Security and Compliance
Security is often equated with compliance at GSA. While compliance is an important part of the system life cycle, security is not just compliance. The Office of the Chief Information Security Officer's (OCISO) DevSecOps Program (ODP) aims to ensure that GSA teams who practice DevOps build security into their work from the start. The ODP aims to shift the agency's thinking from Authorizations to Operate (ATOs) and compliance alone to everyday considerations and operations. The ODP is intended to have everyone adopt a "How can we do this securely?" mindset.
ODP Governance Model
The ODP governance model consists of four major areas. Each area sets foundational principles to be followed by each stakeholder. To support an agile DevSecOps culture, these foundational governing principles and their details can be revisited for each engagement and are finalized as a mutually agreed set of principles and rules of engagement (ROE) between OCISO and the integrated teams.
Below you will find the ODP Governance Model in four (4) OCISO DevSecOps categories as applied in FAS. Each area contains guidance for systems currently operating on-premises, systems operating in a FAS Cloud Service Environment, and systems in the process of migrating to a cloud-based solution.
OCISO DevSecOps Governance

Policy & Procedures
- Authority to Operate
- FedRAMP Process
- Ongoing Authorization
- Identity Access Management
- GSA IT Resources

Communication, Reporting & Feedback
- Support Center
- Maintenance Schedule
- End of Life (EOL) Software Tracking
- Service Requests
- Jira
- ServiceNow
- Forms & Templates
- Educational Resource

IT Security Metrics
- Security Metrics
- Vulnerabilities
- Medium/High Critical Security Risks
- Security Patching