[1] This technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population.

[2] Enterprise Security Solutions Services (ESSS) conducted a pre-assessment and security requirements verification of PuTTY-CAC. It is advised that if this product is used within the Department of Veterans Affairs (VA), the following constraints be applied:
Terminal emulation software is used to access and manage IT resources, such as servers and networking devices, which contain sensitive information. All internal servers will use FIPS 140-2 (or its successor) validated server certificates for inter-server and server-to-user communications, as stated in VA Handbook 6500, IA-3: Device Identification and Authentication control. In the event this product is used within VA due to a specific mission requirement, a Risk Based Decision (RBD) must be submitted through the established VA process for approval.
System owners should consider conducting a security review and audit of the PuTTY-CAC source code to ensure that otherwise unknown vulnerabilities, if any exist, are addressed or mitigated. In addition, system owners should make every effort to use Attachmate, the VA standard emulation software, if technically possible.

[3] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[4] Due to security vulnerabilities identified by the National Institute of Standards and Technology (NIST), extra vigilance should be applied to ensure the deployed versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.

[5] Enterprise Security Solutions Services (ESSS) conducted a pre-assessment and security requirements verification of PuTTY-CAC. It is advised that if this product is used within the Department of Veterans Affairs (VA), the following constraints be applied:
Terminal emulation software is used to access and manage IT resources, such as servers and networking devices, which contain sensitive information. All internal servers will use Federal Information Processing Standard (FIPS) 140-2 (or its successor) validated server certificates for inter-server and server-to-user communications, as stated in VA Handbook 6500, IA-3: Device Identification and Authentication control. In the event this product is used within VA due to a specific mission requirement, a Risk Based Decision (RBD) must be submitted through the established VA process for approval.
System owners must conduct a security review and audit of the PuTTY-CAC source code to ensure that otherwise unknown vulnerabilities, if any exist, are addressed or mitigated. In addition, system owners must make every effort to use Attachmate, the VA standard emulation software, if technically possible.

[6] Enterprise Security Solutions Services (ESSS) conducted a pre-assessment and security requirements verification of PuTTY-CAC. It is advised that if this product is used within the Department of Veterans Affairs (VA), the following constraints be applied:
Terminal emulation software is used to access and manage IT resources, such as servers and networking devices, which contain sensitive information. All internal servers will use Federal Information Processing Standard (FIPS) 140-2 (or its successor) validated server certificates for inter-server and server-to-user communications, as stated in VA Handbook 6500, IA-3: Device Identification and Authentication control.
System owners must conduct a security review and audit of the PuTTY-CAC source code to ensure that otherwise unknown vulnerabilities, if any exist, are addressed or mitigated. In addition, system owners must make every effort to use Attachmate, the VA standard emulation software, if technically possible.

[7] Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note that any attempt by the installation process to install any additional, unrelated software is not approved, and the user should take the proper steps to decline those installations.

[8] This technology should only be used when required by a Veterans Affairs (VA) business partner for an approved VA Project. Use of this technology must comply with ESCCB requirements, which include: signed Interconnection Agreements/Memorandum of Understanding agreements (MOU/ISA) with each external business partner, compliance with VA Handbook 6500, and implementation of the appropriate National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) requirements for all devices interacting with this technology. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. As of January 27th, 2017, Risk-based Decisions (RBD) will be handled per VAIQ # 7769667. In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517 and VA Directive 6513. The local ISO can advise on the ESCCB review process and ensure privacy of information compliance protections are in place.

[9] Version .74 is approved only for test and evaluation while the required baseline and/or hardening guide and other steps that are required for full production use in the Initial Product Review (IPR) are completed. More information follows and is in the referenced IPR.
In collaboration with Information Security Operations and Services (ITOPS), the ISSE team recommends the following to address risks associated with PuTTY-CAC; these are needed for full TRM production approval:
• Development of a clear policy on the use of open source software should be prioritized to rein in issues related to open source vulnerability management or incompatible licenses.
• Ownership for the review, version management, configuration, and usage tracking of the software needs to be identified.
• The responsible entity will ensure only approved packages are installed, and will collaborate with other teams to address any other security-related issues.
• A hardening guide/instructions or training on the proper installation and configuration of PuTTY-CAC should be developed and maintained.
• Keep a complete and accurate inventory of PuTTY-CAC software and provide an authoritative source for downloading approved versions.
• Restrict requests to whitelist open source software in TRM to authorized personnel with a business justification for its use within the enterprise.
• Ensure patches to PuTTY are managed in accordance with VA enterprise patch management processes.
• Prohibit the use of traditional PuTTY, which does not use PIV keys.

[11] In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process.

[12] Configuration baseline and deployment standards for this technology that are maintained by Infrastructure Operations in ITOPS must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.
Users must only use the versions that have been approved via the IPR or Baseline. Any version prior to the latest approved version is unapproved and should not be used.

[16] Configuration baseline and deployment standards for this technology that are maintained by Infrastructure Operations in ITOPS must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.
Only the versions that have been approved via the IPR or Hardening Guide shall be used. See the reference section for information.

[17] Per the Initial Product Review, users must abide by the following constraints:
- PuTTY-CAC will require use of FIPS 140-2 (or its successor) certified encryption for network communication where applicable.
- Solution Delivery Business Systems Engineering has created a hardening guide for PuTTY-CAC, which must be used to configure the product:
https://vaww.vashare.oit.va.gov/sites/itops/svcs/sma/BCM/Supporting_Documents/Putty-CAC%20Security%20Hardening%20Guide.pdf#search=putty
- PuTTY-CAC is open source software which may not include vendor support. It is imperative that the product be obtained from trusted sources. This product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines.