Research: user needs for compliance director

[ultrasaurus]

Goal: be able to automatically update the dashboard about when projects are preparing for ATO and/or in review, and when ATO is granted and any relevant info

@NoahKunin has expectations about dashboard serving compliance needs

We would like to have a detailed understanding of what exactly is needed, how dashboard might serve those needs and which subset of projects apply

There is a file (system-security-plan.yml) in some projects that seems to be related to the ATO status of that project

Questions about fields in system-security-plan.yml:

• How is the project phase determined?
• Why wouldn't the ATO status be recorded here?
• Does every project have a uniqueID even if there is no system-security-plan.yml?
• How is the name field used?
• Who is responsible for maintaining system-security-plan.yml
• How do we consolidate if possible the data here with the data in .about.yml?
• How might we leverage this data for the dashboard for the purpose of presenting compliance status to our viewers?

[mtorres253]

I will check the compliance toolkit channel to get more information about this request. @NoahKunin is on vacation but will circle with him when he gets back.

[DavidEBest]

@afeld is writing up a page on SSPs here: 18F/before-you-ship#67

[afeld]

@ultrasaurus Hopefully most of your questions should be answered in there...would love feedback!

Why wouldn't the ATO status be recorded here?

SSPs are provided in order for the ATO to be completed. That being said, I think the intention is that it should be kept up-to-date by the project team, so we could add one if folks think it would be useful.

How do we consolidate if possible the data here with the data in .about.yml?

Good point! We can change the schema however we want, so if you have specific suggestions, let us know!

/cc @geramirez