Version 3720 |
Approved w/Constraints [11, 19, 20, 21] |
Approved w/Constraints [11, 19, 20, 21] |
Approved w/Constraints [11, 19, 20, 22] |
Approved w/Constraints [11, 19, 20, 22] |
Approved w/Constraints [11, 19, 20, 22] |
Approved w/Constraints [11, 19, 20, 23] |
Approved w/Constraints [11, 19, 20, 23] |
Divest [11, 20, 23, 24] |
Divest [11, 23, 25, 26] |
Divest [11, 23, 25, 26] |
Divest [11, 23, 25, 26] |
Divest [11, 23, 25, 27] |
[1] Also, based on the TRM constraints placed on MySQL databases, Neopost LMS can only be used within the VA Intranet and must not be Internet-facing. (See the MySQL database TRM entry for more details.)
As of this writing, this product lists dependencies on an older version of Java that will soon be unsupported by the vendor. Implementations of this product must comply with TRM guidance on Java, including Java versions. See the appropriate Java TRM entry for more details.

[2] In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process.

[3] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security controls must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[4] Due to potential information security risks, cloud-based versions of this product are not permitted without a waiver signed by the Deputy CIO of ASD based upon a recommendation from the Architecture and Engineering Review Board (AERB).
In addition, cloud-based features of this software may not be used without an Enterprise Security Change Control Board (ESCCB) approval to ensure that confidential organization and/or PII/PHI data are not compromised (ref: VA Directive 6004, VA Directive 6517 and VA Directive 6513). Use of public cloud storage requires documented Federal Risk and Authorization Management Program (FedRAMP) compliance and a Memorandum of Understanding / Interconnection Security Agreement (MOU/ISA) between the vendor and VA prior to ESCCB review.

[5] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[6] Because of the TRM constraints on MySQL databases, Neopost WTS can only be used within the VA Intranet and must not be Internet-facing. See the MySQL database TRM entry for more details.
As of this writing, this product lists dependencies on an older version of Java that will soon be unsupported by the vendor. Implementations of this product must comply with TRM guidance on Java, including Java versions. See the appropriate Java TRM entry for more details.

[7] Users must follow the constraints listed in the Initial Product Review (IPR):
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to avoid unauthorized personnel access to VA sensitive data.
- WTS should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a WTS cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such case, VA should clearly define the required security controls and document requirements as listed below:
  - Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
  - Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
  - All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.
[8] Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security controls must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[9] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[10] Due to potential information security risks, cloud-based technologies may not be used without the approval of the VA Enterprise Cloud Services (ECS) Group. This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)
[11] Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[12] Due to potential information security risks, cloud-based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[13] In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517, and VA Directive 6513. The local ISO can advise on the ESCCB review process.

[14] Users must abide by the constraints listed in the Initial Product Review:
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to avoid unauthorized personnel access to VA sensitive data.
- WTS must be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a WTS cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such case, VA must clearly define the required security controls and document requirements as listed below:
  - Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
  - Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
  - All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[15] Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.

[16] Per the Initial Product Review, users must abide by the following constraints:
- Ensure use of a Federal Information Processing Standards (FIPS) 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to avoid unauthorized personnel access to VA sensitive data.
- WTS must be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a WTS cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such case, VA must clearly define the required security controls and document requirements as listed below:
  - Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
  - Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
  - All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[17] This technology must use the latest version of Java Runtime Environment (JRE) - Oracle.
Per the Initial Product Review, users must abide by the following constraints:
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to avoid unauthorized personnel access to VA sensitive data.
- Web Tracking System should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a Web Tracking System cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such case, VA should clearly define the required security controls and document requirements as listed:
  - Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
  - Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
  - All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.
[18] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in, and migration of existing systems to, the VA Enterprise Cloud (VAEC), and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[19] This technology must use the latest version of Java Runtime Environment (JRE) - Oracle.
Per the Initial Product Review, users must abide by the following constraints:
- Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in applications and devices. Database Management Systems (DBMS) used in VA will be encrypted using FIPS 140-2 (or its successor) validated encryption as stated in Section SC-28: Protection of Information at Rest of the VA Handbook 6500. If FIPS 140-2 at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides, as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)".
- Proper adherence to VA server hardening standards / baseline is highly recommended to avoid unauthorized personnel access to VA sensitive data.
- Web Tracking System should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version. It is advised that if future projects require a Web Tracking System cloud-based implementation, it must be deployed utilizing a FedRAMP compliant CSP. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. In such case, VA should clearly define the required security controls and document requirements as listed:
  - Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place, as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
  - Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
  - All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.
Users must ensure that Firefox, Google Chrome, and Microsoft Internet Explorer (IE) are implemented with VA-approved baselines.
This technology must use the latest TRM-approved version of Java Runtime Environment (JRE) - Oracle.

[20] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[21] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in, and migration of existing systems to, the VA Enterprise Cloud (VAEC), and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[22] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in, and migration of existing systems to, the VA Enterprise Cloud (VAEC), and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[23] Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed, contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in, and migration of existing systems to, the VA Enterprise Cloud (VAEC), and for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102.)

[24] This technology must use the latest version of Java Runtime Environment (JRE) - Oracle.
Per the Initial Product Review, users must abide by the following constraints:
- Per vendor statement, WTS uses AES 256 encryption for customer data at rest if the feature is enabled. However, for a premise-based system, if users want to encrypt data in motion, the vendor advises using a self-signed SHA 256 certificate. Both of these appear to comply with Federal Information Processing Standards (FIPS) 140-2 based on the following link: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf. But a protocol analyzer such as Ubiquia does not indicate any specific certification that is FIPS 140-2 supported and will secure communication between client and server. There is no documentation indicating that the product itself is FIPS 140-2 certified.
- There have been several reported vulnerabilities in versions of Oracle MySQL. For example, CVE-2016-5440 states, "Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier, and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: RBR".
- Web Tracking System (WTS) can be implemented as a cloud-based solution. Quadient is not listed as Federal Risk and Authorization Management Program (FedRAMP) authorized, ready, or in-process. Future implementation at VA would require a FedRAMP approved Cloud Service Provider (CSP) from a select list.
This technology must use the latest TRM-approved version of Java Runtime Environment (JRE) - Oracle.

[25] This technology must use the latest TRM-approved version of Java Runtime Environment (JRE) - Oracle.
Users must utilize approved internet browsers, as Microsoft Internet Explorer has reached End of Life status. See Category Tab for details.
Per the Initial Product Review, users must abide by the following constraints:
- WTS will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.
- Microsoft Internet Explorer, a dependency of this technology, is in End-of-Life status and must no longer be used.
- System owners must ensure they are using the most recent version of WTS and only VA approved versions of MySQL.
- Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Digital Transformation Center (DTC), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS or Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by DTC.
[26] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500.

[27] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500.