3.3.x |
Divest [3, 10, 12, 13, 14] |
Divest [3, 10, 12, 13, 14] |
Divest [3, 10, 12, 13, 15] |
Divest [3, 10, 12, 13, 15] |
Unapproved |
Unapproved |
Approved w/Constraints [1, 3, 12, 13, 16, 17, 18, 19] |
Approved w/Constraints [1, 3, 12, 13, 16, 17, 18, 19] |
Approved w/Constraints [1, 3, 16, 17, 18, 19, 20, 21] |
Approved w/Constraints [1, 3, 16, 17, 18, 19, 20, 21] |
Divest [3, 16, 18, 20, 21, 22, 23] |
Divest [3, 16, 18, 20, 22, 23, 24] |
[1] This Technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population.

[2] System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[3] Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[4] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[5] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[6] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[7] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[8] System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[9] System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[10] Users must ensure that Oracle database is implemented within VA-approved baselines.
Per the Initial Product Review, users must abide by the following constraints:
1. System operators or administrators initiating the Eagle6 MUMPS scanner must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
2. The Neo4J graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4J graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)". VA utilizes the risk-based decision process defined in the VA POA&M Management Guide and Accreditation Requirement Guide in accordance with VA Handbook 6500 - Risk Management Framework for VA Information Systems - Tier 3: VA Information Security Program. Please reach out to your ISSO, ISO and SS for pre-existing systems to enter a high or higher POA&M for the "TRM Unapproved technology".
3. Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process, where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Project Special Forces (PSF), Enterprise Cloud Solution Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS/Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by PSF.
4. The product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines.
5. It is a requirement that VA sensitive data be properly protected in accordance with VA Handbook 6500, Federal Information Security Management Act (FISMA), and Federal Information Processing Standards (FIPS) 140-2.
6. In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that should be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA, government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101 (d) policy ensuring the use of common security configuration checklists in the management of risk.
Based on the IPR findings from Security Engineering and pending required VA security policy guidance from OIS DevSecOps on container and orchestrator technology, Docker is only approved for Development and Test systems usage. Production system use of Docker is considered TRM unapproved and must have an approved TRM waiver (see TRM FAQ #53) to accept the risks of using this technology in production without required policy and configuration standards. This constraint will be revisited after VA determines relevant policy and creates configuration standard(s). See the reference section and the Baseline Configuration Management website for more information: https://vaww.vashare.oit.va.gov/sites/itops/svcs/sma/BCM/Pages/BCM.aspx

[11] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102).

[12] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[13] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[14] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102).

[15] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102).

[16] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102).

[17] Users must ensure that Apache Tomcat and My Structured Query Language (MySQL) Database - Commercial Editions are implemented with VA-approved baselines. (Refer to the 'Category' tab under 'Runtime Dependencies'.)
Per the Initial Product Review, users must abide by the following constraints:
1. System operators or administrators initiating EAGLE6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
2. This technology or standard can be used only if a POA&M review is conducted and signed by the Authorizing Official Designated Representative (AODR) as designated by the Authorizing Official (AO) or designee and, based upon a recommendation from the POA&M Compliance Enforcement, has been granted to the project team or organization that wishes to use the technology.
3. System administrators must ensure that they are using an approved version of Kafka.
4. EAGLE6 will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.
5. Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process, where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Digital Transformation Center (DTC), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS or Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by DTC.

[18] If this product uses a MySQL database, the product must be configured with a commercial edition of the MySQL Database, which currently has TRM constraints limiting its use to intranet and non-sensitive data only due to its many known security issues. If a commercial edition of MySQL is selected for use with this product, these factors must be considered, especially when an instance of this product will be considered a Moderate or High-Risk system. See the MySQL Database - Commercial Edition TRM entry for more details.

[19] This Technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. Contact your local CIO office if more information is needed in regards to the use of this technology.

[20] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information System Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[21] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500.

[22] Users must ensure that Apache Tomcat and My Structured Query Language (MySQL) Database - Commercial Editions are implemented with VA-approved baselines. (Refer to the 'Category' tab under 'Runtime Dependencies'.)
Per the Initial Product Review, users must abide by the following constraints:
- System owners/administrators initiating EAGLE6 must utilize VA approved multifactor authentication methods to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
- System owners/administrators must ensure MariaDB is set up as a managed component of EAGLE6. Vendor documentation states "MariaDB is managed as a component of the Eagle6 application - e.g., no logical/physical access for a DB admin to create user accounts".
- System administrators must ensure that they are using an approved version of Apache Kafka.
- EAGLE6 will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.
- Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process, where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Digital Transformation Center (DTC), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS or Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by DTC.
- EAGLE6 must be used with a VA approved container platform (e.g. Red Hat OpenShift) that has a Secure Configuration Baseline, consisting of specific hardening guidance regarding the secure implementation of EAGLE6. Please reference the TRM for approved container orchestration solutions and the Baseline Configuration Management website for more information.

[23] The Federal Information Processing Standards (FIPS) 140-2 certification status of this technology was not able to be verified. This technology will require a 3rd party FIPS 140-2 or 140-3 certified solution for any data containing PHI/PII or VA sensitive information, where applicable. More information regarding the Cryptographic Module Validation Program (CMVP) can be found on the NIST website.

[24] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500.