-
Notifications
You must be signed in to change notification settings - Fork 3
/
develop.html
488 lines (384 loc) · 27.1 KB
/
develop.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>Planning for ATO at CMS</title>
<script src="assets/uswds-2.11.1/js/uswds-init.min.js"></script>
<link rel="stylesheet" href="assets/uswds-2.11.1/css/uswds.min.css" />
<meta http-equiv="refresh" content="10;url=https://security.cms.gov/learn/authorization-operate-ato"/>
</head>
<body>
<script src="assets/uswds-2.11.1/js/uswds.min.js"></script>
<a class="usa-skipnav" href="#main-content">Skip to main content</a>
<!--
<section class="usa-banner" aria-label="Official government website">
<div class="usa-accordion">
<header class="usa-banner__header">
<div class="usa-banner__inner">
<div class="grid-col-auto">
<img class="usa-banner__header-flag" src="assets/img/uswds-2.11.1/us_flag_small.png" alt="U.S. flag">
</div>
<div class="grid-col-fill tablet:grid-col-auto">
<p class="usa-banner__header-text">An official website of the United States government</p>
<p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p>
</div>
<button class="usa-accordion__button usa-banner__button"
aria-expanded="false" aria-controls="gov-banner">
<span class="usa-banner__button-text">Here’s how you know</span>
</button>
</div>
</header>
<div class="usa-banner__content usa-accordion__content" id="gov-banner">
<div class="grid-row grid-gap-lg">
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-dot-gov.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Official websites use .gov
</strong>
<br/>
A <strong>.gov</strong> website belongs to an official government organization in the United States.
</p>
</div>
</div>
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-https.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Secure .gov websites use HTTPS
</strong>
<br/>
A <strong>lock</strong> (
<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description" focusable="false"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h32v-9c0-6.075-4.925-11-11-11z"/></svg></span>
) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
</p>
</div>
</div>
</div>
</div>
</div>
</section>
-->
<div class="usa-overlay"></div>
<header class="usa-header usa-header--extended"><div class="usa-navbar">
<div class="usa-logo" id="extended-logo">
<em class="usa-logo__text"><a href="index.html" title="Home" aria-label="Home">CMS Security & Compliance Planning</a></em>
</div>
<button class="usa-menu-btn">Menu</button>
</div>
<!-- Redirection Notice -->
<section class="usa-site-alert usa-site-alert--emergency" aria-label="Site alert,">
<div class="usa-alert">
<div class="usa-alert__body">
<h3 class="usa-alert__heading">CMS ATO Notice</h3>
<p class="usa-alert__text">
CMS ATO information can now be found at <a class="usa-link" href="https://security.cms.gov">security.cms.gov</a>, along with other security and privacy resources.
</p>
<p class="usa-alert__text">
This website will be retired. You will be redirected in a moment.
</p>
</div>
</div>
</section>
<!-- End Redirection Notice -->
<nav aria-label="Primary navigation" class="usa-nav">
<div class="usa-nav__inner"><button class="usa-nav__close"><img src="assets/img/uswds-2.11.1/usa-icons/close.svg" role="img" alt="close"></button>
<ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item" style="display: none">
<button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="extended-nav-section-one"><span>CMS Rapid ATO</span></button>
<ul id="extended-nav-section-one" class="usa-nav__submenu">
<li class="usa-nav__submenu-item">
<a href="rato.html" class=""> What is CMS Rapid ATO</a>
</li>
<li class="usa-nav__submenu-item">
<a href="overview.html" class=""> Background</a></ul></li>
<li class="usa-nav__primary-item">
<button class="usa-accordion__button usa-nav__link usa-current" aria-expanded="false" aria-controls="extended-nav-section-two"><span>ATO Phases</span></button>
<ul id="extended-nav-section-two" class="usa-nav__submenu">
<!-- <li class="usa-nav__submenu-item">
<a href="#" class=""> Preparation</a>
</li>-->
<li class="usa-nav__submenu-item">
<a href="overview-phases.html" class=""> Overview</a>
</li><li class="usa-nav__submenu-item">
<a href="initiate.html" class=""> Initiate</a>
</li><li class="usa-nav__submenu-item">
<a href="develop.html" class=""> Develop and Assess</a>
</li><li class="usa-nav__submenu-item">
<a href="operate.html" class=""> Operate</a>
</li>
<li class="usa-nav__submenu-item">
<a href="retire.html" class=""> Retire</a>
</li></ul></li>
<li class="usa-nav__primary-item">
<button class="usa-accordion__button usa-nav__link usa-current" aria-expanded="false" aria-controls="extended-nav-section-three"><span>Resources</span></button>
<ul id="extended-nav-section-three" class="usa-nav__submenu">
<!-- <li class="usa-nav__submenu-item">
<a href="#" class=""> Preparation</a>
</li>-->
<li class="usa-nav__submenu-item">
<a href="types.html" class=""> Authorizations & Agreements </a>
</li>
<li class="usa-nav__submenu-item">
<a href="roles.html" class=""> Key Roles & Stakeholders</a>
</li>
<li class="usa-nav__submenu-item">
<a href="tools.html" class=""> Tools & Services </a>
</li>
</ul></li></ul>
</div>
</nav>
</header>
<main id="main-content">
<div class="usa-section">
<div class="grid-container">
<div class="grid-row grid-gap">
<div class="usa-layout-docs__sidenav desktop:grid-col-3">
<nav aria-label="Secondary navigation">
<ul class="usa-sidenav">
<li class="usa-sidenav__item">
<a href="types.html" class="usa-current"> Develop and Assess </a>
<li class="usa-sidenav__item">
<a href="#dev" class="">Design, Develop & Deploy</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#define" class="">Define the Accreditation Boundary</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#imp" class="">Implement Controls</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#system" class="">System Test Development</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#onboard" class="">Onboarding to Continuous Diagnostics and Mitigation (CDM) </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#tier" class="">Complete Tier 1-3 Artifacts</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#ready" class="">Readiness Review</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#pen" class="">PenTest</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#act" class="">ACT</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#508" class="">508 Compliance</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#ato" class="">ATO </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#risk" class="">Managing Identified Risks </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#poa" class="">POA&Ms </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#atoreview" class="">ATO Review and Certification </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
</ul>
</nav>
</div>
<main class="usa-layout-docs__main desktop:grid-col-9 usa-prose usa-layout-docs" id="main-content">
<h1> Develop and Assess </h1>
<h3><strong>Overview</strong></h3>
<p>The Develop and Access phase creates user stories or requirements, designs and develops the solution, deploys to a non-production environment, and tests for compliance with the requirements and CMS standards so that it is production-ready.</p>
<p>This is when the system is actually built, deployed and assessed for security and compliance. This includes documenting all controls and implementing necessary controls, finalizing required Artifacts and supplemental documentation, and completing testing and assessments.</p>
<img src="imgs/Develop.png"/>
<p>This phase of the CMS <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC">Target Life Cyle</a> (TLC) framework is document heavy and requires inputs from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:</p>
<ul>
<li>Information System Security Officer (ISSO)</li>
<li>ISSO Contracting Support (ISSOCS)</li>
<li>Cyber Risk Advisor (CRA)</li>
<li>Business Owner (BO)</li>
<li>Penetration (Pen) Test Coordinator</li>
<li>Information Security and Privacy Group (ISPG) Adaptive Capabilities Testing (ACT) team</li>
<li>System Developer and Maintainer (SDM)</li>
<li>Privacy Subject Matter Expert (PSME)</li>
<li>Technical Review Board (TRB)</li>
</ul>
<h3 id="design"><strong>Design, Develop & Deploy</strong></h3>
<p>Design and development is managed by the BO and project team. The TLC requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. Typically, the project team will work with the CMS Cloud Services team to provision the different environments, such as development, implementation and production. As the system is developed, the project team should also move forward with documentation and other compliance activities. </p>
<p>Once the system is designed and developed, it is deployed in a non-production environment. It is tested for compliance with requirements and CMS standards. Everything must all comply with CMS Technical Reference Architecture (TRA) and meet security, privacy and accessibility standards before it is production ready. For more information, see the <a href="https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/117_Systems_Security_MAC_ARS.pdf">CMS Acceptable Risk Safeguards (ARS). </a></p>
<h3 id="define"><strong>Define the Accreditation Boundary</strong></h3>
<p>When defining the accreditation boundary, the CMS cloud service provider provides and supports assets. Additionally, the Application Developer Owner (ADO) provides and supports components. Each project team is responsible for maintaining those assets within the accreditation boundary
</p>
<p>The ISSO works with the project team to define the boundary according to the CMS TRB three tier architecture. If the system is hosted in the CMS Amazon Web Service (AWS) cloud GSS, it can access and use approved templates to simplify the process</p>
<h3 id="imp"><strong>Implement Controls</strong></h3>
<p>The Accreditation Boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/ARS-31-Publication">ARS 3.1 security controls</a> in CFACTS, starting with any inheritable controls available.</p>
<p>Implementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate. </p>
<h3><strong>System Test Development</strong></h3>
<p>With all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end‐to‐end system specifications. This test validates the complete and fully integrated software product, and involves the full project team. </p>
<h3><strong>Onboarding to Continuous Diagnostics and Mitigation (CDM) </strong></h3>
<p>The Cybersecurity and Infrastructure Security Agency (CISA) works with partners across government and the private sector to secure national infrastructure. A big part of this effort—the <a href="https://www.cisa.gov/cdm">Continuous Diagnostics and Mitigation (CDM)</a> program—is strengthening the cybersecurity of federal networks and systems. </p>
<p>As part of the ATO process, the ISSO onboards each system to CDM through three stages:</p>
<ul>
<li>Stage 1: Engage Data Center assessment</li>
<li>Stage 2: Implement and integrate required capabilities</li>
<li>Stage 3: Validate and verify data</li>
</ul>
<p>The system is also onboarded to the CMS Cloud Environment for cloud hosting (if applicable), and the CMS Security Operation Center (CCIC) for security monitoring, event management and incident handling.</p>
<h3 id="tier"><strong>Complete Tier 1-3 Artifacts</strong></h3>
<p>As seen in the Initiate Phase, all systems require Tier 1 Artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine which documentation is required for their system and upload it to CFACTS. </p>
<h3><strong>Readiness Review</strong></h3>
<p>Once all controls, Artifacts and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase. The ISSO and project team set the timing for the required PenTest and ACT, the ISSO reaches out to the <a href="mailto:[email protected]">PenTest mailbox</a> and the <a href="mailto:[email protected]">ACT mailbox</a> to schedule the assessments. As the team works, the timeline and schedule should be shared with the CRA.</p>
<h3 id="pen"><strong>PenTest</strong></h3>
<p>A PenTest helps determine the security of a system by attempting to exploit vulnerabilities. To start the process: </p>
<ol>
<li>The ISSO emails the <a href="mailto:[email protected]">PenTest mailbox</a> to request an intake form and schedule a test.</li>
<li>The PenTest coordinator will work with the ISSO and project team to fill out the intake form. </li>
<li>The PenTest team will then arrange a meeting to discuss the process and inform the ISSO and Business Owner of what to expect. </li>
</ol>
<p>After the test: </p>
<ol>
<li>The PenTest team will notify the project team of any issues.</li>
<li>The team mitigates the issues within 25 days. If an issue is not sufficiently resolved/mitigated within the 25-day window, the team is issued a Plan of Action and Milestones (POA&Ms) to manage it. </li>
<li>When the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties. </li>
<li>The CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS.</li>
</ol>
<p>To avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the ATO deadline. </p>
<h3 id="test"><strong>Adaptive Capabilities Testing (ACT)</strong></h3>
<p>The ACT program was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with Controls (which are still important), ACT facilitates and encourages risk-based decision making. </p>
<p>ACT focuses on the Core Controls that pose the highest risk to CMS and defines mission-oriented security objectives. ACT reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. <a href="https://saf.cms.gov/#/">Read more about ACT</a>.</p>
<p>To fulfill the ACT requirement, the ISSO emails the <a href="mailto:[email protected]">ACT mailbox</a> to request an intake form. The lSSO works with the project team to complete the intake form and with the ACT team to create and complete an assessment plan. Once it is complete, the ACT Final Package will also be uploaded to CFACTS.</p>
<p>The project team should also reach out to the ACT team at least 3 months before the ATO deadline to schedule an ACT assessment.</p>
<h3 id="508"><strong>508 Compliance</strong></h3>
<p>Section 508 of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development and deployment. Before approval, the system is required to meet all applicable 508 guidelines.<strong> <br /></strong></p>
<h3><strong>Managing Identified Risks</strong></h3>
<p>All information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and ACT assessment identify risks, the ISSO will work with the project team and CRA to create a Plan of Action and Milestones (POA&M).</p>
<h3 id="poam"><strong>POA&Ms</strong></h3>
<p><a href="https://csrc.nist.gov/glossary/term/Plan_of_Action_and_Milestones">Plan of Action and Milestones (POA&Ms)</a> are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA&Ms to track and mitigate findings identified during the PenTest and ACT assessment process.</strong> As indicated in the name, a POA&M includes a plan, the resources needed to accomplish the plan, milestones, and scheduled completion dates. For example, a POA&M to mitigate a vulnerability could be: </p>
<ol>
<li>Contact the vendor </li>
<li>Download the patch </li>
<li>Apply the patch in the next maintenance window.</li>
</ol>
<p>The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA&Ms.</p>
<h3 id="atoreview"><strong>ATO Review and Certification</strong></h3>
<p>With all aforementioned documentation and assessments completed and uploaded to CFACTS, the ISSO can now complete an <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-System-ATO-Request-Form">ATO Certification Form</a>. The form is submitted through ServiceNow, a tool that manages the tracking and approval for all relevant stakeholders. The CRA initiates the process for the CRA to create the ATO. </p>
<p>The complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including <a href="https://www.fedramp.gov/">FedRAMP</a>. </p>
<p>The system now officially has an ATO—” the authority to operate decision that culminates from the security authorization process of an information technology system in the US federal government." With a completed and approved ATO, the system officially moves into the <em>Operate Phase </em>of the TLC. </p>
</main>
</div>
</div>
</div>
</main>
<footer class="usa-footer usa-footer--slim">
<div class="grid-container usa-footer__return-to-top">
<!--- <a href="#">Return to top</a>-->
</div>
<div class="usa-footer__primary-section">
<div class="usa-footer__primary-container grid-row">
<div class="mobile-lg:grid-col-8">
<!-- <nav class="usa-footer__nav" aria-label="Footer navigation">
<ul class="grid-row grid-gap">
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
</ul>
</nav>-->
</div>
<div class="mobile-lg:grid-col-4">
<address class="usa-footer__address">
<div class="grid-row grid-gap">
<div class="grid-col-auto mobile-lg:grid-col-12 desktop:grid-col-auto">
<div class="usa-footer__contact-info">
<a href="tel:1-800-555-5555"></a>
</div>
</div>
<div class="grid-col-auto mobile-lg:grid-col-12 desktop:grid-col-auto">
<div class="usa-footer__contact-info">
<a href="mailto:[email protected]"></a>
</div>
</div>
</div>
</address>
</div>
</div>
</div>
<div class="usa-footer__secondary-section">
<div class="grid-container">
<div class="usa-footer__logo grid-row grid-gap-2">
<div class="grid-col-auto">
<img class="usa-footer__logo-img" src="assets/img/uswds-2.11.1/logo-img.png" alt="">
</div>
<div class="grid-col-auto">
<p class="usa-footer__logo-heading"></p>
</div>
</div>
</div>
</div>
</footer>
</body>
</html>