Responsibilities

AppDat Customer Responsibilities

AppDat’s continuous ATO model gives all customers full NASA IT security and compliance authority, but it requires customers to adhere to the AppDat DevSecOps processes and to confirm acceptance of the shared service responsibilities below.

In order to be covered under the AppDat continuous ATO you must review all of the following sections and confirm that the implementation details accurately reflect your application implementations for the following NIST security controls. For any case where the default implementation is not applicable or not followed, you must document your specific implementation that meets the NIST requirement.

AC-6 LEAST PRIVILEGE

Within the application(s), users are initially provisioned an application role with the least privilege level possible. Administrative and high-privilege access is then added to individual users within the application on an as-needed, approved basis.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

Not applicable to any of the applications: none of the applications allow access from an external system, and none allow external systems to process, store, or transmit organization-controlled information.

AC-21 INFORMATION SHARING

Not applicable to any of the applications, as none of the applications provide information sharing of restricted (non-public) data.

AC-22 PUBLICLY ACCESSIBLE CONTENT

For applications that have public accessibility:

a. Designates individuals authorized to post information onto a publicly accessible information system

Only administrators have the access permissions to approve the dissemination of data to the public within the applications.

b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

All administrators are properly trained on the public data dissemination processes to ensure that no nonpublic information is shared publicly.

c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

The administrators perform a manual data review process where all information is reviewed prior to making any data publicly available.

d. Reviews the content on the publicly accessible information system for nonpublic information and removes such information, if discovered.

The administrators regularly review the publicly accessible information, and the AppDat platform provides direct functionality to the administrators to revoke publicly accessible information when necessary.

CM-7 LEAST FUNCTIONALITY

a. Configures the information system to provide only essential capabilities; and

All applications are configured to provide only essential capabilities around the entry, storage, and transmission of application data and functions.

b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services

AppDat manages all aspects of requirement “b.”

RA-5 VULNERABILITY SCANNING

a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

AppDat manages all aspects of requirement “a.”

b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

AppDat manages all aspects of requirement “b.”

c. Analyzes vulnerability scan reports and results from security control assessments;

The application maintainers are responsible for reviewing the weekly AppDat system security scan results within the Gitlab “Security & Compliance” dashboards. In addition, the AppDat SRE team reviews these same dashboards on a weekly basis.

d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

The application maintainers are responsible for providing remediation fixes to the applications per the following timeline:

[Image: remediation-chart]

e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

AppDat manages all aspects of requirement “e.”

SA-2 ALLOCATION OF RESOURCES

The application maintainers are responsible for the annual review of these shared service responsibilities, along with any other application-specific or organization-specific implementation details.

SI-2 FLAW REMEDIATION

The application maintainers are responsible for testing the applications and for identifying and reporting (via issues) any system flaws. Additionally, application maintainers are responsible for remediating those system flaws in a timely manner. Those remediations are to be incorporated via the nominal AppDat DevSecOps processes.

SI-11 ERROR HANDLING

The application maintainers are responsible for ensuring that all error messages produced by the application reveal only the corrective information the user needs and do not reveal any information (such as stack traces, internal hostnames, file paths, or database details) that could be exploited by adversaries.
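One way to implement the SI-11 responsibility, as an added example that is not AppDat's own code: the handler maps each exception to a fixed, corrective message for the client, while the full detail (exception type, message, traceback) goes only to the server-side log under a reference id the user can quote to support. The logger name, the `SAFE_MESSAGES` table and the `ValidationError` class are assumptions made for the example.

```python
"""Sanitized error responses: corrective guidance to the client, full detail to the server log only."""
import logging
import uuid

logger = logging.getLogger("example.app")  # hypothetical logger name


class ValidationError(Exception):
    """Raised by the (hypothetical) application when user input is rejected."""


# Client-facing text per expected error class. Nothing here is derived from the
# exception's own message, so internal detail cannot leak through this table.
SAFE_MESSAGES = {
    "ValidationError": ("The request could not be processed. "
                        "Check the highlighted fields and resubmit."),
    "PermissionError": ("You are not authorized to perform this action. "
                        "Contact your application administrator."),
}
STATUS_CODES = {"ValidationError": 400, "PermissionError": 403}
GENERIC_MESSAGE = "An unexpected error occurred. Please try again later."


def handle_error(exc: Exception) -> dict:
    """Build the error body returned to the client.

    The raw exception text, type and traceback are written to the server log
    with a short reference id; only the reference id and a fixed corrective
    message reach the client.
    """
    ref = uuid.uuid4().hex[:12]
    kind = type(exc).__name__
    # Full detail stays server-side (exc_info attaches the traceback).
    logger.error("error ref=%s type=%s detail=%r", ref, kind, exc, exc_info=exc)
    return {
        "status": STATUS_CODES.get(kind, 500),
        "message": SAFE_MESSAGES.get(kind, GENERIC_MESSAGE),
        "reference": ref,
    }


def leaks_internal_detail(body: dict, exc: Exception) -> bool:
    """Self-check: did any of the raw exception text end up in the client message?"""
    raw = str(exc)
    return bool(raw) and raw in body["message"]


if __name__ == "__main__":
    # Constructed sample failure resembling a database connection error.
    err = RuntimeError("could not connect to server at db-prod-01:5432")
    body = handle_error(err)
    print(body["status"], body["message"], body["reference"])
    print("leaks:", leaks_internal_detail(body, err))  # False
```

The reference id is what lets support staff correlate a user report with the detailed log entry, which is the usual reason teams are tempted to echo the raw exception to the client; generating it on the server removes that temptation without losing diagnosability.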