staging, and Dev spaces](../Technical-Documentation/diagrams/tdp-environments.png) provide users with access to a shared location for app development, deployment, and maintenance. The frontend and backend application in each environment is scoped to a space. Roles provide access control for these resources and each space role applies only to a particular space. Developer access to the Dev space does not permit access to Production. Development and Staging environments will not contain any PII.
 
 ### User access
 
-All web users, including OFA admins will log into the system through their web browsers using Login.gov and two factor authentication. Developers will also have access to the Dev Space using SSH. STT users will be required to be approved within the application by an administrator.
+All web users will log into the system through their web browsers. 
+- all non-acf users will leverage Login.gov and two factor authentication.
+- all ACF users will leverage ACF AMS and authenticate using PIV/CAC.  Developers will also have access to the `dev` and `staging` spaces using SSH.
+
+All users will be required to be approved within the application by an administrator.
 
 ### Access points
 
-Beyond web based authentication through Login.gov, and developer SSH access to the Dev Space, CircleCI will also have access to the various environments to support deployments.
+Beyond web-based authentication through ACF AMS or Login.gov, and developer SSH access to the dev Space, CircleCI will also have access to the various environments to support deployments.
+
+TDP system administrators will trigger CircleCI-based deployments via GitHub. 
 
 ### Configuration