Version 3146 | Approved w/Constraints [1, 2, 3, 4, 5] | Approved w/Constraints [4, 5, 6] | Approved w/Constraints [4, 5, 6] | Divest [4, 5, 6] | Divest [4, 5, 6] | Divest [4, 5, 6] | Divest | Divest [2, 7, 8, 9, 10, 11] | Divest [7, 8, 9, 11, 12, 13] | Unapproved | Unapproved | Unapproved |
Version 3523 | Unapproved | Approved w/Constraints [4, 5, 6] | Approved w/Constraints [4, 5, 6] | Approved w/Constraints [4, 5, 6] | Approved w/Constraints [4, 5, 6] | Approved w/Constraints [4, 5, 6] | Divest | Approved w/Constraints [2, 7, 8, 9, 10, 11] | Approved w/Constraints [7, 8, 9, 11, 12, 13] | Divest [7, 8, 9, 11, 12, 13] | Divest [8, 9, 12, 14, 15] | Divest [8, 9, 12, 14, 15] |
Version 3720 | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Approved w/Constraints [2, 7, 8, 9, 10, 11] | Approved w/Constraints [7, 8, 9, 11, 12, 13] | Approved w/Constraints [7, 8, 9, 11, 12, 13] | Approved w/Constraints [8, 9, 12, 14, 15] | Approved w/Constraints [8, 9, 12, 14, 15] |
Version 2.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
[1] Also, based on the TRM constraints placed on MySQL databases, Neopost LMS can only be used within the VA Intranet and must not be Internet-facing. (See the MySQL database TRM entry for more details.)
As of this writing, this product lists dependencies on an older version of Java that will soon be unsupported by the vendor. Implementations of this product must comply with TRM guidance on Java, including Java versions. See the appropriate Java TRM entry for more details.

[2] In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process.

[3] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security controls must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[4] Due to potential information security risks, cloud based versions of this product are not permitted without a waiver signed by the Deputy CIO of ASD based upon a recommendation from the Architecture and Engineering Review Board (AERB).
In addition, cloud based features of this software may not be used without an Enterprise Security Change Control Board (ESCCB) approval to ensure that confidential organization and/or PII/PHI data are not compromised (ref: VA Directive 6004, VA Directive 6517 and VA Directive 6513). Use of public cloud storage requires documented Federal Risk and Authorization Management Program (FedRAMP) compliance and a Memorandum of Understanding / Interconnection Security Agreement (MOU/ISA) between the vendor and VA prior to ESCCB review.

[5] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[6] Because of the TRM constraints on MySQL databases, Neopost WTS can only be used within the VA Intranet and must not be Internet-facing. See the MySQL database TRM entry for more details.
As of this writing, this product lists dependencies on an older version of Java that will soon be unsupported by the vendor. Implementations of this product must comply with TRM guidance on Java, including Java versions. See the appropriate Java TRM entry for more details.

[7] Users must follow the constraints listed in the Initial Product Review (IPR):
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to prevent unauthorized personnel from accessing VA sensitive data.
- WTS should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a WTS cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such a case, VA should clearly define the required security controls and document requirements as listed below:
- Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
- Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
- All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC, while VA enforces TIC routing and compliance.
[8] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security controls must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[9] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[10] Due to potential information security risks, cloud based technologies may not be used without the approval of the VA Enterprise Cloud Services (ECS) Group. This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[11] Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[12] Due to potential information security risks, cloud based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[13] In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process.

[14] Users must abide by the constraints listed in the Initial Product Review:
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to prevent unauthorized personnel from accessing VA sensitive data.
- WTS must be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a WTS cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such a case, VA must clearly define the required security controls and document requirements as listed below.
- Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
- Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
- All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC, while VA enforces TIC routing and compliance.

[15] Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.
Note: At the time of writing, the vendor confirmed that 2.79 is the latest version, released 02/28/2023. Please note that the versioning schema has changed due to an acquisition.