Date: June 30, 2026 Prepared by: Andres Restrepo Target milestone: Knox boundary cutover complete — July 27, 2026
53% complete (249 of 469 engineering story points Done). Five of eight sprints are closed. Engineering execution has been on schedule. The remaining work is blocked on one external dependency: the Knox contract has not been signed.
All major technical implementation work is done through Sprint 5:
- Identity & Access: Firebase authentication fully replaced with AWS Cognito (FedRAMP-authorized). Admin dashboard and bastion access hardened with MFA.
- Infrastructure: Frontend migrated off Vercel to S3+CloudFront inside compliant boundary. KMS/CMK encryption enforced on all PII stores. mTLS transit encryption enabled. WAF deployed on all public endpoints.
- PII Handling: Mapbox integration remediated — no PII (addresses, GPS) sent to non-authorized services.
- Security Controls: Full configuration management baseline (STIGs/CIS Level 2), backup automation, DNSSEC, DKIM/DMARC, input validation, session controls — all complete.
- Decisions Closed: IdP selected (Cognito), Mapbox architecture decided (redact), Knox scope confirmed, CRM Tab 2 integrated.
Engineering (Andres):
- Architecture boundary diagrams + internal connection documentation (feeds SSP)
- Alternate storage and DR site design (CP-6/CP-7)
Governance / Policy (Hannah's team) — must start this week:
- SSP scaffolding and drafting
- Contingency Plan, IR Plan, CP Plan, CM Plan documents
- PIA, Rules of Behavior, 7 additional policies, AT-2/AT-3 training content
| Work Item | Blocked On |
|---|---|
| Knox SIEM detection rules | Contract signature |
| App log emission into Knox | Contract signature |
| GitHub deploy pipeline → Knox accounts | Contract signature |
| EDR/Wiz for ECS | Contract signature |
| Knox workload cutover (Sprint 7) | Contract signature |
Knox has confirmed in writing (Christy O'Glee, June 10): no onboarding materials, accounts, or credentials will be delivered until after the contract is signed. The DPA is in legal review on both sides. Knox has no TIM assigned yet.
At risk. The window is narrow but not closed.
Two things must happen in parallel for July 27 to hold:
- Knox contract must sign by ~July 14 — Knox needs time post-signature to provision managed AWS accounts before cutover work can begin. (Exact provisioning lead time should be confirmed with Casey Jones.)
- Hannah's team must complete all drafts by July 13 — the policy/plan documents feed the Sprint 7 sign-off milestones. If drafts aren't done by end of Sprint 6, the sign-offs slip into Sprint 8 and the ATO window moves regardless of what Knox does.
If either condition fails: July 27 is not achievable. ATO slides to late November at earliest.
gantt
title FedRAMP ATO Timeline — Path A vs Path B
dateFormat YYYY-MM-DD
axisFormat %b %d
section Today
Sprint 6 starts (Jun 30) : milestone, 2026-06-30, 0d
section Hannah — Docs (deadline Jul 13)
SSP draft (AF-257) : active, h1, 2026-06-30, 14d
CP Plan draft (AF-267) : active, h2, 2026-06-30, 14d
IR Plan draft (AF-270) : active, h3, 2026-06-30, 14d
PIA draft (AF-269) : active, h4, 2026-06-30, 14d
CM Plan draft (AF-281) : active, h5, 2026-06-30, 14d
Rules of Behavior (AF-316) : active, h6, 2026-06-30, 14d
7 Policies + Training (AF-294, AF-292) : active, h7, 2026-06-30, 14d
⚠️ Hannah deadline — all drafts due : milestone, crit, 2026-07-13, 0d
section Path A — Contract signs by Jul 14
Sprint 6 · Engineering diagrams + DR design : active, a0, 2026-06-30, 14d
Knox contract signed ✅ : milestone, 2026-07-14, 0d
Sprint 7 · Knox Cutover + Plan sign-offs : a2, 2026-07-14, 13d
SSP sign-off (needs cutover done) : a3, 2026-07-20, 7d
Cutover complete ✅ : milestone, 2026-07-27, 0d
All plans signed off ✅ : milestone, 2026-07-27, 0d
Sprint 8 · Evidence + Pre-assessment : a4, 2026-07-28, 14d
Engineering handoff to Knox : milestone, 2026-08-11, 0d
Knox 90-day 3PAO window : a5, 2026-08-11, 90d
ATO 🎯 : milestone, 2026-11-09, 0d
section Path B — Either condition fails
Sprint 6 · Partial work : crit, b1, 2026-06-30, 14d
Sprint 7 · BLOCKED or incomplete : crit, b2, 2026-07-14, 14d
Jul 27 missed ❌ : milestone, crit, 2026-07-27, 0d
Slipped cutover + sign-offs : crit, b3, 2026-07-28, 14d
Slipped Sprint 8 · Evidence : b4, 2026-08-11, 14d
Engineering handoff (slipped) : milestone, 2026-08-25, 0d
Knox 90-day 3PAO window (slipped) : b5, 2026-08-25, 90d
ATO slipped 🔴 : milestone, crit, 2026-11-23, 0d
What this shows:
- Hannah's deadline is July 13 — all 8 doc items must be in draft-complete state by end of Sprint 6. Sprint 7 sign-offs cannot happen without them.
- Path A (contract by Jul 14 + Hannah done by Jul 13): Knox cutover and all plan sign-offs close Sprint 7 → ATO ~November 9
- Path B (either condition misses): Sprint 7 stalls → ATO ~November 23+
- Both owners have independent deadlines on the same date. Jonathan: contract. Hannah: drafts. If either slips, the path diverges.
All 8 items must reach draft-complete by July 13 to feed Sprint 7 sign-offs:
| Ticket | Document | Sprint 7 Gate It Feeds | Status |
|---|---|---|---|
| AF-257 | SSP scaffolding + drafting | AF-297 SSP v1 sign-off (also needs Knox cutover) | To Do |
| AF-267 | CP-2 Contingency Plan | AF-300 CP Plan v1 sign-off | To Do |
| AF-269 | PIA draft | AF-298 PIA v1 sign-off | To Do |
| AF-270 | IR Plan v0 | AF-299 IR Plan v1 sign-off | To Do |
| AF-281 | CM Plan draft | AF-301 CM Plan v1 sign-off | To Do |
| AF-316 | Rules of Behavior + Access Agreements | AF-320 signatures collected | To Do |
| AF-294 | 7 additional policies | Sprint 7 governance review | To Do |
| AF-292 | AT-2/AT-3 training content | AF-326 training records filed | To Do (unassigned) |
Sprint 7 sign-offs (July 14–27) — these all close in Sprint 7 once drafts land:
| Ticket | Sign-off | Owner |
|---|---|---|
| AF-298 | PIA v1 | Hannah |
| AF-299 | IR Plan v1 | Hannah + Andres |
| AF-300 | CP Plan v1 | Hannah + Andres |
| AF-301 | CM Plan v1 | Hannah + Andres |
| AF-297 | SSP v1 (needs cutover complete first) | Hannah + Andres |
| AF-320 | RoB signatures collected | Hannah |
Sprint 8 (July 28 – Aug 11):
| Ticket | Work | Owner |
|---|---|---|
| AF-305 | CP Plan tabletop / recovery test | Hannah + Andres |
| AF-306 | IR Plan tabletop exercise | Hannah + Andres |
| Scenario | Contract Signed | Hannah Drafts Done | July 27 Cutover | ATO Target |
|---|---|---|---|---|
| Path A — Best case | By ~Jul 14 | By Jul 13 ✅ | ✅ On track | ~November 9, 2026 |
| Path B — Either slips | Jul 28+ or late | Incomplete | ❌ Misses | ~November 23, 2026+ |
| Risk | Severity | Owner | Status |
|---|---|---|---|
| Knox contract not signed | Critical | Jonathan | DPA in legal review; no TIM assigned at Knox |
| July 27 cutover window | Critical | Jonathan + Andres | ~2 weeks to save the date |
| Hannah's 8 doc items not started | Critical | Hannah | Sprint 6 just started — deadline July 13 |
| Post-contract engineering backlog | Medium | Andres | Clears within 1–2 weeks once contract signs |
| Action | Owner | Deadline |
|---|---|---|
| Sign the Knox contract | Jonathan | Immediately |
| Confirm Knox account provisioning lead time with Casey Jones | Jonathan | This week |
| Begin all 8 doc drafts (SSP, CP, IR, PIA, CM, RoB, policies, training) | Hannah | Today — due Jul 13 |
| Assign AF-292 (training content) to Hannah | Andres/Jonathan | Today |
| Begin architecture diagrams (AF-293) | Andres | Today |
Data source: Live Jira (AF2 project) as of June 30, 2026. Story point totals verified against planning CSV. Sprint dates and ATO projections verified by Python date arithmetic.