From a178aa5d380de6d06083ebfd357ddd74a126d958 Mon Sep 17 00:00:00 2001 From: Boris Ning <41026275+boris-ning-usds@users.noreply.github.com> Date: Thu, 3 Oct 2024 09:52:10 -0400 Subject: [PATCH] Initial commit --- .gitattributes | 13 ++ .github/ISSUE_TEMPLATE/bug_report.md | 44 ++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 ++ .github/ISSUE_TEMPLATE/maintenance.md | 18 ++ .../pull_request_template.md | 23 ++ .../PULL_REQUEST_TEMPLATE/vulnerability.md | 14 ++ .vscode/settings.json | 8 + CONTRIBUTING.md | 38 ++++ DISCLAIMER.md | 23 ++ LICENSE | 201 ++++++++++++++++++ README.md | 75 +++++++ code-of-conduct.md | 103 +++++++++ open_practices.md | 126 +++++++++++ rules_of_behavior.md | 72 +++++++ thanks.md | 6 + 15 files changed, 784 insertions(+) create mode 100644 .gitattributes create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/ISSUE_TEMPLATE/maintenance.md create mode 100644 .github/PULL_REQUEST_TEMPLATE/pull_request_template.md create mode 100644 .github/PULL_REQUEST_TEMPLATE/vulnerability.md create mode 100644 .vscode/settings.json create mode 100644 CONTRIBUTING.md create mode 100644 DISCLAIMER.md create mode 100644 LICENSE create mode 100644 README.md create mode 100644 code-of-conduct.md create mode 100644 open_practices.md create mode 100644 rules_of_behavior.md create mode 100644 thanks.md diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..dcdf697 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,13 @@ +# Normal text let sit to auto +*.htm text +*.html text +*.css text +*.js text + +## Declare files that will always have LF (aka \n aka 10 aka 0x0a) line endings on checkout. +*.sh text eol=lf +*.md text eol=lf +*.json text eol=lf +*.yml text eol=lf +*.csv text eol=lf + diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..747e8aa --- /dev/null 
+++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,44 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what feature is not working. + +**Impact** +Please describe the impact this bug is causing to your program or organization. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Logs** +If applicable, please attach logs to help describe your problem. + +**Desktop (please complete the following information):** + - OS: [e.g. iOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 22] + +**Smartphone (please complete the following information):** + - Device: [e.g. iPhone6] + - OS: [e.g. iOS8.1] + - Browser [e.g. stock browser, safari] + - Version [e.g. 22] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..bbcbbe7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. 
diff --git a/.github/ISSUE_TEMPLATE/maintenance.md b/.github/ISSUE_TEMPLATE/maintenance.md new file mode 100644 index 0000000..179cb38 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/maintenance.md @@ -0,0 +1,18 @@ +--- +name: Maintenance +about: Questions and requests related to organizational support and maintenance +title: '' +labels: '' +assignees: '' + +--- + +**What type of help do you need?** + +* [ ] Question +* [ ] New Repo +* [ ] Delete Repo +* [ ] User Membership (please make sure new members are familiar with the [CDC open practices](https://github.com/CDCgov/template/blob/master/open_practices.md#profile-setup) and set up their profile with name and org info to help people collaborate with them) +* [ ] Other + +**Please describe how you'd like us to help.** diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md new file mode 100644 index 0000000..beeb255 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md @@ -0,0 +1,23 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' +--- + +**Please describe the bug this fixes or the feature this adds.** + +**Please describe how you tested this change. Include unit tests whenever possible.** + +**Did you create or modify any associated documentation with this change? If documentation is not included in PR, please link to related documentation.** + +**If you added or modified HTML, did you check that it was 508 compliant?** + +**Please tag any specific reviewers you would like to review this PR** + +**Please include the following checks for open source contributing?** + +* [ ] Did you check for sensitive data, and remove any? +* [ ] Are additional approvals needed for this change? +* [ ] Are there potential vulnerabilities or licensing issues with any new dependencies introduced? 
diff --git a/.github/PULL_REQUEST_TEMPLATE/vulnerability.md b/.github/PULL_REQUEST_TEMPLATE/vulnerability.md new file mode 100644 index 0000000..1a1879d --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/vulnerability.md @@ -0,0 +1,14 @@ +--- +name: Vulnerability Maintenance +about: Routine updates to address vulnerabilities. +title: '' +labels: '' +assignees: '' + +--- + +**What vulnerabilities does this PR remove or update?** + +**Have you tested to make sure these updates do not cause unintended consequences?** + +**Are these patch updates? minor? major?** diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..6b502cd --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,8 @@ +{ + "cSpell.words": [ + "ATSDR", + "CFPB", + "ISSO", + "cybersecurity" + ] +} \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..5638186 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,38 @@ +# Welcome! +Thank you for contributing to CDC's Open Source projects! If you have any +questions or doubts, don't be afraid to send them our way. We appreciate all +contributions, and we are looking forward to fostering an open, transparent, and +collaborative environment. + +Before contributing, we encourage you to also read our [LICENSE](LICENSE), +[README](README.md), and +[code-of-conduct](code-of-conduct.md) +files, also found in this repository. If you have any inquiries or questions not +answered by the content of this repository, feel free to [contact us](mailto:surveillanceplatform@cdc.gov). + +## Public Domain +This project is in the public domain within the United States, and copyright and +related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/). +All contributions to this project will be released under the CC0 dedication. By +submitting a pull request you are agreeing to comply with this waiver of +copyright interest. + +## Requesting Changes +Our pull request/merging process is designed to give the CDC Surveillance Team +and other in our space an opportunity to consider and discuss any suggested +changes. This policy affects all CDC spaces, both on-line and off, and all users +are expected to abide by it. + +### Open an issue in the repository +If you don't have specific language to submit but would like to suggest a change +or have something addressed, you can open an issue in this repository. Team +members will respond to the issue as soon as possible. + +### Submit a pull request +If you would like to contribute, please submit a pull request. In order for us +to merge a pull request, it must: + * Be at least seven days old. Pull requests may be held longer if necessary + to give people the opportunity to assess it. + * Receive a +1 from a majority of team members associated with the request. 
+ If there is significant dissent between the team, a meeting will be held to + discuss a plan of action for the pull request. diff --git a/DISCLAIMER.md b/DISCLAIMER.md new file mode 100644 index 0000000..63fa40c --- /dev/null +++ b/DISCLAIMER.md @@ -0,0 +1,23 @@ +# DISCLAIMER +Use of this service is limited only to **non-sensitive and publicly available +data**. Users must not use, share, or store any kind of sensitive data like +health status, provision or payment of healthcare, Personally Identifiable +Information (PII) and/or Protected Health Information (PHI), etc. under **ANY** +circumstance. + +Administrators for this service reserve the right to moderate all information +used, shared, or stored with this service at any time. Any user that cannot +abide by this disclaimer and Code of Conduct may be subject to action, up to +and including revoking access to services. + +The material embodied in this software is provided to you "as-is" and without +warranty of any kind, express, implied or otherwise, including without +limitation, any warranty of fitness for a particular purpose. In no event shall +the Centers for Disease Control and Prevention (CDC) or the United States (U.S.) +government be liable to you or anyone else for any direct, special, incidental, +indirect or consequential damages of any kind, or any damages whatsoever, +including without limitation, loss of profit, loss of use, savings or revenue, +or the claims of third parties, whether or not CDC or the U.S. government has +been advised of the possibility of such loss, however caused and on any theory +of liability, arising out of or in connection with the possession, use or +performance of this software. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..8dada3e --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..a3cae32 --- /dev/null +++ b/README.md 
@@ -0,0 +1,75 @@ +# CDCgov GitHub Organization Open Source Project Template + +**Template for clearance: This project serves as a template to aid projects in starting up and moving through clearance procedures. To start, create a new repository and implement the required [open practices](open_practices.md), train on and agree to adhere to the organization's [rules of behavior](rules_of_behavior.md), and [send a request through the create repo form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) using language from this template as a Guide.** + +**General disclaimer** This repository was created for use by CDC programs to collaborate on public health related projects in support of the [CDC mission](https://www.cdc.gov/about/organization/mission.htm). GitHub is not hosted by the CDC, but is a third party website used by CDC and its partners to share information and collaborate on software. CDC use of GitHub does not imply an endorsement of any one particular service, product, or enterprise. + +## Access Request, Repo Creation Request + +* [CDC GitHub Open Project Request Form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) _[Requires a CDC Office365 login, if you do not have a CDC Office365 please ask a friend who does to submit the request on your behalf. 
If you're looking for access to the CDCEnt private organization, please use the [GitHub Enterprise Cloud Access Request form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUQjVJVDlKS1c0SlhQSUxLNVBaOEZCNUczVS4u).]_ + +## Related documents + +* [Open Practices](open_practices.md) +* [Rules of Behavior](rules_of_behavior.md) +* [Thanks and Acknowledgements](thanks.md) +* [Disclaimer](DISCLAIMER.md) +* [Contribution Notice](CONTRIBUTING.md) +* [Code of Conduct](code-of-conduct.md) + +## Overview + +Describe the purpose of your project. Add additional sections as necessary to help collaborators and potential collaborators understand and use your project. + +## Public Domain Standard Notice +This repository constitutes a work of the United States Government and is not +subject to domestic copyright protection under 17 USC § 105. This repository is in +the public domain within the United States, and copyright and related rights in +the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/). +All contributions to this repository will be released under the CC0 dedication. By +submitting a pull request you are agreeing to comply with this waiver of +copyright interest. + +## License Standard Notice +The repository utilizes code licensed under the terms of the Apache Software +License and therefore is licensed under ASL v2 or later. + +This source code in this repository is free: you can redistribute it and/or modify it under +the terms of the Apache Software License version 2, or (at your option) any +later version. + +This source code in this repository is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +PARTICULAR PURPOSE. See the Apache Software License for more details. 
+ +You should have received a copy of the Apache Software License along with this +program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html + +The source code forked from other open source projects will inherit its license. + +## Privacy Standard Notice +This repository contains only non-sensitive, publicly available data and +information. All material and community participation is covered by the +[Disclaimer](DISCLAIMER.md) +and [Code of Conduct](code-of-conduct.md). +For more information about CDC's privacy policy, please visit [http://www.cdc.gov/other/privacy.html](https://www.cdc.gov/other/privacy.html). + +## Contributing Standard Notice +Anyone is encouraged to contribute to the repository by [forking](https://help.github.com/articles/fork-a-repo) +and submitting a pull request. (If you are new to GitHub, you might start with a +[basic tutorial](https://help.github.com/articles/set-up-git).) By contributing +to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, +non-exclusive, transferable license to all users under the terms of the +[Apache Software License v2](http://www.apache.org/licenses/LICENSE-2.0.html) or +later. + +All comments, messages, pull requests, and other submissions received through +CDC including this GitHub page may be subject to applicable federal law, including but not limited to the Federal Records Act, and may be archived. Learn more at [http://www.cdc.gov/other/privacy.html](http://www.cdc.gov/other/privacy.html). + +## Records Management Standard Notice +This repository is not a source of government records, but is a copy to increase +collaboration and collaborative potential. All government records will be +published through the [CDC web site](http://www.cdc.gov). 
+ +## Additional Standard Notices +Please refer to [CDC's Template Repository](https://github.com/CDCgov/template) for more information about [contributing to this repository](https://github.com/CDCgov/template/blob/main/CONTRIBUTING.md), [public domain notices and disclaimers](https://github.com/CDCgov/template/blob/main/DISCLAIMER.md), and [code of conduct](https://github.com/CDCgov/template/blob/main/code-of-conduct.md). diff --git a/code-of-conduct.md b/code-of-conduct.md new file mode 100644 index 0000000..2633c7b --- /dev/null +++ b/code-of-conduct.md 
@@ -0,0 +1,103 @@ +# Creating a Culture of Innovation +We aspire to create a culture where people work joyfully, communicate openly +about things that matter, and provide great services globally. We would like our +team and communities (both government and private sector) to reflect on +diversity of all kinds, not just the classes protected in law. Diversity fosters +innovation. Diverse teams are creative teams. We need a diversity of perspective +to create solutions for the challenges we face. + +This is our code of conduct (adapted from [18F's Code of Conduct](https://github.com/18F/code-of-conduct)). +We follow all Equal Employment Opportunity laws and we expect everyone we work +with to adhere to the [GSA Anti-harassment Policy](http://www.gsa.gov/portal/directive/d0/content/512516), +even if they do not work for the Centers for Disease Control and Prevention or +GSA. We expect every user to follow this code of conduct and the laws and +policies mentioned above. + +## Be Empowering +Consider what you can do to encourage and support others. Make room for quieter +voices to contribute. Offer support and enthusiasm for great ideas. Leverage the +low cost of experimentation to support your colleagues' ideas, and take care to +acknowledge the original source. Look for ways to contribute and collaborate, +even in situations where you normally wouldn't. Share your knowledge and skills. +Prioritize access for and input from those who are traditionally excluded from +the civic process. + +## Rules of Behavior + * I understand that I must complete security awareness and records management + training annually in order to comply with the latest security and records + management policies. 
+ * I understand that I must also follow the [Rules of Behavior for use of HHS Information Resources](http://www.hhs.gov/ocio/policy/hhs-rob.html) + * I understand that I must not use, share, or store any kind of sensitive data + (health status, provision or payment of healthcare, PII, etc.) under ANY + circumstance. + * I will not knowingly conceal, falsify, or remove information. + * I understand that I can only use non-sensitive and/or publicly available + data. + * I understand that all passwords I create to set up accounts need to comply + with CDC's password policy. + * I understand that the stewards reserves the right to moderate all data at any + time. + +## Boundaries +Create boundaries to your own behavior and consider how you can create a safe +space that helps prevent unacceptable behavior by others. We can't list all +instances of unacceptable behavior, but we can provide examples to help guide +our community in thinking through how to respond when we experience these types +of behavior, whether directed at ourselves or others. + +If you are unsure if something is appropriate behavior, it probably is not. Each +person we interact with can define where the line is for them. Impact matters +more than intent. Ensuring that your behavior does not have a negative impact is +your responsibility. Problems usually arise when we assume that our way of +thinking or behavior is the norm for everyone. + +### Here are some examples of unacceptable behavior + * Negative or offensive remarks based on the protected classes as listed in the + GSA Anti-harassment Policy of race, religion, color, sex, national origin, + age, disability, genetric information, sexual orientation, gender identity, + parental status, maritual status, and political affiliation as well as gender + expression, mental illness, socioeconomic status or backgrounds, + neuro(a)typicality, physical appearance, body size, or clothing. 
Consider + that calling attention to differences can feel alienating. + * Sustained disruption of meetings, talks, or discussions, including chatrooms. + * Patronizing language or behavior. + * Aggressive behavior, such as unconstructive criticism, providing correction + that do not improve the conversation (sometimes referred to as "well + actually's"), repeatedly interrupting or talking over someone else, feigning + surprise at someone's lack of knowledge or awareness about a topic, or subtle + prejudice. + * Referring to people in a way that misidentifies their gender and/or rejects + the validity of their gender identity; for instance by using incorrect + pronouns or forms of address (misgendering). + * Retaliating against anyone who files a formal complaint that someone has + violated these codes or laws. + +## Background +CDC Scientific Clearance is the process of obtaining approvals by appropriate +CDC officials before a CDC information product is released to the public or +CDC's external public health partners. Information products that require formal +clearance include print, electronic, or oral materials, that CDC employees +author or co-author, whether published by CDC or outside CDC. CDC contractors +developing content on behalf of CDC for the public or CDC's external public +health partners are also required to put their content through the formal +clearance process. The collaborative functions related to the projects include +blogs, wikis, forums, bug tracking sites, source control and +others deemed as necessary. + +For those individuals within the CDC, adherence to the following policies are +required: +* CDC ["Clearance of Information Products Disseminated Outside CDC for Public Use"](http://www.cdc.gov/maso/Policy/PublicUse.pdf) +* HHS ["Ensuring the Quality of Information Disseminated by HHS agencies"](http://aspe.hhs.gov/infoquality) + +All collaborative materials will be controlled by the rules contained within +this document. 
This will allow for the real-time collaboration opportunities +among CDC employees, CDC contractors and CDC public health partners. + +## Credit +This code of conduct was mainly adapted from [18F's Code of Conduct](https://github.com/18F/code-of-conduct) +and the [CDC's Informatics Innovation Unit R&D Lab's code of conduct.](https://www.philab.cdc.gov/index.php/code-of-conduct/) + +## Relevant Legal Considerations +* [Laws enforced by the Equal Employment Opportunity Commission](http://www.eeoc.gov/laws/statutes/index.cfm) +* [Types of discrimination prohibited by law](http://www.eeoc.gov/laws/types) +* [New and proposed regulations](http://www.eeoc.gov/laws/regulations/index.cfm) diff --git a/open_practices.md b/open_practices.md new file mode 100644 index 0000000..357ecbb --- /dev/null +++ b/open_practices.md 
@@ -0,0 +1,126 @@ +# CDC GitHub Practices for Open Source Projects + +**The [CDCGov organization on GitHub](https://github.com/CDCgov) is designated for use by CDC programs to publish open source code.** This is a set of practices to help programs release secure and compliant open source projects successfully. If you are interested in using GitHub for non-open source projects, please see information on our [enterprise organization](#cdc-enterprise). + +We designed these practices to be straightforward and helpful, and we [accept feedback](#support-and-feedback) from the community on updating them. For [Required Practices](#required-practices), Projects that don't adhere to the [Required Practices](#required-practices) could be subject to [archival or removal](#non-compliance-procedure). + +## Getting Started + +Before you can publish your project, you must request access to be added to the CDCgov organization. Complete these steps: + +1. Review the [Rules of Behavior](rules_of_behavior.md). +2. Confirm your [Github profile is setup](#profile-setup) properly. +3. Complete the [project request form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u). + * This will require your CDC login, so if you don't have a login, ask someone to request on your behalf, or [get in touch](#support-and-feedback). + +You should receive an email or notification when you are given access and your first repository should be setup for you. For subsequent projects, you will be able to create a repository in the organization using Github's interface. The [template repository](https://github.com/CDCgov/template) is maintained and an easy way to quick start your repository that complies with the guidelines. Once this is completed you're ready to follow the required guidelines to publish code. + +## Required Practices + +You must follow these practices before you publish real code into your repository. 
+ +* [ ] **Get Clearance.** Always obtain clearance from your organization prior to setting up and publishing a repository. + * GitHub is a third party service used by CDC to collaborate with the public. Official CDC health messages will always be distributed through www.cdc.gov and through appropriate channels, so make sure to plan your project along with your official public health program on cdc.gov. +* [ ] **Naming.** Set a meaningful project name and short description for your project. The form to do this is in your repositories settings. + * [ ] Add [topics](https://help.github.com/en/github/administering-a-repository/classifying-your-repository-with-topics) to improve discovery and use of your project. For AI-related projects, the [Code.gov Implementation Guidance to Federal Agencies Regarding Enterprise Data and Source Code Inventories](https://code.gov/federal-agencies/compliance/inventory-code) must be followed when setting topics. +* [ ] **Create a README.** Add a `README.md` file at the root with the following: + * An overview of your project, including the purpose, goals and the team responsible. + * A description of your development process in the `README.md` file. If your project is no longer active, mark it as [archived](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/archiving-repositories). + * Include the following notice sections. You can modify the verbiage and adapt as necessary based on your program need. 
+ * [ ] [Public Domain Standard Notice](https://github.com/CDCgov/template#public-domain-standard-notice) + * [ ] [License Standard Notice](https://github.com/CDCgov/template#license-standard-notice) + * [ ] [Privacy Standard Notice](https://github.com/CDCgov/template#privacy-standard-notice) + * [ ] [Contributing Standard Notice](https://github.com/CDCgov/template#contributing-standard-notice) + * [ ] [Records Management Standard Notice](https://github.com/CDCgov/template#records-management-standard-notice) + * [ ] [Additional Standard Notices](https://github.com/CDCgov/template#additional-standard-notices) +* [ ] **Choose a license.** Assign an open source license based on program need. + * If you need help choosing a license, please review [this article](https://www.philab.cdc.gov/index.php/2012/03/27/open-source-development-for-public-health-informatics/), refer to existing CDCgov projects, or ask for consultation support in choosing a license. +* [ ] **Security scanning and review.** + * **This is the final step before publishing and the most critical.** + * All source code used within CDC systems must comply with all cybersecurity processes prior to production use, including static and dynamic scanning. The same applies to code published as open source. + * If you are unsure about compliance, reach out to your organization's security officers. + * Never commit sensitive information, including usernames, passwords, tokens, PII, PHI. To automate this, you can integrate pre-commit tools like [Clouseau](https://github.com/cfpb/clouseau) to systematically review material before committing. + * Make sure that the commit history of your Github repository also doesn't have these things. In many cases it's easier to start a new repository and push up the code that has all sensitive information removed as the first commit. 
+ * Enable [GitHub automated security alerts](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies) and configure notification for the repo admin to see. +* [ ] **Setup your profile.** [Active project committers need to add profile info to help collaboration.](#profile-setup) + * [ ] **Two-factor authentication (2FA).** [Project admins must secure their account with two-factor-authentication.](https://docs.github.com/en/enterprise-server@2.21/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa) +* [ ] **Maintain your repository.** Once your repository is published, you must do the following to remain in compliance: + * [ ] **Respond to critical security issues and communication from administrators.** Ignoring security issues or not responding to communication from administrators can result in [archiving or removal](#non-compliance-procedure). + * [ ] **Archive old projects.** If you're no longer updating the project or have moved it's location, update your `README.md` file to let users know and [archive the repository](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/archiving-repositories). + +## Recommended Practices + +Optional improvements to make your open source project more successful. + +* [ ] Establish pull request templates to make it easier for contributors to send pull requests. For example [SDP-V has a checklist for each PR to match their development practices.](https://github.com/CDCgov/SDP-Vocabulary-Service/blob/master/.github/PULL_REQUEST_TEMPLATE) +* [ ] Agree on project conventions and include them in your `README.md` file. Depending on what type of project, this includes folder structure for data, linters, editor configuration (eg, [MicrobeTrace's .editorconfig](https://github.com/CDCgov/MicrobeTrace/blob/master/.editorconfig)). 
This will help improve the quality of your project and make it easier for others to contribute to your project. +* [ ] Add support and community procedures. CDC does not provide warranty or official support for open source projects, but describing how you would like questions and issues will assist users of your project. If you use a wiki, or project board, or package manager, describe and link to that. Official contribution steps will make it easier for people outside of CDC to contribute to your project. +* [ ] Include references to publications, presentations, and sites featuring your project. +* [ ] Add an entry to [open.cdc.gov](https://open.cdc.gov) to the [data](https://open.cdc.gov/data.html), [code](https://open.cdc.gov/code.html), [api](https://open.cdc.gov/apis.html), or [event](https://open.cdc.gov/events.html) page to help people find your project on cdc.gov +* [ ] Add versions and tags describing major releases and milestones. For example, [open.cdc.gov's releases each time a new version is published to the web site](https://github.com/CDCgov/opencdc/releases/tag/v1.0.9) or [geneflow's changelog](https://github.com/CDCgov/geneflow/blob/master/CHANGELOG.md). +* [ ] Follow [Semantic Versioning 2.0.0](https://semver.org/) when creating versions for your project. +* [ ] Describe and test reproducible practices to install and build your project. For example, [injury_autocoding's code section on running the project's scripts](https://github.com/cdcai/injury_autocoding#code)). +* [ ] Recognize contributors and existing resources that have helped the project. For example, [fdns-ms-hl7-utils' AUTHORS file](https://github.com/CDCgov/fdns-ms-hl7-utils/blob/master/AUTHORS). 
+* [ ] Automate build and test procedures to reduce the effort of outside contributors to send pull requests (eg, [Travis CI](https://travis-ci.org/), [Circle CI](https://circleci.com/), [GitHub Actions](https://help.github.com/en/actions)) +* [ ] [Appropriately gather metrics](https://opensource.guide/metrics/) on how your project is used and incorporate this into your feature planning process. +* [ ] [Incorporate documentation into your development cycle](https://github.com/GSA/code-gov-open-source-toolkit/blob/master/toolkit_docs/documentation.md), and where possible, automate the generation of documentation so it is more likely to be up to date and useful to people interested in your project. + +## Guidance + +### Support and Feedback + +If you need additional support with your setting up project, or have any feedback or ideas about this guidance please [open an issue](https://github.com/CDCgov/template/issues) or send an email to [data@cdc.gov](mailto:data@cdc.gov). We also accept pull requests if you want to directly edit the guidance. + +### Non-Compliance Procedure + +Projects in this organization are reviewed occasionally for compliance with the [Required Practices](#required-practices). If your project is found to not be in compliance, you will be contacted by administrators to help bring your project into compliance. Projects that do not respond or that habitually fail to meet these practices will be archived or removed from the organization, depending on severity. + +### Profile Setup + +Please make sure your profile is set up properly to help us work better together. Specifically, keep your profile up to date with: + +* **Name:** Your first and last name. +* **Company:** Your government agency or contracting company. (If you also use GitHub for personal projects, consider specifying “CDC (work) + personal projects” to make it clear that some of your GitHub projects may be personal in nature.) +* **Location:** Your primary work location (city, state). 
+* **Photo:** A headshot photo, or an appropriate image that is unique to you. + +If you admin any projects, make sure to [secure your account with two-factor authentication (2FA)](https://docs.github.com/en/enterprise-server@2.21/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa). Although you probably already did this because you are smart. + +### Open Source Checklist + +So you've decided to set up an open source project at CDC. Here are the steps to do that, in the most common order. + +* [ ] Create a new project using the [template repo](https://github.com/CDCgov/template). +* [ ] Update your readme.md following the [CDC GitHub Practices for Open Source Projects](https://github.com/CDCgov/template/blob/master/open_practices.md) +* [ ] Choose a license. Most projects are ASL2, but license should meet public health program need. See for more info on choosing a license. +* [ ] Remove all sensitive info. +* [ ] Talk with your ADI, ADS, and ISSO for review and clearance. +* [ ] After approval, create a GitHub user. +* [ ] Fill out the [Request a Repo form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUNk43NzMwODJTRzA4NFpCUk1RRU83RTFNVi4u) for a new repo on [CDCGov](https://github.com/cdcgov) or [CDCai](https://github.com/cdcai). +* [ ] When you get an email or push alert that your repo is ready, push to GitHub +* [ ] Add an entry in [open.cdc.gov](https://open.cdc.gov) on their [code page](https://open.cdc.gov/code.html) to officially be linked from cdc.gov. This helps users find and use your project. +* [ ] Keep your project up to date, when you're finished flag it as [archived](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/archiving-repositories). 
+ +_This checklist was adapted from the CDC IT Guard Rail and put here to help people who don't have access to the intranet._ + +### CDC Enterprise + +Our [CDCent](https://github.com/cdcent/) organization is used for private, non-public projects so only CDC staff and approved outside collaborators work on these projects, you can request access through the [GitHub Enterprise Cloud form](https://forms.office.com/Pages/ResponsePage.aspx?id=aQjnnNtg_USr6NJ2cHf8j44WSiOI6uNOvdWse4I-C2NUQjVJVDlKS1c0SlhQSUxLNVBaOEZCNUczVS4u). + +### Reference Links + +These are helpful links from across the Federal Government regarding open sourcing code. + +* [CFPB Open Tech](https://cfpb.github.io/) +* [TTS Engineering Practices Guide](https://engineering.18f.gov/) +* [18F Open Source Policy](https://github.com/18F/open-source-policy) and [Practicing our open source policy](https://github.com/18F/open-source-policy/blob/master/practice.md) +* [GitHub and Government: How agencies build software](https://government.github.com/) +* [code.gov](https://code.gov) +* [Federal Source Code and Open Source Toolkit](https://github.com/GSA/code-gov-open-source-toolkit) +* [Federal Source Code Policy (M-16-21)](https://sourcecode.cio.gov/) +* [openCDC](https://open.cdc.gov) +* [Digital Services Playbook](https://playbook.cio.gov/) +* [CDC/ATSDR Policy on Public Health Research and Nonresearch Data Management and Access](https://www.cdc.gov/maso/policy/policy385.pdf) + * [CDC/ATSDR Policy on Releasing and Sharing Data](https://www.cdc.gov/maso/Policy/ReleasingData.pdf) (old version, but still a useful reference) +* [Clearance of Information Products Disseminated Outside CDC for Public Use](https://www.cdc.gov/os/policies/docs/CDC-GA-2005-06_Clearance_of_Information_Products_Disseminated_Outside_for_Public_Use.pdf) +* [Federal Source Code Toolkit](https://github.com/GSA/code-gov-open-source-toolkit) diff --git a/rules_of_behavior.md b/rules_of_behavior.md new file mode 100644 index 0000000..06b5716 
--- /dev/null +++ b/rules_of_behavior.md 
@@ -0,0 +1,72 @@ +# Rules of Behavior and Posting Guidelines for the Use of GitHub as a Third-Party Web Application + +## Purpose + +These rules of behavior establish the privacy and information security requirements for the use of Third Party Web Applications (TPWAs) in conjunction with the CDC GitHub.com organizations established for open source projects. These rules of behavior were developed to ensure that CDC and its confidential information and technologies are not compromised, as well as protecting general CDC interests and services from risks associated with the use of TPWAs while allowing for the increased efficiencies and cost savings that come with appropriate use of third party services. + +## Scope + +These rules of behavior and its related guidance apply to federal employees, contractors, and all external collaborators who will access GitHub from CDC directly or use them with non-sensitive data obtained from CDC. All engagement with TPWAs related to the GitHub will be governed by these rules of behavior, as well as to the Rules of Behavior for the Use of HHS Information Services. + +## Ownership + +CDC assigns three stewards in charge of rules and policy compliance: a Business Steward, a Security Steward, and a Technical Steward. The business and security stewards are responsible for establishing policy and providing approval, while the technical steward fulfills requests from users. Users requesting access to GitHub that have not been approved yet need to assign a main and a backup point of contact (POC) with the business steward, as well as provide a justification to the security steward. + +The security steward is responsible for the security of the GitHub usage as a TPWA and its impact on the CDC network and compliance with CDC security policies. All users, including POCs, are responsible for adherence to this policy and associated processes. 
Where there is not a rule of behavior that provides explicit guidance, users must do their best to safeguard CDC and its network and services from security risks. + +## Rules of Behavior + +All new users of GitHub must read and acknowledge these rules before using any of the approved TPWAs. This acknowledgment must be completed annually, and establishes agreement from part of the user to adhere to these rules. + +* I understand that I must complete security awareness and records management training annually in order to comply with the latest security and records management policies. +* I understand that I must also follow the Rules of Behavior for use of HHS Information Resources. +* I understand that I must not use, share, or store any kind of sensitive data (health status, provision or payment of healthcare, pictures, PII, etc.) with TPWAs under ANY circumstance. +* I will not knowingly conceal, falsify or remove information.This includes editing or removing the template language provided when a Github repository is created. +* I understand that I can only use non-sensitive and/or publicly available data in GitHub. If you are unsure of what constitutes non-sensitive information, please see guidance below. +* I understand that all passwords I create to set up GitHub accounts need to comply with CDC’s password policy. +* I understand that the steward reserves the right to moderate all data at any time. +* I understand my responsibilities to protect systems and data as specified by CDC policies. + +## Guidance Regarding Non-Sensitive and Publicly Available Information + +In support of program collaboration in the use oF GitHub, portions of some GitHub projects are either currently open to the public or may become open to the public in the future. The following guidelines will inform and assist the user in determining that the information to be posted on GitHub is not sensitive. 
The bottom line is if the content you are posting is not appropriate to post for public access, it should not be posted on GitHub. + +Before posting information that involves other CDC programs, employees, etc. to GitHub, it is important that the poster ensures they receive approval by the relevant CDC entity to post the information. + +Questions to consider before posting information include: + +| Do I have reservations about anyone viewing this information? | Yes | Do not post. | +| Were individuals informed that this information would be posted on GitHub? | No | Do not post. | +| Does this information contain details or descriptions of CDC security systems or other sensitive infrastructures? | Yes | Do not post. | +| Does this information reflect program efforts to engage and inform external partners and the public? | No | Do not post. | + +Examples of information which has been deemed not sensitive and may be posted on GitHub include the following. + +* Source Code +* Use cases +* User stories/requirements +* Process flows +* Program pain points +* Software Service Descriptions + +Sensitive information, which should not be posted, includes (but is not limited to) the following. + +* Information directly attributed to an individual in a sensitive manner +* The names or pictures of individuals +* Protected health information +* Project management material. This includes posting or discussing security documentation, implementation plans, communications regarding project specifics, etc. +* Opinions related to programs or tools, specifically those that may have an adverse impact +* Non-public Links to CDC SharePoint or other internal references +* Non-public Details on CDC internal infrastructure + +If there’s any question on whether information may be sensitive (such as detailed interview notes or specific references provided during a program interview), further guidance should be sought from the security steward prior to posting the information on any GitHub. 
+ +## Enforcement + +Users looking to use GitHub that are unable to follow these rules of behavior will not have authorization to do so. Any users that violate these rules of behavior or CDC security policies may be subject to action, up to and including revoking access to GitHub. Technical and security stewards have the right to enforce these rules of behavior based on violations at any time. + +## References + +* [Policy for Managing the Use of Third-Party Websites and Applications](https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/policy-social-media-technologies/index.html) +* [Rules of Behavior for Use of HHS Information Resources](http://www.hhs.gov/ocio/policy/hhs-rob.html) +* [Security and Awareness Training](http://sat.cdc.gov/) (requires login) diff --git a/thanks.md b/thanks.md new file mode 100644 index 0000000..0f135cb --- /dev/null +++ b/thanks.md @@ -0,0 +1,6 @@ +# Thanks and Acknowledgements + +Starting this file way too late, but wanted to recognize contributions made by people who helped this repo. There are many more than this, but I should have started this file years ago. + +* Chris Sandlin [@cssandlin](https://github.com/cssandlin) +* Drewry Morris [@drewry](https://github.com/drewry)
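Review bot: code-of-conduct.md has spelling and agreement errors in the "Here are some examples of unacceptable behavior" list and the acknowledgement list: "genetric information" should be "genetic information", "maritual status" should be "marital status", "providing correction that do not improve" should be "providing corrections that do not improve", and "the stewards reserves the right" should be either "the stewards reserve the right" or "the steward reserves the right" (rules_of_behavior.md uses the singular "the steward reserves", so the two files should agree on which). Also "adherence to the following policies are required" should be "is required".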
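Review bot: in open_practices.md the "Security scanning and review" bullet tells authors to strip sensitive values from the working tree and from commit history but never says that any credential, token or key that has already been committed must be treated as exposed and rotated, even if the repository is never pushed; suggest adding that sentence next to "Make sure that the commit history of your Github repository also doesn't have these things." Smaller fixes in the same file: the 2FA link points at a version-pinned page ("enterprise-server@2.21") that will go stale, so prefer the unversioned docs.github.com URL; the Open Source Checklist line "See for more info on choosing a license." is missing its link target; "your repositories settings" should be "your repository's settings", "moved it's location" should be "moved its location", "support with your setting up project" should be "support with setting up your project"; "Github" and "GitHub" are used interchangeably; and the Reference Links list contains the GSA toolkit twice ("Federal Source Code and Open Source Toolkit" and "Federal Source Code Toolkit" point to the same repository).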
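Review bot: the "Questions to consider before posting information" table in rules_of_behavior.md has no header row or separator line, so GitHub will render the four "| ... | Yes | Do not post. |" rows as literal text rather than a table; add a header such as "| Question | If the answer is | Then |" followed by "| --- | --- | --- |". Also in this file: "use oF GitHub" should be "use of GitHub"; "remove information.This includes" is missing a space after the period; and the bullet "I understand that I must also follow the Rules of Behavior for use of HHS Information Resources." should link to the same hhs-rob.html URL that code-of-conduct.md and this file's own References section already use.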