7.x |
Approved w/Constraints [2, 12, 13, 14] |
Approved w/Constraints [2, 12, 13, 14] |
Approved w/Constraints [2, 12, 13, 14] |
Approved w/Constraints [2, 12, 13, 15] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
Approved w/Constraints [2, 13, 15, 16] |
| | [1] | Security Engineering (SE) conducted a pre-assessment and security requirements verification of Aeonix Contact Center (ACC). If this product is used within the Department of Veterans Affairs (VA), it is advised that the following constraints be applied:
1. VA requires Federal Information Processing Standards (FIPS) 140-2 compliance for data at rest or in transit.
2. Currently, the VA-approved file sharing and collaboration solution is Microsoft Lync/Skype, which may include capabilities for mobile device integration. It is important to reach out for guidance from pertinent teams within the Office of Information Technology (OI&T), specifically the Architecture Strategy and Design (ASD) team to ensure new product selections are aligned with VA technology directions.
3. ACC should be configured to meet all VA password requirements with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters.
4. ACC should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version or a third-party cloud.
a) Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
b) Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
IPR - Aeonix Contact Center November 13, 2017 For Internal VA Use Only Page 5 of 9.
c) All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance. | | [2] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | [3] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [4] | Security Engineering (SE) conducted a pre-assessment and security requirements verification of Aeonix Contact Center (ACC). If this product is used within the Department of Veterans Affairs (VA), it is advised that the following constraints be applied:
1. VA requires Federal Information Processing Standards (FIPS) 140-2 compliance for data at rest or in transit.
2. Currently, the VA-approved file sharing and collaboration solution is Microsoft Lync/Skype, which may include capabilities for mobile device integration. It is important to reach out for guidance from pertinent teams within the Office of Information Technology (OI&T), specifically the Architecture Strategy and Design (ASD) team to ensure new product selections are aligned with VA technology directions.
3. ACC should be configured to meet all VA password requirements with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters.
4. ACC should be deployed locally (on-premise) on customer-owned and managed servers (i.e., VA servers), rather than as its cloud-based version or a third-party cloud.
a) Complete a Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) for the external connection to take place as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections.
b) Develop a document that summarizes security control ownership and indicates which controls are owned and managed by the Cloud Service Provider (CSP), and which controls are owned and managed by VA.
c) All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance. | | [5] | Per the Initial Product Review, users must abide by the following constraints:
VA requires Federal Information Processing Standards (FIPS) 140-2 compliance for data at rest or in transit.
Currently, the VA-approved file sharing and collaboration solution is Microsoft Lync/Skype, which may include capabilities for mobile device integration. It is important to reach out for guidance from pertinent teams within the Office of Information Technology (OI&T), specifically the Architecture Strategy and Design (ASD) team to ensure new product selections are aligned with VA technology directions. In addition, to ensure the solution can be integrated.
ACC should be configured to meet all VA password requirements with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following four (4) categories: English upper-case characters; English lower-case characters; Base-10 digits; and Non-alphanumeric special characters. Six of the characters must not occur more than once in the password. It is strongly advisable that users should not use VA credentials or weak passwords to non-VA IT systems and vice versa.
Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Project Special Forces (PSF), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS/Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by PSF. | | [6] | Due to potential information security risks, cloud based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [7] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [8] | Per the Initial Product Review, users must abide by the following constraints:
- VA requires Federal Information Processing Standards (FIPS) 140-2 compliance for data at rest or in transit.
- The VA should only consider technologies if currently approved solutions do not meet VA needs or requirements.
- ACC should be configured to meet all VA password requirements with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 14 non-blank characters. They must contain characters from three (3) of the following four (4) categories:
English upper-case characters; English lower-case characters; Base-14 digits; and, Non-alphanumeric special characters. Six of the characters must not occur more than once in the password. It is strongly advisable that users should not use VA credentials or weak passwords to non-VA IT systems and vice versa.
- Due to potential information security risks, Software as a Service (SaaS)/Platform as a Service (PaaS) solutions must complete the Veterans-Focused Integration Process Request (VIPR) process where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Project Special Forces (PSF), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS/Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by PSF.
| | [9] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [10] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [11] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [12] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [13] | Per the Initial Product Review, users must abide by the following constraints:
- Aeonix Contact Center will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.
- The VA should only consider technologies if currently approved solutions do not meet VA needs or requirements.
- ACC should be configured to meet all VA password requirements with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 14 non-blank characters. They must contain characters from three (3) of the following four (4) categories:
- English upper-case characters
- English lower-case characters
- Base-14 digits
- Non-alphanumeric special characters
Six of the characters must not occur more than once in the password. It is strongly advisable that users should not use VA credentials or weak passwords to non-VA IT systems and vice versa.
- Due to potential information security risks, SaaS/PaaS solutions must complete the Veterans-Focused Integration Process Request (VIPR) process where a collaborative effort between Demand Management (DM), Enterprise Program Management Office Information Assurance (EPMO IA), Digital Transformation Center (DTC), Enterprise Cloud Solutions Office (ECSO), Chief Technology Officer (CTO), and stakeholders determines the SaaS/PaaS category during the Discovery Phase. All SaaS and Non-AWS or Azure (VAEC) PaaS assets are routed to EPMO IA for Analysis and Approval to Operate (ATO) with technical oversight, acquisition, production, and sustainment provided by DTC.
| | [14] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | [15] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500. | | [16] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request, visit the Product Marketplace.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). |
|