| 2.x |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
Approved w/Constraints
[4, 17, 18, 19, 20] |
| | | | [1] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [2] | Security Engineering (SE) conducted a pre-assessment and security requirements verification of EMDAT ShadowLink. It is advised that if this product is used within the Department of Veterans Affairs (VA) that the following constraints be applied:
- Ensure use of a FIPS 140-2 validated cryptographic module leveraged off of systems interfacing with EMDAT. Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), `FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)`, and in accordance with Federal requirements and VA policy specified in VA Handbook 6500 SC 28: Protection of Information at Rest, system owners must ensure that FIPS 140-2 compliant encryption is employed at all times.
- Caution must be exercised to enforce user access and security levels for least privilege and appropriate separation of duties to maintain patients` privacy and security of PHI. Authentication mechanism must utilize two-factor Authentication (2FA) in accordance with VA Handbook 6500.
| | | [3] | Due to potential information security risks, cloud based technologies may not be used without an Enterprise Security Change Control Board (ESCCB) approval. This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [4] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | | [5] | Due to potential information security risks, cloud based technologies may not be used without the approval of the VA Enterprise Cloud Services (ECS) Group. This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [6] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [7] | Due to potential information security risks, cloud based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [8] | The Secure Sockets Layer (SSL) standard must not be used with this technology. Other comparable approved TRM standards must be used in place of SSL.
Per the Initial Product Review, the following constraints must be followed:
Ensure use of a FIPS 140-2 validated cryptographic module leveraged off of systems interfacing with EMDAT. Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), `FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)`, and in accordance with Federal requirements and VA policy specified in VA Handbook 6500 SC 28: Protection of Information at Rest, system owners must ensure that FIPS 140-2 compliant encryption is employed at all times.
Caution must be exercised to enforce user access and security levels for least privilege and appropriate separation of duties to maintain patients` privacy and security of PHI. Authentication mechanism must utilize two-factor Authentication (2FA) in accordance with VA Handbook 6500.
If EMDAT is deployed as a cloud solution SaaS requiring outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.
In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that should be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA, government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101(d) policy ensuring the use of common security configuration checklists in the management of risk.
| | | [9] | The Secure Sockets Layer (SSL) standard must not be used with this technology. Other comparable approved TRM standards must be used in place of SSL.
Per the Initial Product Review, the following constraints must be followed:
Ensure use of a FIPS 140-2 validated cryptographic module leveraged off of systems interfacing with EMDAT. Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), `FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS)`, and in accordance with Federal requirements and VA policy specified in VA Handbook 6500 SC 28: Protection of Information at Rest, system owners must ensure that FIPS 140-2 compliant encryption is employed at all times.
Caution must be exercised to enforce user access and security levels for least privilege and appropriate separation of duties to maintain patients` privacy and security of PHI. Authentication mechanism must utilize two-factor Authentication (2FA) in accordance with VA Handbook 6500.
If EMDAT is deployed as a cloud solution SaaS requiring outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.
In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that should be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA, government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101(d) policy ensuring the use of common security configuration checklists in the management of risk.
| | | [10] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [11] | Users much ensure that Microsoft .NET Framework and Microsoft Internet Explorer are implemented with VA-approved baselines. (refer to the ‘Category’ tab under ‘Runtime Dependencies’)
Per the Initial Product Review (IPR):
Ensure use of a FIPS 140-2 validated cryptographic module is leveraged from systems interfacing with EMDAT.
Caution must be exercised to enforce user access and security levels for least privilege and appropriate separation of duties to maintain patients’ privacy and security of PHI. Authentication mechanism must utilize two-factor Authentication (2FA) in accordance with VA Handbook 6500.
If EMDAT is deployed as a cloud solution SaaS requiring outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Project Special Forces (PSF), Enterprise
Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS/Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by PSF. | | | [12] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [13] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [14] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [15] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [16] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | | [17] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500. | | | [18] | Per the Initial Product Review (IPR):
- EMDAT ShadowLink will require a 3rd party FIPS 140-2 (or its successor)
certified solution for any data containing PHI/PII or VA sensitive information.
- Caution must be exercised to enforce user access and security levels for least privilege and appropriate separation of duties to maintain patients’ privacy and security of PHI. Authentication mechanism must utilize two-factor Authentication (2FA) in accordance with VA Handbook 6500.
-
Due to potential information security risks, SaaS/PaaS solutions must complete
the Veterans-Focused Integration Process Request (VIPR) process where a
collaborative effort between Demand Management (DM), Enterprise Program
Management Office Information Assurance (EPMO IA), Digital Transformation
Center (DTC), Enterprise Cloud Solutions Office (ECSO), Chief Technology
Officer (CTO), and stakeholders determines the SaaS/PaaS category during
the Discovery Phase. All SaaS and Non-AWS or Azure (VAEC) PaaS assets
are routed to EPMO IA for Analysis and Approval to Operate (ATO) with
technical oversight, acquisition, production, and sustainment provided by DTC.
| | | [19] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request, visit the Product Marketplace.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [20] | The Federal Information Processing standards (FIPS) 140-2 certification status of this technology was not able to be verified. This technology will require a 3rd party FIPS 140-2 or 140-3 certified solution for any data containing PHI/PII or VA sensitive information, where applicable. More information regarding the Cryptographic Module Validation Program (CMVP) can be found on the NIST website. |
|
