<Past |
Future> |
4.3.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.1.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.5.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.7.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.9.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.11.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.13.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.15.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.17.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.17.8+ |
Approved w/Constraints [4, 7, 14, 15, 16] |
Approved w/Constraints [4, 7, 14, 15, 16] |
Divest [4, 7, 14, 15, 16] |
Divest [4, 7, 14, 15, 16] |
Divest [4, 7, 14, 15, 16] |
Divest [4, 7, 14, 15, 16] |
Divest [4, 7, 15, 16, 17] |
Divest [4, 7, 15, 16, 17] |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.19.x |
Unapproved |
Unapproved |
Approved w/Constraints [4, 7, 14, 15, 16] |
Approved w/Constraints [4, 7, 14, 15, 16] |
Approved w/Constraints [4, 7, 14, 15, 16] |
Approved w/Constraints [4, 7, 14, 15, 16] |
Divest [4, 7, 15, 16, 17] |
Divest [4, 7, 15, 16, 17] |
Divest [16, 17, 18, 19, 20] |
Divest [16, 17, 18, 19, 20] |
Divest [16, 17, 18, 19, 20] |
Divest [16, 17, 19, 20, 21] |
5.21.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Approved w/Constraints [4, 7, 15, 16, 17] |
Approved w/Constraints [4, 7, 15, 16, 17] |
Approved w/Constraints [16, 17, 18, 19, 20] |
Approved w/Constraints [16, 17, 18, 19, 20] |
Divest [16, 17, 18, 19, 20] |
Divest [16, 17, 19, 20, 21] |
6.1.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Approved w/Constraints [16, 17, 18, 19, 20] |
Approved w/Constraints [16, 17, 19, 20, 21] |
6.3.x |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
| | [1] | The FTP features of this software may not be used as the FTP protocol, which is no longer approved for use on the VA network without a waiver. This product must remain patched to the latest available version to mitigate any possible future security vulnerabilities. | | [2] | The FTP features of this software may not be used as the FTP protocol is no longer approved for use on the VA network without a waiver. | | [3] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [4] | Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note, any attempt by the installation process to install any additional, unrelated software is not approved and the user should take the proper steps to decline those installations. | | [5] | In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance VA Directive 6004 , VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process. | | [6] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | [7] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities. | | [8] | The File Transfer Protocol (FTP) features of this software may not be used as the FTP protocol is no longer approved for use on the VA network without a waiver. See memo: Prohibited Use of File Transfer Protocol (FTP) and Telnet Services (VAIQ 7615193). | | [9] | The File Transfer Protocol (FTP) features of this software may not be used as the FTP protocol is no longer approved for use on the VA network without a waiver. See memo: Prohibited Use of File Transfer Protocol (FTP) and Telnet Services (VAIQ 7615193).
Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP.
When establishing a master password for the WinSCP, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following four (4) categories:
- English upper case characters
- English lower case characters
- Base-10 digits
- Non-alphanumeric special characters. Six of the characters must not occur more than once in the password.
| | [10] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [11] | The File Transfer Protocol (FTP) features of this software may not be used as the FTP protocol is no longer approved for use on the VA network without a waiver. See memo: Prohibited Use of File Transfer Protocol (FTP) and Telnet Services (VAIQ 7615193).
Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP
When establishing a master password for the WinSCP, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following four (4) categories:
- English upper case characters
- English lower case characters
- Base-10 digits
- Non-alphanumeric special characters. Six of the characters must not occur more than once in the password.
| | [12] | The File Transfer Protocol (FTP) features of this software may not be used as the FTP protocol is no longer approved for use on the VA network without a waiver. See memo: Prohibited Use of File Transfer Protocol (FTP) and Telnet Services (VAIQ 7615193).
Ensure use of a Federal Information Processing Standard (FIPS) 140-2 validated cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP
When establishing a master password for the WinSCP, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least eight (8) non-blank characters. They must contain characters from three (3) of the following four (4) categories: - English upper case characters
- English lower case characters
- Base-10 digits
- Non-alphanumeric special characters. Six of the characters must not occur more than once in the password.
| | [13] | The File Transfer Protocol (FTP) features of this software must not be used as the FTP protocol is prohibited for use on the VA network. (For further information see: VA Policy Memo VAIQ 7615193 on Prohibited Use of File Transfer Protocol (FTP) and Telnet Services).
Ensure use of a Federal Information Processing Standard (FIPS) 140-2 validated cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP
When establishing a master password for the WinSCP, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least eight (8) non-blank characters. They must contain characters from three (3) of the following four (4) categories: - English upper case characters
- English lower case characters
- Base-10 digits
- Non-alphanumeric special characters. Six of the characters must not occur more than once in the password.
| | [14] | Per the Initial Product Review, users must abide by the following constraints:
- The File Transfer Protocol (FTP) features of this software must not be used as the FTP protocol is prohibited for use on the VA network. (For further information see: VA Policy Memo VAIQ 7615193 on Prohibited Use of File Transfer Protocol (FTP) and Telnet Services).
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP.
- When establishing a master password for the WinSCP, ensure that VA password requirements are met with regard to length and complexity. Ensure that user passwords meet the mandate required by the VA Handbook 6500. It is advised the device to be tested to meet the minimum password-based complexity for VA as follows:
- Passwords must contain at least:
- fourteen (14) alpha-numeric characters
- one upper and lower case letter
- one special character (ex: ,!@#).
- The product must remain patched, updated and operated in accordance with Federal and Department security and privacy policies and guidelines.
| | [15] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [16] | This technology has received one or more VA security bulletins that provide specific guidance on vulnerability patching and mitigation. It is the responsibility of VA system owners to ensure that the appropriate mitigations are taken to address all known and future discovered vulnerabilities with this product. See the Reference tab for more information on security bulletins related to this product. | | [17] | Per the Initial Product Review, users must abide by the following constraints:
- Ensure use of a FIPS 140-2 certified cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP
- When establishing a master password for the WinSCP, ensure that VA password requirements are met with regard to length and complexity. Ensure that user passwords meet the mandate required by the VA Handbook 6500. It is advised the device to be tested to meet the minimum password-based complexity for VA as follows:
- Password must contain at least 14 non-blank characters.
- Password must contain at least fourteen (14) alpha-numeric characters with upper and lower case, numbers, and special characters (e.g. ,!@#).
- The product must remain patched, updated and operated in accordance with Federal and Department security and privacy policies and guidelines.
The File Transfer Protocol (FTP) features of this software must not be used as the FTP protocol is prohibited for use on the VA network. (For further information see: VA Policy Memo VAIQ 7615193 on Prohibited Use of File Transfer Protocol (FTP) and Telnet Services) | | [18] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | [19] | Users should check with their supervisor, Information System Security Officer (ISSO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note, any attempt by the installation process to install any additional, unrelated software is not approved and the user should take the proper steps to decline those installations. | | [20] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISSO (Information System Security Officer) can provide assistance in reviewing the NIST vulnerabilities. | | [21] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500. |
|
Note: |
At the time of writing, version 6.3.1 is the most current version, released 02/21/2024. |