Summary
When the CyHy system was established, there were heavy time drivers which did not allow for a full review to ensure all applicable security controls were fully implemented.
Motivation and context
A review should be conducted to ensure the appropriate security controls apply, e.g. in the areas of Identity Management, Access Control, Authentication, centralized logging, etc. The system should adhere to the same controls established for the COOL meeting our Authority to Operate (ATO) requirements. These requirements are defined in DHS 4300A and NIST 800-53.
There was also interest in supporting contextual information to justify a shared (COOL/CyHy) ATO and detail regarding shared controls applicable to CyHy. More specifically, that administrative access controls for the CyHy system match the ATO requirements previously established for the COOL. The recommendation provided was for users requiring access to the data to coordinate with enterprise service providers for authentication via their solutions.
Acceptance criteria