GSA/TTS has implemented all of the General Services Administration's (GSA) formal and documented common control policies. All policies are disseminated to employees and contractors via the GSA Internal Directives System and through required recurring training via the GSA Online University.
The GSA Directives Program, under the Executive Secretariat Division in the Office of Administrative Services (OAS), manages GSA's internal directives issuance process and works with GSA's program offices (inclusive of the GSA Office of the Chief Information Officer and the Technology Transformation Service) to ensure policies stay current given any updates to law, regulation, or operational procedures.
These policies are managed as part of the general information security policy for the entire GSA organization, to ensure the consistency of all information security policies.
All GSA employees and contracts are subject to these policies.
The GSA Office of the Chief Information Security Officer, otherwise known as GSA Information Security, is responsible for ensuring that all employees and contractors are familiar with and trained in these policies, and for ensuring that appropriate procedures are established and tested. The TTS Technology Portfolio Director acts as the liaison between GSA Information Security and TTS programs, including cloud.gov. The Cloud Operations team is responsible for all procedures and implementations within cloud.gov.
The GSA Chief Information Security Officer is ultimately responsible for these policies.
GSA Information Security works in close coordination and collaboration with all of the Services of the GSA, including the Technology Transformation Service (TTS). TTS is home to multiple infrastructure and security experts, so implementations, and recommendations for policy additions and improvements, are constantly coordinated between GSA Information Security, TTS Technology Portfolio, and cloud.gov.
The cloud.gov System Owner is ultimately responsible for ensuring that the procedures within cloud.gov adhere to these policies, and for ensuring that cloud.gov maintains its authorization status with the FedRAMP JAB. The FedRAMP program management office (PMO) acts as the Authorizing Official for cloud.gov.
GSA Information Security and the TTS Technology Portfolio review all policies and procedures when new ATOs are required, or once every 3 years, whichever comes first. The teams also review modifications to policies and procedures when modifications become necessary due to changes in law, regulation, or operations.