diff --git a/.github/ISSUE_TEMPLATE/offboard-team-member.md b/.github/ISSUE_TEMPLATE/offboard-team-member.md index f3ecdb4..ffe4f9f 100644 --- a/.github/ISSUE_TEMPLATE/offboard-team-member.md +++ b/.github/ISSUE_TEMPLATE/offboard-team-member.md @@ -2,9 +2,8 @@ name: Offboard cloud.gov Team Member title: Checklist for Offboarding a Team Member about: This is the checklist and requirements for offboarding a team member from the cloud.gov team -labels: '' -assignees: '' - +labels: "" +assignees: "" --- # Team Member Offboarding Checklist @@ -13,8 +12,8 @@ assignees: '' We must offboard a team member when they are: -* Absent for 30 or more days, or about to be. For example, team members on detail or extended leave. -* Permanently separating from the team. For example, terminated or reassigned. +- Absent for 30 or more days, or about to be. For example, team members on detail or extended leave. +- Permanently separating from the team. For example, terminated or reassigned. See our [AC Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/main/AC-Policy.md), "When a privileged team member has been absent...". 
@@ -22,18 +21,21 @@ See our [AC Policy](https://github.com/cloud-gov/cg-compliance-docs/blob/main/AC - **Do not create this issue until the System Owner has formally authorized and requested it.** You can obtain that OK by one of two ways: A: + - [ ] A: System Owner creates this issue B: + - [ ] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization - [ ] B.2: An operator adds links to the email archive of the authorizing email. + - **Please only use first names.** --- ## Instructions -* [ ] Assign this ticket to the person currently staffing the maintenance rotation. +- [ ] Assign this ticket to the person currently staffing the maintenance rotation. In order to complete `Existing Person`'s exit from the cloud.gov team, the assignee should complete a prescribed set of tasks that will remove any special access. 
@@ -52,14 +54,14 @@ If the person offboarding is a contractor, reach out to the COR to ensure any of - [ ] Remove their access to [StatusPage](https://manage.statuspage.io/organizations/btc69fwyvjh7/team) - [ ] Remove their agent access to Zendesk - [switch their role to "end user"](https://cloud-gov.zendesk.com/agent/admin/people) - [ ] Remove them from `@cg-team`, `@cg-operators`, and any other `@cg-` teams in the Slack Team Directory [using the three-dot menu (instructions)](https://get.slack.help/hc/en-us/articles/212906697-User-Groups) - * Check one of the following: - * [ ] Temporary federal departure: Remove them all private cloud.gov Slack channels, except `#cg-priv-gov`, so they may continue to receive essential team communications. - * [ ] Permanent departure: If the person is leaving permanently, they will be removed from all channels automatically. + - Check one of the following: + - [ ] Temporary federal departure: Remove them all private cloud.gov Slack channels, except `#cg-priv-gov`, so they may continue to receive essential team communications. + - [ ] Permanent departure: If the person is leaving permanently, they will be removed from all channels automatically. 
- [ ] Remove them from the [team roster](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0) - [ ] Remove them from the [squad list](https://github.com/cloud-gov/product/blob/main/DeliveryProcess.md#squads) - [ ] In the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0): if they're staying at TTS, move them to the "former teammates" tab; if they're leaving TTS, delete them from the spreadsheet - [ ] Remove them as invitees for any meetings on the cloud.gov calendar where they are specifically named - - Invites where they are listed as part of the `cloud.gov` invitee group will be removed when they are removed from that group by the System Owner + - Invites where they are listed as part of the `cloud.gov` invitee group will be removed when they are removed from that group by the System Owner - [ ] Remove them from [our dockerhub org](https://hub.docker.com/orgs/cloudgov) ## System Owner (or person delegated by System Owner) @@ -79,7 +81,6 @@ The following do not directly impact cloud.gov security & operations and can hap - [ ] Remove them from [Nessus](https://nessus.fr.cloud.gov/#/settings/users) - [ ] Remove them from [Tenable (if Compliance Team)](https://community.tenable.com/s/contacts] -- [ ] Remove them from the [CG-PRIV Space](https://mail.google.com/mail/u/0/#chat/space/AAAAr60JXAc) - [ ] Remove them from the [Cloud Foundry Community GitHub org cloud.gov team](https://github.com/orgs/cloudfoundry-community/teams/cloud-gov/members) - [ ] Remove them from [the cloud.gov operations Google Group](https://groups.google.com/a/gsa.gov/forum/#!managemembers/cloud-gov-operations/members/active) - [ ] Remove them from [the cloud.gov compliance team Google Group](https://groups.google.com/a/gsa.gov/forum/?hl=en#!managemembers/cloud-gov-compliance/members/active) 
@@ -95,12 +96,12 @@ The following do not directly impact cloud.gov security & operations and can hap **The following steps must be conducted and documented within 24 hours of departure**: -* [ ] Not a member of Engineering +- [ ] Not a member of Engineering -- or -- - [ ] Delete the user in all cloud.gov AWS accounts by submitting a PR to [`aws-admin`](https://github.com/cloud-gov/aws-admin) - [ ] [Remove their access as an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) on the platform - [ ] Remove any privileges that their cloud.gov account has due to membership in the cloud.gov team (even if not in Cloud Ops), such as `admin_ui.user` and `scim.read` - - [ ] Verify these permissions have been removed using the [cg-scripts validate-admins.sh](https://github.com/18F/cg-scripts/blob/master/validate-admins.sh) run from a jumpbox + - [ ] Verify these permissions have been removed using the [cg-scripts validate-admins.sh](https://github.com/18F/cg-scripts/blob/master/validate-admins.sh) run from a jumpbox - [ ] Remove any Org or Space roles that their cloud.gov account holds due to membership in the cloud.gov team (for example, remove them from the `cloud-gov` and `cloud-gov-operators` organizations) diff --git a/.github/ISSUE_TEMPLATE/onboard-compliance.md b/.github/ISSUE_TEMPLATE/onboard-compliance.md index 7f7ba7c..2b013a1 100644 --- a/.github/ISSUE_TEMPLATE/onboard-compliance.md +++ b/.github/ISSUE_TEMPLATE/onboard-compliance.md 
@@ -1,124 +1,91 @@ --- name: Onboard New cloud.gov Compliance Team Member -title: Checklist for Onboarding a New Compliance Team Member +title: Compliance Checklist for Onboarding (first name here) about: This is the checklist and requirements for onboarding a new compliance team member to the cloud.gov team -labels: '' -assignees: '' - +labels: "" +assignees: "" --- # New Compliance Team Member Onboarding Checklist ## Special Notes -- **Do not create this issue until the System Owner has formally authorized and requested it.**. You can get that OK by one of two ways: - - A: - - [ ] A: System Owner creates this issue - - B: - - [ ] B.1: System owner emails and with their authorization - - [ ] B.2: An operator adds a link to the Google Group conversation that includes the authorizing email. -- **Please only use first names.** +- [ ] Paste a link to the general onboarding ticket, which includes the onboarding authorization, here: --- -In order to get `New Person` productively contributing to the cloud.gov team, `Buddy` should help `New Person` complete a prescribed set of tasks that will bring them up to speed and get them setup with cloud.gov. - -## Instructions - -1. Try to go through the checklists in order. -2. If `Buddy` can’t complete any of the items on their checklist personally, _they are responsible for ensuring that someone with the correct access completes that item_. - -## Onboarding Checklist - -### Required items for all team members - -These items help us fulfill security and compliance requirements (including for FedRAMP). If you get stuck, or if these requirements are confusing, ask for help from your buddy or in a cloud.gov channel. - -- [ ] Take judicious notes on what about this onboarding process or cloud.gov is confusing or frustrating. If you notice a problem (especially with things like documentation), you are more than welcome to fix it! 
At the very least, please share this information with your onboarding buddy (or someone) at some point so we can make the team/platform better. (You can also file issues and pull requests on [the template Onboarding checklist](https://github.com/cloud-gov/product/blob/main/.github/ISSUE_TEMPLATE/onboard-compliance.md). -- [ ] Be sure to introduce yourself and follow up with your onboarding buddy (they should have reached out to you at this point; if they haven't, please let the team know) and make sure this issue is assigned to them in our [Github Project Planning Board](https://github.com/orgs/cloud-gov/projects/2). We use this board to organize, prioritize, and track our work. - -#### Pre-requisites +## Complete additional cloud.gov trainings -- [ ] Complete [GSA OLU](https://gsaolu.gsa.gov/) GSA Mandatory Cyber Security and Privacy Training, including accepting the GSA IT Rules of Behavior, which is required before we can give you access to any cloud.gov systems. If you joined GSA more than two months ago, you've already completed this task and can just check the box. +
+ + Federal employees and staff contractors, expand this section. Not applicable to project contractors. + -#### Fulfill security and compliance requirements (including for FedRAMP) - Completed by onboarding buddy +Compliance staff who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: -- [ ] Make sure they're in [the list of people working on the project](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0). -- [ ] Add their name, whether they're Cloud Ops (Platform), and the date they joined the team to the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). Copy the formulas for the due dates from an existing row (grab the "corner" of the cells and pull down). -- [ ] As they complete training, fill out their completion dates in the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). -- [ ] Add them to the @cloud-gov-team [in Slack’s Team Directory](https://get.slack.help/hc/en-us/articles/212906697-User-Groups#edit-a-user-group). -- [ ] Review the recurring cloud.gov meetings that are relevant for them in [the team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (they will get access to this when added to the cloud.gov Team Google Group). -- [ ] Add them to the [`cloud-gov`](https://github.com/orgs/cloud-gov/people) organization in GitHub, and the [`cloud-gov-team`](https://github.com/orgs/cloud-gov/teams/cloud-gov-team) team. +- [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). 
This will cover the following document, which you should also review before or after training: + - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). +- [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: + - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). -#### Learn our policies and procedures +
-For the three trainings list at the top, your onboarding buddy will create a separate ticket to track the trainings once scheduling has been finished. This will help consolidate trainings for multiple new members to the team and prevent them from blocking progress on this onboarding ticket. Once the trainings are scheduled, they can be marked as complete here. +## Learn our policies and procedures -- [ ] Coordinate with the compliance team to go through Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). -- [ ] Coordinate with the compliance team to go through [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). -- [ ] Coordinate with the compliance team to go through [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - - [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. - - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). 
+- [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). - [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) -### Getting to know cloud.gov +## Slack channels -These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. While you -should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming -very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. - -- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/master/Onboarding.md) for more context about cloud.gov. -- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/master/PertinentLinks.md). 
-- [ ] Read through [the Overview section of our site](https://cloud.gov/docs/overview/what-is-cloudgov/) for a broader understanding of cloud.gov, especially how we present it to potential customers and users. -- [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. - - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. -- [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/master/StoryLifecycle.md) to learn about how we work. -- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. -- [ ] Add the [cloud.gov Google Drive folder](https://drive.google.com/drive/folders/0Bx6EvBXVDWwheUtVckVnOE1pRzA) to your Google Drive -- that's where we put cloud.gov docs. If you create or move a doc there, it'll get the right access permissions for team members to be able to view and edit it. -- [ ] Subscribe to [the cloud.gov team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (click the + in the bottom right) so you know when assorted team meetings are happening in the various squads. Tip: When you plan Out of Office time, make a calendar event for that on the cloud.gov calendar so that your teammates know you'll be away +Project contractors: Your buddy will add you to the private channel for your project. -### Slack channels +
+ + Federal employees and staff contractors, expand this section: + Your onboarding buddy will add you to these Slack channels: +- [ ] `#cg-aws-security` - private channel where bots post security notices - [ ] `#cg-billing` - private business development channel (if applicable) - [ ] `#cg-incidents` - private channel for incident response +- [ ] `#cg-ops-banter` - private channel for operations/engineering banter - [ ] `#cg-priv-all` - private channel for in-team discussion -- [ ] `#cg-priv-gov` (Federal employees only) - may contain discussion of contracting-related or other private, federal-employee-only comms -- [ ] `#cg-aws-security` - channel for alerts posted by automation about possible AWS security issues - -You can add yourself to these channels: - -- [ ] `#cg-ask-aws` - channel to communicate with representations from AWS -- [ ] `#cg-business` - business development (if applicable) -- [ ] `#cg-compliance` - compliance-related information and discussion -- [ ] `#cg-offtopic` - off-topic team sharing -- [ ] `#cg-platform` - platform operations -- [ ] `#cg-platform-news` - bots post platform alerts -- [ ] `#cg-general` - program-level information and discusion -- [ ] `#cg-support` - support requests and assistance within TTS +- [ ] `#cg-priv-compliance` - private channel for security and compliance discussions -You probably want to mute these channels: - -- [ ] `#cg-support` - support requests and assistance within TTS -- [ ] `#cg-platform-news` - platform alerts -- [ ] `#cloud-gov` - bots post announcements here +
You might also be interested in these channels: - [ ] `#g-security-compliance` - Channel for the Security & Compliance guild - [ ] `#dev` - general chat for all TTS engineers +## Google Groups + +- [ ] [cloud.gov Compliance](https://groups.google.com/a/gsa.gov/g/cloud-gov-compliance/members) (external-facing email address for communications with FedRAMP and others) + +## Getting to know cloud.gov + +These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. While you +should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming +very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. + +- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/main/Onboarding.md) for more context about cloud.gov. +- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/main/PertinentLinks.md). +- [ ] Read through [the Overview section of our site](https://cloud.gov/docs/overview/what-is-cloudgov/) for a broader understanding of cloud.gov, especially how we present it to potential customers and users. +- [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. + - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. +- [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/main/StoryLifecycle.md) to learn about how we work. +- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. 
+ ## Compliance-role specific items -You should already have admin rights on your machine as a part of its original setup. If for whatever reason you don't, -Please let your onboarding buddy know and they will help you request [local admin rights](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) on your GFE Mac using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). +### Machine admin rights + +- [ ] In order to install development tools on your Mac, you will need to request local admin rights by [submitting a ServiceDesk ticket](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). If you're unable to create a ticket for yourself, your onboarding buddy can create one for you. ### Other tooling and access for compliance 
@@ -129,64 +96,44 @@ Please let your onboarding buddy know and they will help you request [local admi Before starting this section, you must complete: -1. GSA Mandatory Cyber Security and Privacy Training -1. Role-based trainings listed under "Learn our policies and procedures" +1. GSA IT Security & Privacy Awareness Training +1. Role-based trainings listed under [Learn our policies and procedures](#learn-our-policies-and-procedures) AWS user names should be identical across accounts so that permissions can be correctly managed by Terraform. -- [ ] Create [AWS Accounts](https://cloud.gov/docs/ops/aws-onboarding/) via the AWS web console (not Terraform) and provide one-time credentials - these will be setup with read-only/auditor permissions, and once the 3 mandatory cloud.gov trainings are complete they will be added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): +- [ ] Create AWS Accounts via the AWS web console (not Terraform) and provide one-time credentials - these will be setup with read-only/auditor permissions, and once the 3 mandatory cloud.gov trainings are complete they will be added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): - [ ] AWS Commercial accounts - [ ] AWS GovCloud accounts - [ ] Add them to Nessus Manager via the GUI + - [ ] Add them to the ScanAdmins team in Settings > Groups - [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform. - [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub. - [ ] Add them to [the cloud.gov team Google Group](https://groups.google.com/a/gsa.gov/forum/?hl=en#!forum/cloud-gov) so they can participate in team-wide internal communication. 
- [ ] Add them to the `cloud-gov-assurance-team` Google Group for meeting invites and communications - [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count -- [ ] **If necessary:** Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/) -- [ ] Business Unit Only - Add them to the [cloud.gov inquiries Google Group](https://groups.google.com/a/gsa.gov/forum/#!forum/cloud-gov-inquiries) so they can keep apprised of prospective new clients. Your onboarding buddy will create a separate ticket tied to this one to track the AWS accounts being granted full admin access. ### Additional compliance setup/review -- [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/master/README.md) +- [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/main/README.md) - [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue - [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) ### Install a development environment for cloud.gov - [ ] Install [Homebrew (`brew`)](https://brew.sh/) -- [ ] Install [CloudFoundry for mac per their docs](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html#pkg-mac): - - `brew tap cloudfoundry/tap` - - `brew install cf-cli@8` - - `brew install openssl` -- [ ] Verify CloudFoundry Installation via the CLI (once an existing cloud.gov teammate has [made your cloud.gov admin account](https://cloud.gov/docs/ops/managing-users/#creating-admins)) +- [ ] Clone [the product repo](https://github.com/cloud-gov/product), `cd` into it, and run `brew bundle install` to install everything in `Brewfile`. 
+- [ ] Verify CloudFoundry installation via the CLI (once an existing cloud.gov teammate has [made your cloud.gov admin account](https://cloud.gov/docs/ops/managing-users/#creating-admins)) - `cf login -a api.fr.cloud.gov --sso` - `cf orgs` - - As a cloud.gov compliance team member, you should have a very giant list of organizations + - As a cloud.gov team member, you should have a long list of organizations - If you have none or one (e.g. sandbox) org, please reach out to your onboarding buddy -- [ ] Install the [Bosh CLI using their instructions for MacOS](https://bosh.io/docs/cli-v2-install/#using-homebrew-on-macos) - - `brew install cloudfoundry/tap/bosh-cli` - - [ ] Verify the installation by running `bosh -v` in the command line -- [ ] Install Terraform and other tools per [cg-provision](https://github.com/cloud-gov/cg-provision) - - `brew install terraform` - - `brew install awscli` - - `brew install jq` - - [ ] Verify Terraform installed and is in your path: run `terraform` and helper text should display - - [ ] Verify AWS CLI installed and is in your path: run `aws` and helper text should display -- [ ] Install and configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) -- [ ] Install the Concourse `fly` CLI - - Download the `fly` binary zip for MacOS from https://concourse-ci.org/ - - Extract the binary and move it to `/usr/local/bin/fly` so it's in your path - - `cd ~/Downloads` - - `mv fly /usr/local/bin/fly` - - [ ] Verify by running `fly -h` in your command line - - This may fail due to app security policy on your mac rejecting apps from unidentified developers. - - You can try the procedure [here](https://www.imore.com/how-open-apps-anywhere-macos-catalina-and-mojave) to change the app's security settings. 
+- [ ] Configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) +- [ ] Fix `fly`, the Concourse CLI, by running `xattr -d com.apple.quarantine /opt/homebrew/bin/fly`. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine. Verify by running `fly -h` in your command line. - [ ] Install cloud.gov dev tools by cloning the [`cg-scripts` repo](https://github.com/cloud-gov/cg-scripts/): run `git clone https://github.com/cloud-gov/cg-scripts.git` in your command line -These are items that are only necessary for someone stepping into a compliance role, but you can still subscribe to the alerts and mailing lists if you're interested: +## Security and Compliance News - [ ] Subscribe to CISA alerts/updates: - [ ] Subscribe to FedRAMP mailing lists: diff --git a/.github/ISSUE_TEMPLATE/onboard-engineer.md b/.github/ISSUE_TEMPLATE/onboard-engineer.md index d38e486..fd629df 100644 --- a/.github/ISSUE_TEMPLATE/onboard-engineer.md +++ b/.github/ISSUE_TEMPLATE/onboard-engineer.md 
@@ -1,99 +1,81 @@ --- name: Onboard New cloud.gov Engineer -title: Checklist for Onboarding a New Engineer -about: This is the checklist and requirements for onboarding a new Engineer to the cloud.gov team -labels: '' -assignees: '' - +title: Engineering Checklist for Onboarding (first name here) +about: Onboarding checklist for engineers. Pairs with a general onboarding checklist. +labels: "" +assignees: "" --- # New Engineer Onboarding Checklist ## Special Notes -- **Do not create this issue until the System Owner has formally authorized and requested it.**. You can get that OK by one of two ways: - - A: - - [ ] A: System Owner creates this issue - - B: - - [ ] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization - - [ ] B.2: An operator adds a link to the Google Group conversation that includes the authorizing email. -- **Please only use first names.** +- [ ] Paste a link to the general onboarding ticket, which includes the onboarding authorization, here: --- -In order to get `New Person` productively contributing to the cloud.gov team, `Buddy` should help `New Person` complete a prescribed set of tasks that will bring them up to speed and get them setup with cloud.gov. - -## Instructions - -1. Try to go through the checklists in order. -2. If `Buddy` can’t complete any of the items on their checklist personally, _they are responsible for ensuring that someone with the correct access completes that item_. - -## Required items for all team members - -These items help us fulfill security and compliance requirements (including for FedRAMP). If you get stuck, or if these requirements are confusing, ask for help from your buddy or in a cloud.gov channel. - -- [ ] Take judicious notes on what about this onboarding process or cloud.gov is confusing or frustrating. If you notice a problem (especially with things like documentation), you are more than welcome to fix it! 
At the very least, please share this information with your onboarding buddy (or someone) at some point so we can make the team/platform better. (You can also file issues and pull requests on [the template Onboarding checklist](https://github.com/cloud-gov/product/blob/main/.github/ISSUE_TEMPLATE/onboard-platform-ops.md). -- [ ] Be sure to introduce yourself and follow up with your onboarding buddy (they should have reached out to you at this point; if they haven't, please let the team know) and make sure this issue is assigned to them in our [Github Project Planning Board](https://github.com/orgs/cloud-gov/projects/27/views/1). We use this board to organize, prioritize, and track our work. +## Complete additional cloud.gov trainings -### Pre-requisites - -- [ ] Complete [GSA OLU](https://gsaolu.gsa.gov/) IT Security & Privacy Awareness Training, which includes accepting the GSA IT Rules of Behavior. This is required before we can give you access to any cloud.gov systems. If you joined GSA more than two months ago, you've already completed this task and can check the box. - -### Fulfill security and compliance requirements (including for FedRAMP) - Completed by onboarding buddy +
+ + Federal employees and staff contractors, expand this section. Not applicable to project contractors. + -- [ ] Make sure they're in the [Team Roster](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0). -- [ ] Add their name, whether they're Cloud Operations, and the date they joined the team to the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). - - Copy the formulas for the due dates from an existing row (grab the "corner" of the cells and pull down). - - As they complete training, fill out their completion dates in the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). -- [ ] Add them to the @cloud-gov-team [in Slack’s Team Directory](https://get.slack.help/hc/en-us/articles/212906697-User-Groups#edit-a-user-group). -- [ ] Inform them of recurring cloud.gov meetings that are relevant for them in [the team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (they will get access to this when added to the cloud.gov Team Google Group). -- [ ] Add them on GitHub to the [`cloud-gov-team`](https://github.com/orgs/cloud-gov/teams/cloud-gov-team) team, which will automatically invite them to our [`cloud-gov`](https://github.com/orgs/cloud-gov/people) organization. +Engineers who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: -### Complete cloud.gov trainings +- [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). 
This will cover the following document, which you should also review before or after training: + - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). +- [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: + - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). -Onboarding buddy: Contact the compliance team in [#cg-compliance](https://gsa.enterprise.slack.com/archives/C0A1Z7L2U) to schedule training(s). +
-All team members: +## Slack channels -- [ ] Coordinate with your onboarding buddy to schedule [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - - [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. - - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). +Project contractors: Your buddy will add you to the private channel for your project.
Federal employees and staff contractors, expand this section: -Engineers who are federal employees and staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: +Your onboarding buddy will add you to these Slack channels: -- [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Contingency Plan](https://docs.cloud.gov/ops/contingency-plan/). -- [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). +- [ ] `#cg-aws-security` - private channel where bots post security notices +- [ ] `#cg-billing` - private business development channel (if applicable) +- [ ] `#cg-incidents` - private channel for incident response +- [ ] `#cg-ops-banter` - private channel for operations/engineering banter +- [ ] `#cg-priv-all` - private channel for in-team discussion +- [ ] `#cg-priv-compliance` - private channel for security and compliance discussions
-### Learn more policies and procedures +## Google Groups + +- [ ] [cloud.gov AWS](https://groups.google.com/a/gsa.gov/g/cloud-gov-aws/members) +- [ ] [cloud.gov Notifications](https://groups.google.com/a/gsa.gov/g/cloud-gov-notifications/members) (🗣️) +- [ ] [cloud.gov Operations](https://groups.google.com/a/gsa.gov/g/cloud-gov-operations/members) +- [ ] [cloud.gov Security](https://groups.google.com/a/gsa.gov/g/cloud-gov-security/members) +- [ ] [cloud.gov Support](https://groups.google.com/a/gsa.gov/g/cloud-gov-support/members) (🗣️) + +Channels marked with (🗣️) receive a lot of messages, either from customers or bots, and you may want to mute them. + +## Learn our policies and procedures In addition to the topics in [the trainings section](#complete-cloudgov-trainings), review the following documents: +- [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). - [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). 
Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) - [ ] Review the team's [Engineering Practices](https://github.com/cloud-gov/internal-docs/tree/main/docs/resources/Engineering-Practices). Some of these are mandatory because they fulfill FedRAMP requirements. -### Getting to know cloud.gov - -These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. While you should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. +## Getting to know cloud.gov Resources on cloud.gov: - [ ] View the video: [A Technical Overview of cloud.gov](https://youtu.be/lwQCDeIm1Es) -- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/master/Onboarding.md) for more context about cloud.gov. -- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/master/PertinentLinks.md). -- [ ] Read through [the Overview section of our site](https://cloud.gov/docs/overview/what-is-cloudgov/) for a broader understanding of cloud.gov, especially how we present it to potential customers and users. - [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/master/StoryLifecycle.md) to learn about how we work. - [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. 
@@ -109,117 +91,47 @@ Getting hands-on with cloud.gov: - [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. -Team resources: - -You will automatically be added to one or more Google Drives: the [Cloud.gov All Staff Drive](https://drive.google.com/drive/folders/0ANH-Bql6mXGBUk9PVA) and, for federal employees, the [Cloud.gov Federal Employees Drive](https://drive.google.com/drive/folders/0AE_c0OLGmVIgUk9PVA). Put all documents related to cloud.gov in the appropriate shared drive so the team can access them and meet federal records requirements. Each drive contains a folder for each squad, and each squad folder contains a "wiki" that explains how the sub-folders are structured. - -
- - Federal employees and staff contractors, expand this section: - - -- [ ] Subscribe to [the cloud.gov team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (click the + in the bottom right) so you know when assorted team meetings are happening in the various squads. Tip: When you plan Out of Office time, make a calendar event for that on the cloud.gov calendar so that your teammates know you'll be away - -
- -### Slack channels - -The following cloud.gov channels are public and all team members are welcome to join: - -- [ ] `#cg-aws-status` - bots post announcements about AWS service outages/incidents -- [ ] `#cg-business` - business development (if applicable) -- [ ] `#cg-compliance` - compliance-related information and discussion -- [ ] `#cg-customer-success` - customer success squad channel -- [ ] `#cg-general` - program-level information and discussion -- [ ] `#cg-offtopic` - off-topic team sharing -- [ ] `#cg-platform-news` (🗣️) - bots post platform alerts (mostly CI job notifications) -- [ ] `#cg-platform` - platform operations -- [ ] `#cg-support` (🗣️) - support requests and assistance within TTS -- [ ] `#cg-supportstream` (🗣️) - stream of activity on Zendesk tickets -- [ ] `#cloud-gov` (🗣️) - bots post announcements here - -Channels marked with (🗣️) receive a lot of messages, either from customers or bots, and you may want to mute them. - -Project contractors: Your buddy will add you to the private channel for your project. - -
- - Federal employees and staff contractors, expand this section: - - -Your onboarding buddy will add you to these Slack channels: - -- [ ] `#cg-aws-security` - private channel where bots post security notices -- [ ] `#cg-billing` - private business development channel (if applicable) -- [ ] `#cg-incidents` - private channel for incident response -- [ ] `#cg-ops-banter` - private channel for operations/engineering banter -- [ ] `#cg-priv-all` - private channel for in-team discussion -- [ ] `#cg-priv-compliance` - private channel for security and compliance discussions - -Lastly, for federal employees only: - -- [ ] `#cg-priv-gov` - may contain discussion of contracting-related or other private, federal-employee-only comms - -
- ## Engineering-specific items ### Machine admin rights -In order to install development tools on your Mac, you will need to request local admin rights by [submitting a ServiceDesk ticket](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). If you're unable to create a ticket for yourself, your onboarding buddy can create one for you. +- [ ] In order to install development tools on your Mac, you will need to request local admin rights by [submitting a ServiceDesk ticket](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). If you're unable to create a ticket for yourself, your onboarding buddy can create one for you. -### Cloud Operations account management +### Engineering account management Before starting this section, you must complete: -1. GSA Mandatory Cyber Security and Privacy Training -1. Role-based trainings listed under "Learn our policies and procedures" +1. GSA IT Security & Privacy Awareness Training +1. Role-based trainings listed under [Learn our policies and procedures](#learn-our-policies-and-procedures) AWS user names should be identical across accounts so that permissions can be correctly managed by Terraform. -- [ ] Create [AWS Accounts](https://cloud.gov/docs/ops/aws-onboarding/) by following [these instructions](https://github.com/cloud-gov/aws-admin/blob/main/docs/user_mgmt.md). 
These accounts should be setup as read-only at the start, and once the 3 mandatory cloud.gov trainings are complete they will be switched to full admin accounts and added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): +- [ ] Create AWS Accounts by following [these instructions](https://github.com/cloud-gov/aws-admin/blob/main/docs/user_mgmt.md). These accounts should be setup as read-only at the start, and once the 3 mandatory cloud.gov trainings are complete they will be switched to full admin accounts and added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): - [ ] AWS Commercial accounts - [ ] AWS GovCloud accounts - - [ ] Ensure new person has 60-day Google Calendar reminder to reset passwords + - [ ] Ensure new person creates a 55-day Google Calendar reminder to update passwords, which expire every 60 days - [ ] Add them to Nessus Manager via the GUI -- [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform. -- [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub. -- [ ] Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/) -- [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count -- [ ] Add them as an `agent` to the cloud.gov support Zendesk (Ask a cloud.gov member with admin access to Zendesk to add them). -- [ ] Add them as Technical users to [Ubuntu Advantage](https://ubuntu.com/pro/users) (Admin users for leads and supervisors) - -Your onboarding buddy will create a separate ticket tied to this one to track the AWS accounts being granted full admin access. - -### Google Groups and Spaces - -We manage calendar invites and Google Drive access using Google Groups. Some groups can also receive message from outside emails. 
- -- [ ] Project contractors: Add them to the [cloud.gov Project Contractors Google Group]() for access to the All Staff Google Drive. + - [ ] Add them to the ScanAdmins team in Settings > Groups
Federal employees and staff contractors, expand this section: -Add them to the following Google Groups: - -- [ ] [cloud.gov Team](https://groups.google.com/a/gsa.gov/forum/?hl=en#!forum/cloud-gov) so they can participate in team-wide internal communication. -- [ ] Business Unit Only - Add them to the [cloud.gov inquiries Google Group](https://groups.google.com/a/gsa.gov/forum/#!forum/cloud-gov-inquiries) so they can keep apprised of prospective new clients. +You are a member of the Cloud Operations team, which means you have additional administrative permissions: -And the following Google Space: - -- [ ] [CG-PRIV](https://mail.google.com/mail/u/0/#chat/space/AAAAr60JXAc), a fallback team communication channel in the event Slack is down. - -Lastly, for federal employees only: - -- [ ] [cloud.gov Federal Employees](https://groups.google.com/a/gsa.gov/g/cloud-gov-federal-employees/members) +- [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform. +- [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub. +- [ ] Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/) +- [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count +- [ ] Add them as an `agent` to the cloud.gov support Zendesk (Ask a cloud.gov member with admin access to Zendesk to add them). +- [ ] Add them as Technical users to [Ubuntu Advantage](https://ubuntu.com/pro/users) (Admin users for leads and supervisors)
### Additional compliance setup/review -- [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/master/README.md) +- [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/main/README.md) - [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue - [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) and paste the output of `git config commit.gpgsign` as a comment on this GitHub issue 
@@ -228,28 +140,14 @@ Lastly, for federal employees only: > **Note:** Make sure you have followed the instructions in [Machine admin rights](#machine-admin-rights) at the top of this section to get local admin rights on your machine before moving forward - [ ] Install [Homebrew (`brew`)](https://brew.sh/) -- [ ] Install [CloudFoundry for mac per their docs](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html#pkg-mac): - - `brew tap cloudfoundry/tap` - - `brew install cf-cli@8` - - `brew install openssl` -- [ ] Verify CloudFoundry Installation via the CLI (once an existing cloud.gov teammate has [made your cloud.gov admin account](https://cloud.gov/docs/ops/managing-users/#creating-admins)) +- [ ] Clone [the product repo](https://github.com/cloud-gov/product), `cd` into it, and run `brew bundle install` to install everything in `Brewfile`. +- [ ] Verify CloudFoundry installation via the CLI (once an existing cloud.gov teammate has [made your cloud.gov admin account](https://cloud.gov/docs/ops/managing-users/#creating-admins)) - `cf login -a api.fr.cloud.gov --sso` - `cf orgs` - - As a cloud.gov team member, you should have a very giant list of organizations + - As a cloud.gov team member, you should have a long list of organizations - If you have none or one (e.g. 
sandbox) org, please reach out to your onboarding buddy -- [ ] Install the [Bosh CLI using their instructions for MacOS](https://bosh.io/docs/cli-v2-install/#using-homebrew-on-macos) - - `brew install cloudfoundry/tap/bosh-cli` - - [ ] Verify the installation by running `bosh -v` in the command line -- [ ] Install Terraform and other tools per [cg-provision](https://github.com/cloud-gov/cg-provision) - - `brew install terraform` - - `brew install awscli` - - `brew install jq` - - [ ] Verify Terraform installed and is in your path: run `terraform` and helper text should display - - [ ] Verify AWS CLI installed and is in your path: run `aws` and helper text should display -- [ ] Install and configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) -- [ ] Install the Concourse `fly` CLI. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine: - - `brew install fly && xattr -d com.apple.quarantine /opt/homebrew/bin/fly`. - - [ ] Verify by running `fly -h` in your command line +- [ ] Configure `aws-vault` by [following our directions](https://cloud.gov/docs/ops/secrets/#aws-credentials) +- [ ] Fix `fly`, the Concourse CLI, by running `xattr -d com.apple.quarantine /opt/homebrew/bin/fly`. Concourse does not sign `fly` with an Apple Developer account, so you must use `xattr` to manually remove the binary from quarantine. Verify by running `fly -h` in your command line. - [ ] Install cloud.gov dev tools by cloning the [`cg-scripts` repo](https://github.com/cloud-gov/cg-scripts/): run `git clone https://github.com/cloud-gov/cg-scripts.git` in your command line ### Figure out your first tasks @@ -258,30 +156,23 @@ Project contractors: Check in with your project lead about first tasks.
- Federal employees and staff contractors, expand this for instructions. + Federal employees and staff contractors, expand this for instructions: -Please work with your onboarding buddy and your squad to determine a platform component to work on first. Once you've identified the component you're going to focus on, your onboarding buddy will introduce you to someone who can onboard you to that project in specific. For the next few sprints, work on features, bugs, and improvements on this component. Reach out to your onboarding buddy or anyone else on the team if you need any help. Here are some easily-separated pieces to consider: +The engineering team currently contains the following squads, each with their own projects: -- S3 broker (Golang, Open Service Broker API) -- Aws broker (Golang, Open Service Broker API) -- Domain brokers and friends (New stuff is all python + Open Service Broker API): - - External-domain broker - - legacy domain broker - - cdn broker -- Logging stack (BOSH, ELK) -- Prometheus (BOSH) -- Stratos (golang + js) -- uaa-extras (python + OIDC) -- shibboleth (Java, OIDC) +- Assurance, which focuses on security and compliance +- Platform, which maintains and improves cloud.gov, focusing on internals like our AWS architecture and Cloud Foundry +- Customer Success, which focuses on customer-facing features like service brokers and observability tools -
+If you are not already assigned to a particular squad, work with your onboarding buddy to join squad standups and learn what each squad is working on. + -## Compliance items +## Assurance-specific items -These are items that are only necessary for someone stepping into a compliance role, but you can still subscribe to the alerts and mailing lists if you're interested: +These items are only mandatory for someone stepping into an Assurance squad role, but you are welcome to subscribe even if you are on another squad: -- [ ] Subscribe to CISA alerts/updates: -- [ ] Subscribe to FedRAMP mailing lists: +- [ ] Subscribe to CISA alerts/updates: https://www.cisa.gov/about/contact-us/subscribe-updates-cisa +- [ ] Subscribe to FedRAMP mailing lists: https://public.govdelivery.com/accounts/USGSA/subscriber/topics?qsp=USGSA_2224 - [ ] Read Compliance Lead documents at root of the [Google Drive Security and Compliance](https://drive.google.com/drive/u/0/folders/1_vAXZsdVFYssR1DRCaavBCoDE_uxQCI5) folder diff --git a/.github/ISSUE_TEMPLATE/onboard-support.md b/.github/ISSUE_TEMPLATE/onboard-support.md index 0d96088..523bf32 100644 --- a/.github/ISSUE_TEMPLATE/onboard-support.md +++ b/.github/ISSUE_TEMPLATE/onboard-support.md 
@@ -1,122 +1,75 @@ --- name: Onboard New cloud.gov Support Team Member -title: Checklist for Onboarding a cloud.gov Support Team Member +title: Support Checklist for Onboarding (first name here) about: This is the checklist and requirements for onboarding a new support team member to the cloud.gov team -labels: '' -assignees: '' - +labels: "" +assignees: "" --- # New Support Team Member Onboarding Checklist ## Special Notes -- **Do not create this issue until the System Owner has formally authorized and requested it.**. You can get that OK by one of two ways: - - A: - - [ ] A: System Owner creates this issue - - B: - - [ ] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization - - [ ] B.2: An operator adds a link to the Google Group conversation that includes the authorizing email. -- **Please only use first names.** +- [ ] Paste a link to the general onboarding ticket, which includes the onboarding authorization, here: --- -In order to get `New Person` productively contributing to the cloud.gov team, `Buddy` should help `New Person` complete a prescribed set of tasks that will bring them up to speed and get them setup with cloud.gov. - -## Instructions - -1. Try to go through the checklists in order. -2. If `Buddy` can’t complete any of the items on their checklist personally, _they are responsible for ensuring that someone with the correct access completes that item_. - -## Onboarding Checklist - -### Required items for all team members +## Complete additional cloud.gov trainings -These items help us fulfill security and compliance requirements (including for FedRAMP). If you get stuck, or if these requirements are confusing, ask for help from your buddy or in a cloud.gov channel. +
+ + Federal employees and staff contractors, expand this section. Not applicable to project contractors. + -- [ ] Take judicious notes on what about this onboarding process or cloud.gov is confusing or frustrating. If you notice a problem (especially with things like documentation), you are more than welcome to fix it! At the very least, please share this information with your onboarding buddy (or someone) at some point so we can make the team/platform better. (You can also file issues and pull requests on [the template Onboarding checklist](https://github.com/cloud-gov/product/blob/main/.github/ISSUE_TEMPLATE/onboard-support.md). -- [ ] Be sure to introduce yourself and follow up with your onboarding buddy (they should have reached out to you at this point; if they haven't, please let the team know) and make sure this issue is assigned to them in our [Github Project Planning Board](https://github.com/orgs/cloud-gov/projects/2). We use this board to organize, prioritize, and track our work. +Engineers who are federal employees or staff contractors have a Contingency Plan role and may participate in Incident Response, so they must complete the CP and IR trainings. Project contractors do not need to complete these trainings. Check one of the following: -#### Pre-requisites +- [ ] Coordinate with your onboarding buddy to schedule Contingency Planning training within 60 days. (and annually after that). This will cover the following document, which you should also review before or after training: + - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). +- [ ] Coordinate with your onboarding buddy to schedule [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). 
This will cover the following document, which you should also review before or after training: + - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). -- [ ] Complete [GSA OLU](https://gsaolu.gsa.gov/) GSA Mandatory Cyber Security and Privacy Training, including accepting the GSA IT Rules of Behavior, which is required before we can give you access to any cloud.gov systems. If you joined GSA more than two months ago, you've already completed this task and can just check the box. +
-#### Fulfill security and compliance requirements (including for FedRAMP) - Completed by onboarding buddy +## Learn our policies and procedures -- [ ] Make sure they're in [the list of people working on the project](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0). -- [ ] Add their name, whether they're Cloud Ops (Platform), and the date they joined the team to the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). Copy the formulas for the due dates from an existing row (grab the "corner" of the cells and pull down). -- [ ] As they complete training, fill out their completion dates in the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). -- [ ] Add them to the @cloud-gov-team [in Slack’s Team Directory](https://get.slack.help/hc/en-us/articles/212906697-User-Groups#edit-a-user-group). -- [ ] Review the recurring cloud.gov meetings that are relevant for them in [the team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (they will get access to this when added to the cloud.gov Team Google Group). -- [ ] Add them to the [`cloud-gov`](https://github.com/orgs/cloud-gov/people) organization in GitHub, and the [`cloud-gov-team`](https://github.com/orgs/cloud-gov/teams/cloud-gov-team) team. +- [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). +- [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). +- [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). 
+- [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. +- [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) -#### Learn our policies and procedures +## Getting to know cloud.gov -For the three trainings list at the top, your onboarding buddy will create a separate ticket to track the trainings once scheduling has been finished. This will help consolidate trainings for multiple new members to the team and prevent them from blocking progress on this onboarding ticket. Once the trainings are scheduled, they can be marked as complete here. - -* [ ] Coordinate with your onboarding buddy to go through Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training: - * [ ] Read the [Contingency Plan](https://docs.cloud.gov/ops/contingency-plan/). -* [ ] Coordinate with your onboarding buddy to go through [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - * [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). 
-* [ ] Coordinate with your onboarding buddy to go through [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - * [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - * [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. - * [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). -* [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). -* [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). -* [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. -* [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a *.docx* file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) - -### Getting to know cloud.gov - -These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. 
While you -should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming +These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. While you +should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. -- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/master/Onboarding.md) for more context about cloud.gov. -- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/master/PertinentLinks.md). -- [ ] Read through [the Overview section of our site](https://cloud.gov/docs/overview/what-is-cloudgov/) for a broader understanding of cloud.gov, especially how we present it to potential customers and users. - [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. - - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. -- [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/master/StoryLifecycle.md) to learn about how we work. - [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. -- [ ] Add the [cloud.gov Google Drive folder](https://drive.google.com/drive/folders/0Bx6EvBXVDWwheUtVckVnOE1pRzA) to your Google Drive -- that's where we put cloud.gov docs. If you create or move a doc there, it'll get the right access permissions for team members to be able to view and edit it. 
-- [ ] Subscribe to [the cloud.gov team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (click the + in the bottom right) so you know when assorted team meetings are happening in the various squads. Tip: When you plan Out of Office time, make a calendar event for that on the cloud.gov calendar so that your teammates know you'll be away -### Slack channels +## Slack channels Your onboarding buddy will add you to these Slack channels: -- [ ] `#cloud-gov` - bots post announcements here -- [ ] `#cg-billing` - private business development channel (if applicable) -- [ ] `#cg-business` - business development (if applicable) -- [ ] `#cg-compliance` - compliance-related information and discussion -- [ ] `#cg-offtopic` - off-topic team sharing -- [ ] `#cg-platform` - platform operations -- [ ] `#cg-platform-news` - bots post platform alerts -- [ ] `#cg-general` - program-level information and discusion -- [ ] `#cg-support` - support requests and assistance within TTS +- [ ] `#cg-aws-security` - private channel where bots post security notices - [ ] `#cg-incidents` - private channel for incident response +- [ ] `#cg-ops-banter` - private channel for operations/engineering banter - [ ] `#cg-priv-all` - private channel for in-team discussion -- [ ] `#cg-priv-gov` (Federal employees only) - may contain discussion of contracting-related or other private, federal-employee-only comms - -Once you're added to these channels, you probably want to mute these channels until you're on support rotation: +- [ ] `#cg-priv-compliance` - private channel for security and compliance discussions -- [ ] `#cg-support` - support requests and assistance within TTS -- [ ] `#cg-platform-news` - platform alerts +You will want to keep `#cg-support` unmuted so you are aware of requests from TTS-internal customers of cloud.gov. 
## Support-specific items -You should already have admin rights on your machine as a part of its original setup. If for whatever reason you don't, -Please let your onboarding buddy know and they will help you request [local admin rights](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) on your GFE Mac using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). +### Machine admin rights -Your onboarding buddy will create a separate ticket tied to this one to track the AWS accounts being granted full admin access. +- [ ] In order to install development tools on your Mac, you will need to request local admin rights by [submitting a ServiceDesk ticket](https://docs.google.com/document/d/1xepZsh83lxPDykrb1NXoeHxj8m78qsdW-9KqzO_CHOQ/edit) using [this justification](https://docs.google.com/document/d/1YGid3pTji5W_M9RuF1GDf614BVkLIRDmSrt1tDbej-o/edit). If you're unable to create a ticket for yourself, your onboarding buddy can create one for you. ### Additional compliance setup/review -* [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/master/README.md) -* [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue -* [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) +- [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/main/README.md) +- [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue +- [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) ### Install a development environment for cloud.gov 
diff --git a/.github/ISSUE_TEMPLATE/onboard-team-member.md b/.github/ISSUE_TEMPLATE/onboard-team-member.md index 5e3f44d..2d0e44d 100644 --- a/.github/ISSUE_TEMPLATE/onboard-team-member.md +++ b/.github/ISSUE_TEMPLATE/onboard-team-member.md @@ -1,10 +1,9 @@ --- -name: Onboard New cloud.gov Team Member -title: Checklist for Onboarding a New Team Member -about: This is the checklist and requirements for onboarding a new team member to the cloud.gov team -labels: '' -assignees: '' - +name: Onboard Any New cloud.gov Team Member +title: General Checklist for Onboarding (first name here) +about: Onboarding checklist that applies to all team members. Pairs with a role-specific checklist. +labels: "" +assignees: "" --- # New Team Member Onboarding Checklist 
@@ -13,94 +12,125 @@ assignees: '' - **Do not create this issue until the System Owner has formally authorized and requested it.**. You can get that OK by one of two ways: - A: - - [ ] A: System Owner creates this issue. + - [ ] A: System Owner creates this issue - B: - - [ ] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization. + - [ ] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization - [ ] B.2: An operator adds a link to the Google Group conversation that includes the authorizing email. + - (link here) - **Please only use first names.** --- In order to get `New Person` productively contributing to the cloud.gov team, `Buddy` should help `New Person` complete a prescribed set of tasks that will bring them up to speed and get them setup with cloud.gov. +## Role-Specific Onboarding + +This onboarding ticket must be completed by all new cloud.gov team members. It must be paired with a role-specific onboarding ticket. Your onboarding buddy will create both. + ## Instructions +Your onboarding buddy should reach out and introduce themselves to you. If you have not heard from them after a day or two, please let the team know. + 1. Try to go through the checklists in order. -2. If `Buddy` can’t complete any of the items on their checklist personally, _they are responsible for ensuring that someone with the correct access completes that item_. +1. Make sure this issue is assigned you and your buddy in our [Github Project Planning Board](https://github.com/orgs/cloud-gov/projects/27/views/1). We use this board to organize, prioritize, and track our work. +1. If `Buddy` cannot complete any of the items on their checklist personally, _they are responsible for ensuring that someone with the correct access completes that item_. +1. Take notes on this onboarding process. 
If you notice a problem, let your buddy know by leaving a comment on this issue, or submit a fix yourself! You can propose a change to any documentation in GitHub using a pull request. The onboarding issue templates, including for this issue, are [here](https://github.com/cloud-gov/product/blob/main/.github/ISSUE_TEMPLATE). -## Onboarding Checklist +## Pre-requisites -### Required items for all team members +- [ ] Complete [GSA OLU](https://gsaolu.gsa.gov/) IT Security & Privacy Awareness Training, which includes accepting the GSA IT Rules of Behavior. This is required before we can give you access to any cloud.gov systems. If you joined GSA more than two months ago, you've already completed this task and can check the box. + - OLU has sometimes lost course completion data. We recommend downloading the PDF certificate of completion for each training and saving it to your Google Drive. -These items help us fulfill security and compliance requirements (including for FedRAMP). If you get stuck, or if these requirements are confusing, ask for help from your buddy or in a cloud.gov channel. +## Fulfill security and compliance requirements - Completed by onboarding buddy -- [ ] Take judicious notes on what about this onboarding process or cloud.gov is confusing or frustrating. If you notice a problem (especially with things like documentation), you are more than welcome to fix it! At the very least, please share this information with your onboarding buddy (or someone) at some point so we can make the team/platform better. (You can also file issues and pull requests on [the template Onboarding checklist](https://github.com/cloud-gov/product/blob/main/.github/ISSUE_TEMPLATE/onboard-team-member.md). 
-- [ ] Be sure to introduce yourself and follow up with your onboarding buddy (they should have reached out to you at this point; if they haven't, please let the team know) and make sure this issue is assigned to them in our [Github Project Planning Board](https://github.com/orgs/cloud-gov/projects/2). We use this board to organize, prioritize, and track our work. +- [ ] Make sure they're in the [Team Roster](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0). +- [ ] Add their name, whether they're Cloud Operations, and the date they joined the team to the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). + - All engineers who are federal employees or staff contractors are part of Cloud Operations. Project contractors are not. + - Copy the formulas for the due dates from an existing row (grab the "corner" of the cells and pull down). + - As they complete training, fill out their completion dates in the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). +- [ ] Add them to the @cloud-gov-team [in Slack’s Team Directory](https://get.slack.help/hc/en-us/articles/212906697-User-Groups#edit-a-user-group). +- [ ] Add them on GitHub to the [`cloud-gov-team`](https://github.com/orgs/cloud-gov/teams/cloud-gov-team) team, which will automatically invite them to our [`cloud-gov`](https://github.com/orgs/cloud-gov/people) organization. -#### Pre-requisites +## Complete cloud.gov trainings -- [ ] Complete [GSA OLU](https://gsaolu.gsa.gov/) GSA Mandatory Cyber Security and Privacy Training, including accepting the GSA IT Rules of Behavior, which is required before we can give you access to any cloud.gov systems. If you joined GSA more than two months ago, you've already completed this task and can just check the box. 
+Onboarding buddy: Contact the compliance team in [#cg-compliance](https://gsa.enterprise.slack.com/archives/C0A1Z7L2U) to schedule training(s). -#### Fulfill security and compliance requirements (including for FedRAMP) - Completed by onboarding buddy +- [ ] Coordinate with your onboarding buddy to schedule [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: + - [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. + - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). + +## Getting to know cloud.gov + +These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. While you should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. -- [ ] Make sure they're in [the list of people working on the project](https://docs.google.com/spreadsheets/d/187663k5MYJBNlKExLu_nhuovcZQfIbqYCu2n4noNY1o/edit#gid=0). -- [ ] Add their name, whether they're Cloud Ops (Platform), and the date they joined the team to the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). Copy the formulas for the due dates from an existing row (grab the "corner" of the cells and pull down). -- [ ] As they complete training, fill out their completion dates in the [training tracker](https://docs.google.com/spreadsheets/d/1hqU6cNeEB293OT0j3OvbdAFRkrf2zDOrPVxGfnr4sSw/edit#gid=0). 
-- [ ] Add them to the @cloud-gov-team [in Slack’s Team Directory](https://get.slack.help/hc/en-us/articles/212906697-User-Groups#edit-a-user-group). -- [ ] Review the recurring cloud.gov meetings that are relevant for them in [the team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (they will get access to this when added to the cloud.gov Team Google Group). -- [ ] Add them to the [`cloud-gov`](https://github.com/orgs/cloud-gov/people) organization in GitHub, and the [`cloud-gov-team`](https://github.com/orgs/cloud-gov/teams/cloud-gov-team) team. - -#### Learn our policies and procedures - -For the three trainings list at the top, your onboarding buddy will create a separate ticket to track the trainings once scheduling has been finished. This will help consolidate trainings for multiple new members to the team and prevent them from blocking progress on this onboarding ticket. Once the trainings are scheduled, they can be marked as complete here. - -* [ ] Coordinate with your onboarding buddy to go through Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training: - * [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). -* [ ] Coordinate with your onboarding buddy to go through [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: - * [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). 
-* [ ] Coordinate with your onboarding buddy to go through [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: - * [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). - * [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. - * [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). -* [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). -* [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). -* [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. -* [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a *.docx* file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) - -### Getting to know cloud.gov - -These items will help you come up to speed on cloud.gov and what it is, how it works, why it exists, etc. 
While you -should take the time to go through them, please do not try and tackle it all in one shot! It can become overwhelming -very quickly, so your onboarding buddy will walk through this list with you at a high level with you to help manage the work. - -- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/master/Onboarding.md) for more context about cloud.gov. -- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/master/PertinentLinks.md). - [ ] Read through [the Overview section of our site](https://cloud.gov/docs/overview/what-is-cloudgov/) for a broader understanding of cloud.gov, especially how we present it to potential customers and users. -- [ ] [Sign up for a cloud.gov sandbox](https://cloud.gov/sign-up/#get-trial-access-and-a-free-sandbox-space) using your GSA email address and start experimenting to get familiar with the basics of the PaaS from a user's perspective. - - This is also required in order to make you a platform admin once you've completed the Cybersecurity and Privacy training. -- [ ] Read the [Delivery Process document](https://github.com/cloud-gov/product/blob/master/StoryLifecycle.md) to learn about how we work. -- [ ] Read our [service disruption guide](https://cloud.gov/docs/ops/service-disruption-guide/) to learn how we handle customer-facing service disruptions. -- [ ] Add the [cloud.gov Google Drive folder](https://drive.google.com/drive/folders/0Bx6EvBXVDWwheUtVckVnOE1pRzA) to your Google Drive -- that's where we put cloud.gov docs. If you create or move a doc there, it'll get the right access permissions for team members to be able to view and edit it. -- [ ] Subscribe to [the cloud.gov team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (click the + in the bottom right) so you know when assorted team meetings are happening in the various squads. 
Tip: When you plan Out of Office time, make a calendar event for that on the cloud.gov calendar so that your teammates know you'll be away +- [ ] Read [the team onboarding document](https://github.com/cloud-gov/product/blob/main/Onboarding.md) for more context about cloud.gov. +- [ ] Bookmark the [pertinent links listed here](https://github.com/cloud-gov/product/blob/main/PertinentLinks.md). + +## Team resources + +You will automatically be added to one or more Google Drives: the [Cloud.gov All Staff Drive](https://drive.google.com/drive/folders/0ANH-Bql6mXGBUk9PVA) and, for federal employees, the [Cloud.gov Federal Employees Drive](https://drive.google.com/drive/folders/0AE_c0OLGmVIgUk9PVA). Put all documents related to cloud.gov in the appropriate shared drive so the team can access them and meet federal records requirements. Each drive contains a folder for each squad, and each squad folder contains a "wiki" that explains how the sub-folders are structured. + +
+ + Federal employees and staff contractors, expand this section: + -### Slack channels +- [ ] Subscribe to [the cloud.gov team calendar](https://calendar.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks@group.calendar.google.com&ctz=America/Los_Angeles) (click the + in the bottom right) so you know when assorted team meetings are happening in the various squads. Tip: When you plan Out of Office time, make a calendar event for that on the cloud.gov calendar so that your teammates know you'll be away. -Your onboarding buddy will add you to these Slack channels: +
-- [ ] `#cloud-gov` - bots post announcements here -- [ ] `#cg-billing` - private business development channel (if applicable) +## Slack Channels + +The following cloud.gov channels are public and all team members are welcome to join: + +- [ ] `#cg-aws-status` - bots post announcements about AWS service outages/incidents - [ ] `#cg-business` - business development (if applicable) - [ ] `#cg-compliance` - compliance-related information and discussion +- [ ] `#cg-customer-success` - customer success squad channel +- [ ] `#cg-general` - program-level information and discussion - [ ] `#cg-offtopic` - off-topic team sharing +- [ ] `#cg-platform-news` (🗣️) - bots post platform alerts (mostly CI job notifications) - [ ] `#cg-platform` - platform operations -- [ ] `#cg-platform-news` - bots post platform alerts -- [ ] `#cg-general` - program-level information and discusion -- [ ] `#cg-support` - support requests and assistance within TTS -- [ ] `#cg-incidents` - private channel for incident response -- [ ] `#cg-priv-all` - private channel for in-team discussion -- [ ] `#cg-priv-gov` (Federal employees only) - may contain discussion of contracting-related or other private, federal-employee-only comms +- [ ] `#cg-support` (🗣️) - support requests and assistance within TTS +- [ ] `#cg-supportstream` (🗣️) - stream of activity on Zendesk tickets +- [ ] `#cloud-gov` (🗣️) - bots post announcements here + +Channels marked with (🗣️) receive a lot of messages, either from customers or bots, and you may want to mute them. + +- [ ] Project contractors: Your buddy will add you to the private channel for your project. + +For federal employees only: + +- [ ] `#cg-priv-gov` - may contain discussion of contracting-related or other private, federal-employee-only comms + +## Google Groups and Spaces + +We manage calendar invites and Google Drive access using Google Groups. Some groups can also receive message from outside emails. 
+ +- [ ] Project contractors: Add them to the [cloud.gov Project Contractors Google Group](https://groups.google.com/a/gsa.gov/g/cloud-gov-project-contractors/members) as the "Member" role. This grants them Commenter access to the All Staff Google Drive. If they are working on a project in a specific folder, you can grant them greater access to that folder. + +
+ + Federal employees and staff contractors, expand this section: + + +Add them to the following Google Groups: + +- [ ] [cloud.gov Team](https://groups.google.com/a/gsa.gov/g/cloud-gov/members) so they can participate in team-wide internal communication. +- [ ] Business Unit Only - Add them to the [cloud.gov inquiries Google Group](https://groups.google.com/a/gsa.gov/g/cloud-gov-inquiries/members) so they can keep apprised of prospective new clients. + +You will automatically be added to the Google Space [CG-PRIV](https://mail.google.com/mail/u/0/#chat/space/AAAAr60JXAc), a fallback team communication channel in the event Slack is down. + +They may need added to one or more of these team-specific groups: + +- [ ] [cloud.gov Assurance Team](https://groups.google.com/a/gsa.gov/g/cloud-gov-assurance/members) +- [ ] [cloud.gov Compliance](https://groups.google.com/a/gsa.gov/g/cloud-gov-compliance/members) (external email accepted) +- [ ] [cloud.gov Customer Success Team](https://groups.google.com/a/gsa.gov/g/cloud-gov-customer-success/members) + +Lastly, for federal employees only: -Once you're added to these channels, you probably want to mute these channels until you're on support rotation: +- [ ] [cloud.gov Federal Employees](https://groups.google.com/a/gsa.gov/g/cloud-gov-federal-employees/members) +- [ ] Make them a Space Manager in [CG-PRIV](https://mail.google.com/mail/u/0/#chat/space/AAAAr60JXAc). -- [ ] `#cg-support` - support requests and assistance within TTS -- [ ] `#cg-platform-news` - platform alerts +
diff --git a/Brewfile b/Brewfile new file mode 100644 index 0000000..7093831 --- /dev/null +++ b/Brewfile @@ -0,0 +1,15 @@ +tap "cloudfoundry/tap" +tap "hashicorp/tap" +tap "homebrew/bundle" +tap "homebrew/cask-versions" +tap "homebrew/services" +brew "aws-vault" +brew "awscli" +brew "docker" +brew "gnupg" +brew "jq" +brew "terraform" +brew "yq" +brew "cloudfoundry/tap/bosh-cli" +brew "cloudfoundry/tap/cf-cli@8" +cask "fly" diff --git a/Onboarding.md b/Onboarding.md index dfc730e..25e2a73 100644 --- a/Onboarding.md +++ b/Onboarding.md @@ -4,15 +4,7 @@ cloud.gov helps government teams attack core impediments to smooth, iterative de ## Instructions -When someone new joins the cloud.gov team: - -1. The System Owner (Director or Deputy Director) creates a new issue in the [cg-product Github repo](https://github.com/cloud-gov/product/issues) called "Authorize Onboarding for [NewPerson]". This constitutes 'formal approval' by leadership. - - The System Owner must do this step. An assignee can add the checklist afterward if the System Owner hasn't already. - - Use of an issue that only the System Owner is authorized to create before onboarding can proceed helps us satisfy the AC-2 control. -2. The cloud.gov Director or Deputy Director adds the new team member to the `cloud-gov` team in GitHub. -3. The System Owner or an assignee creates a new issue in the [cg-product Github repo](https://github.com/cloud-gov/product/issues) called `System Owner Authorization for Onboarding a New Team Member` -4. The System Owner or the person who bravely volunteered to be the new person's Onboarding Buddy can then proceed to create the onboarding checklist issue for the new person -5. Put the onboarding checklist issue into the _Doing_ column in our [project board](https://github.com/orgs/cloud-gov/projects/2). +See the first section of your general onboarding ticket for instructions about authorizing and onboarding a new team member. ## Onboarding 
@@ -34,7 +26,7 @@ Several tools are used for project management, but the main one you will probabl As a service offered to other federal agencies, cloud.gov must hold itself to a rigorous security standard in both our technical work and our team operations. We follow a formal set of security requirements as part of our FedRAMP P-ATO process. ([FedRAMP](https://www.fedramp.gov/) is a GSA-run program that assesses cloud services for government use, and we participate in this program.) -* When you log into our cloud.gov CLI or dashboard for cloud.gov work, such as to work on a component that sits on cloud.gov as an application (for example the dashboard or the website), and GSA SecureAuth prompts you for multi-factor authentication (MFA), pick an MFA option that isn't email — use the phone/text/app MFA option. This helps us comply with our FedRAMP requirements. +- When you log into our cloud.gov CLI or dashboard for cloud.gov work, such as to work on a component that sits on cloud.gov as an application (for example the dashboard or the website), and GSA SecureAuth prompts you for multi-factor authentication (MFA), pick an MFA option that isn't email — use the phone/text/app MFA option. This helps us comply with our FedRAMP requirements. ## Things we maintain 
@@ -47,7 +39,7 @@ As a service offered to other federal agencies, cloud.gov must hold itself to a - a [Google Drive folder](https://drive.google.com/a/gsa.gov/folderview?id=0Bx6EvBXVDWwheUtVckVnOE1pRzA&usp=sharing) full of artifacts related to design, user research, etc (also expected to move to GitHub in time) - [The cloud.gov support Google Group](https://groups.google.com/a/gsa.gov/forum/?hl=en#!forum/cloud-gov-support), where we currently wrangle inquiries from various agencies, and some support. -We liberally make upstream pull requests for stuff we use. We try to transfer broadly-useful Cloud Foundry-related projects to [the Cloud Foundry community GitHub organization](https://github.com/cloudfoundry-community/). +We liberally make upstream pull requests for stuff we use. We try to transfer broadly-useful Cloud Foundry-related projects to [the Cloud Foundry community GitHub organization](https://github.com/cloudfoundry-community/). ## Important terminology and context 
@@ -73,13 +65,13 @@ We liberally make upstream pull requests for stuff we use. We try to transfer br - InfoSec – information security. - PaaS – platform as a service. We use Cloud Foundry to run the cloud.gov PaaS. - [Pivotal](https://pivotal.io/) – the company that originally started Cloud Foundry. -- UAA - UAA is the User Authentication and Authorization hub for Cloud Foundry. It can delegate identity management via common standards such as LDAP/Active Directory, SAML, OAuth/OpenID Connect, and so forth. UAA is deployed as part of cloud.gov. +- UAA - UAA is the User Authentication and Authorization hub for Cloud Foundry. It can delegate identity management via common standards such as LDAP/Active Directory, SAML, OAuth/OpenID Connect, and so forth. UAA is deployed as part of cloud.gov. -Also see [the Cloud Foundry glossary](http://docs.cloudfoundry.org/concepts/glossary.html) for terms that are specific to the technology powering our platform. +Also see [the Cloud Foundry glossary](http://docs.cloudfoundry.org/concepts/glossary.html) for terms that are specific to the technology powering our platform. -# Joining the Federalist team +# Joining the Pages team -Federalist is a platform to build, launch, and manage static web sites for government agencies. The team develops, operates, and supports the platform so that we can offer it to agencies as a service. +cloud.gov Pages is a platform to build, launch, and manage static web sites for government agencies. The team develops, operates, and supports the platform so that we can offer it to agencies as a service. ## Onboarding diff --git a/PertinentLinks.md b/PertinentLinks.md index e5e5d22..ad3c1d9 100644 --- a/PertinentLinks.md +++ b/PertinentLinks.md 
@@ -1,54 +1,44 @@ # Pertinent links for the cloud.gov team -As a highly motivated and distributed team, there are many links that we use to -communicate effectively as a team. Below are a list of pertinent links that -should be bookmarked and encouraged to check on a regular basis. -For easy import of these bookmarks download and import [import_bookmarks.html](./import_bookmarks.html) in your browser. +As a highly motivated and distributed team, there are many links that we use to communicate effectively as a team. Below are a list of pertinent links that should be bookmarked and encouraged to check on a regular basis. For easy import of these bookmarks download and import [import_bookmarks.html](./import_bookmarks.html) in your browser. -#### General cloud.gov items +## Work and knowledge management -- [Project board (project tracking)](https://github.com/orgs/cloud-gov/projects/2) -- [cloud.gov Beta dashboard](https://dashboard-beta.fr.cloud.gov/) :lock: -- [cloud.gov dashboard](https://dashboard.fr.cloud.gov/) :lock: -- [cloud.gov Google Drive folder][cg-drive-folder] :lock: -- [cloud.gov `cg-site` repository](https://github.com/cloud-gov/cg-site/) +- [cloud.gov Roadmap GitHub Project](https://github.com/orgs/cloud-gov/projects/25) - public roadmap of epics, which are planned at a quarterly level +- [cloud.gov Team GitHub Project](https://github.com/orgs/cloud-gov/projects/27) :lock: - private board for tracking individual work items, planned sprint-by-sprint +- [cloud.gov All Staff Google Drive](https://drive.google.com/drive/folders/0ANH-Bql6mXGBUk9PVA) :lock: +- [cloud.gov Federal Employees Google Drive](https://drive.google.com/drive/folders/0AE_c0OLGmVIgUk9PVA) :lock: -#### Slack channels -- [Program channel][slack-program] :lock: -- [Support channel][slack-support] :lock: -- [Business Development channel][slack-business] :lock: -- [Compliance channel][slack-compliance] :lock: -- [Platform Operations channel][slack-platform] :lock: +## cloud.gov system 
links -#### Platform Operations +- [cloud.gov dashboard](https://dashboard.fr.cloud.gov/) :lock: +- [cloud.gov logs](https://logs-platform.fr.cloud.gov/) :lock: +- [cloud.gov Cloud Foundry API endpoint](http://api.fr.cloud.gov/) :lock: - Most requests require authentication, but the root returns some metadata. -- [Developer Documentation GDrive](https://drive.google.com/drive/folders/1-JuCl9WmxjOMPNCUI49srHHuEtkA4BoE) -- [ZenDesk support tickets](https://cloud-gov.zendesk.com/agent/dashboard) :lock: (SSO) -- [AWS GovCloud console][aws-fr-console] :lock: -- [Concourse GovCloud](https://ci.fr.cloud.gov/) :lock: -- [cloud.gov repositories][github-cloud-gov-cg] -- [cloud.gov deployment repositories][github-cloud-gov-cg-deploy] +## Slack channels -#### Business Development +See onboarding ticket(s). -- Add items here, if it's useful! +## Engineering -[slack-business]: https://gsa-tts.slack.com/channels/cg-business -[slack-compliance]: https://gsa-tts.slack.com/channels/cg-compliance -[slack-platform]: https://gsa-tts.slack.com/channels/cg-platform -[slack-program]: https://gsa-tts.slack.com/channels/cg-program -[slack-support]: https://gsa-tts.slack.com/channels/cg-support - -[aws-fr-console]: https://signin.amazonaws-us-gov.com/?region=us-gov-west-1 +- [Internal Documentation](https://github.com/cloud-gov/internal-docs) :lock: +- [ZenDesk support tickets](https://cloud-gov.zendesk.com/agent/dashboard) :lock: +- [AWS GovCloud console](https://signin.amazonaws-us-gov.com/?region=us-gov-west-1) :lock: +- [Concourse, our CI/CD tool](https://ci.fr.cloud.gov/) :lock: +- [cloud.gov git repositories](https://github.com/cloud-gov) +- [cloud.gov deployment repositories](https://github.com/search?utf8=✓&q=org%3Acloud-gov+cg-deploy-&type=Repositories&ref=searchresults) +- [cloud.gov `cg-site` repository](https://github.com/cloud-gov/cg-site/) +- [Cloud Foundry API v3 reference](http://v3-apidocs.cloudfoundry.org/version/3.126.0/index.html) +- [Control Freak, an unofficial 
reference for NIST 800-53 controls](https://controlfreak.risk-redux.io) +- [GSA IT Software Approval standards](https://sites.google.com/a/gsa.gov/it_standards/software-approvals) -[cg-dashboard]: https://dashboard.fr.cloud.gov/ -[cg-drive-folder]: https://drive.google.com/drive/folders/0Bx6EvBXVDWwheUtVckVnOE1pRzA +## Business Development -[github-cloud-gov-cg]: https://github.com/search?utf8=✓&q=org%3Acloud-gov+cg-&type=Repositories&ref=searchresults -[github-cloud-gov-cg-deploy]: https://github.com/search?utf8=✓&q=org%3Acloud-gov+cg-deploy-&type=Repositories&ref=searchresults +- Add items here, if it's useful! -### Historical/context docs +## Historical/context docs - ["cloud.gov: What is it?"](https://docs.google.com/presentation/d/1nCcti3dXG9TVGW3OqaWtnf96oXX8U8SBTM_WePFO_dg/edit#slide=id.p) a rundown of what cloud.gov is and does (specifically slides 1-37; the rest are somewhat outdated) -- [January 2016 cloud.gov "Executive Business Case" document](https://docs.google.com/document/d/138OcG0Lt6gr9J0wM0TzzPNyTROmYAwfLIDujtweiwGw/edit#) greater context about cloud.gov's potential impact in government. +- [January 2016 cloud.gov "Executive Business Case" document](https://docs.google.com/document/d/138OcG0Lt6gr9J0wM0TzzPNyTROmYAwfLIDujtweiwGw/edit) greater context about cloud.gov's potential impact in government. - [House Oversight and Government Reform Committee (July 12 2017) document](https://docs.google.com/document/d/1kDJdaPw7DSBPSa-XH-YsQpJVOmRKSK8sAghNhPFpegE/edit) official answers to important questions such as "Why would agencies use cloud.gov instead of building their own?" +- [A collaborative combined cultural history of TTS](https://docs.google.com/document/d/1TZNX3G86G4zY56YVJCXW4L9GKL6_nfsTPSL-SDxmSVs/edit#heading=h.8y88hrufdsp) diff --git a/import_bookmarks.html b/import_bookmarks.html index d4a71d2..b5bc941 100644 --- a/import_bookmarks.html +++ b/import_bookmarks.html @@ -6,33 +6,38 @@ Bookmarks

Bookmarks

-

Cloud.Gov

+

cloud.gov

General Links

-

Project Board +
Roadmap Board +
Team Board +
All Staff +
Fed Only
Cloud.gov Github
prod-dashboard cloud.gov
beta-dashboard cloud.gov
cloud.gov cg-site repo

-

Slack Channels

-

-

Program Channel #cg-support -
Support Channel -
Business Development Channel -
Compliance Channel -
Platform Operations Channel -

-

Platform Operations

+

cloud.gov system

+

+

Dashboard +
Logs +
API Endpoint +

+

Engineering

-

Developer Documentation GDrive -
zendesk support tickets +
Internal Documentation +
ZenDesk support tickets
AWS Commercial Console
AWS GovCloud Console -
Concourse GovCloud -
cloud.gov repositories +
Concourse CI +
cloud.gov git repositories
cloud.gov deployment repositories +
cg-site repository +
CF v3 API Reference +
Control Freak +
IT Software Approvals
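Review bot: in the `@@ -1,54 +1,44 @@` hunk for the "Pertinent links" page, two of the added links use plain `http://`: the Cloud Foundry API endpoint (`http://api.fr.cloud.gov/`) under "cloud.gov system links" and the Cloud Foundry API v3 reference (`http://v3-apidocs.cloudfoundry.org/version/3.126.0/index.html`) under "Engineering". Every other link in the list is `https://`, and the API endpoint entry itself says most requests require authentication, so a bookmark to it should not start on an unencrypted scheme; please change both to `https://`. Two smaller points: the v3 reference is pinned to `version/3.126.0` and will go stale, so link an unversioned page if one exists or note that the version needs bumping; and the reflowed intro still reads "Below are a list", which could become "Below is a list" while the paragraph is being touched.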
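Review bot: in the `import_bookmarks.html` hunk (`@@ -6,33 +6,38 @@`), the bookmark file no longer mirrors the Markdown list changed in the same patch. "beta-dashboard cloud.gov" stays as an unchanged entry under General Links although the Markdown hunk removes the Beta dashboard link, and "prod-dashboard cloud.gov" and "cloud.gov cg-site repo" also stay there while "Dashboard" and "cg-site repository" are added under the new "cloud.gov system" and "Engineering" folders, so anyone importing the file gets duplicates. "AWS Commercial Console" is kept here as well but has no counterpart in the Markdown list. Suggest dropping the stale and duplicate General Links entries, or adding the missing ones to the Markdown list, so the two files stay in sync. The hrefs are not visible in this rendering of the hunk; please confirm that the new "API Endpoint" and "CF v3 API Reference" bookmarks use `https://`.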