Enterprise 8.0.x |
Approved w/Constraints [1, 3, 6, 7] |
Approved w/Constraints [1, 3, 6, 7] |
Approved w/Constraints [1, 3, 7, 8] |
Approved w/Constraints [3, 7, 8, 9] |
Approved w/Constraints [3, 7, 8, 9] |
Approved w/Constraints [3, 7, 9, 10] |
Approved w/Constraints [3, 7, 9, 10] |
Approved w/Constraints [3, 7, 9, 10] |
Approved w/Constraints [10, 11, 12, 13] |
Approved w/Constraints [10, 11, 12, 13] |
Approved w/Constraints [10, 11, 12, 13] |
Approved w/Constraints [10, 11, 13, 14] |
| | [1] | Configuration and deployment standards for databases and their host server images are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) and must be followed and adhered to unless an appropriate waiver is granted. Detailed information can be found at the following location: https://vaww.sde.portal.va.gov/svcs/sma/BCM/SitePages/Home.aspx VA has Enterprise License Agreements (ELAs) in place for preferred RDBMS technologies (Microsoft SQL Server and Oracle DB). Customers must get their licenses through these channels, not via independent, uncoordinated small procurements. Detailed information can be found at the following location: https://dvagov.sharepoint.com/sites/OITSoftwareCategoryManagement/default.aspx Until VA completes an Enterprise Configuration Baseline, this product may only be used for Intranet applications. Use of this product to store Protected Heath Information (PHI), Personally Identifiable Information (PII) or VA-sensitive information is unapproved until VA develops and approves a security configuration baseline to meet VA`s security requirements for PHI/PII/VA-sensitive information. See the VA baseline website site referenced above for more information. Any use of this product for PHI/PII/VA-sensitive information must be waivered for use. Users of this technology are responsible to document the risk of operating without a VA security baseline in their official risk documentation and have it reviewed by their Information Security Office (ISO). Note: As of this writing, Defense Information Systems Agency (DISA) is in the process of developing a Security Technical Implementation Guide (STIG) for the Enterprise 8.0.x version of the product. Once the STIG is complete, VA has committed to developing a security configuration baseline for that same version and edition of the product. Once the baseline is complete, TRM plans to approve Enterprise 8.0.x for full use following that VA baseline. See the BCM site referenced above for more information. | | [2] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [3] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities. | | [4] | Due to potential information security risks, cloud based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [5] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [6] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [7] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [8] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [9] | At the time of writing, the current standard baseline configuration of this technology supports solely Red Hat Enterprise Linux (RHEL) implementations of this technology. Other operating systems are unapproved for use with this technology.
Configuration and deployment standards for databases and their host server images are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) and must be followed and adhered to unless an appropriate waiver is granted. Detailed information can be found at the following location: https://vaww.sde.portal.va.gov/svcs/sma/BCM/SitePages/Home.aspx
VA has Enterprise License Agreements (ELAs) in place for preferred RDBMS technologies (Microsoft SQL Server and Oracle DB). Customers must get their licenses through these channels, not via independent, uncoordinated small procurements. Detailed information can be found at the following location: https://dvagov.sharepoint.com/sites/OITSoftwareCategoryManagement/default.aspx
Per the Initial Product Review, users must abide by the following constraints:
- The Oracle MySQL v8.0 for Linux - Secure Configuration Baseline must be followed.
- Although there are known vulnerabilities for this technology at this time, it is frequently updated by the vendor. System Owners/Administrators should verify that the latest released version of the software is being used.
| | [10] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [11] | At the time of writing, the current standard baseline configuration of this technology supports solely Red Hat Enterprise Linux (RHEL) implementations of this technology. Other operating systems are unapproved for use with this technology.
Configuration and deployment standards for databases and their host server images are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) and must be followed and adhered to unless an appropriate waiver is granted. Detailed information can be found at the following location: https://vaww.sde.portal.va.gov/svcs/sma/BCM/SitePages/Home.aspx
VA has Enterprise License Agreements (ELAs) in place for preferred RDBMS technologies (Microsoft SQL Server and Oracle DB). Customers must get their licenses through these channels, not via independent, uncoordinated small procurements. Detailed information can be found at the following location: https://dvagov.sharepoint.com/sites/OITSoftwareCategoryManagement/default.aspx | | [12] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | [13] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISSO (Information System Security Officer) can provide assistance in reviewing the NIST vulnerabilities. | | [14] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500. |
|