<Past |
Future> |
5.7.0 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.7.1 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.7.2 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.7.3 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
5.8.x |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
5.9.x |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
Approved w/Constraints [1, 2, 3, 4, 5, 6] |
| | [1] | Per the Initial Product Review/Security Assessment Review, users must abide by the following constraints:
- Net-SNMP will require a 3rd party FIPS 140-2 certified solution or its successor FIPS 140-3 for any data containing PHI/PII or VA sensitive information.
- System owners should use the latest version of this product and monitor both the CVE Details and NIST National Vulnerability Database websites for any new security vulnerabilities.
- SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or
replay attack.
- Net-SNMP downloads are blocked by the VA TIC when obtained from an insecure site. A secure VA provided software repository should only be used when obtaining this software.
| | [2] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500. | | [3] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | [4] | Use of this technology is limited to VA staff charged with ensuring the security of the VA network infrastructure. VA staff performing analysis with this technology need to work closely with system owners and agree on security scanning rules, such as the assets scanned, along the schedule and frequency of those scans. | | [5] | This technology has received one or more VA security bulletins that provide specific guidance on vulnerability patching and mitigation. It is the responsibility of VA system owners to ensure that the appropriate mitigations are taken to address all known and future discovered vulnerabilities with this product. See the Reference tab for more information on security bulletins related to this product. | | [6] | The Federal Information Processing standards (FIPS) 140-2 certification status of this technology was not able to be verified. This technology will require a 3rd party FIPS 140-2 or 140-3 certified solution for any data containing PHI/PII or VA sensitive information, where applicable. More information regarding the Cryptographic Module Validation Program (CMVP) can be found on the NIST website. |
|
Note: |
At the time of writing, version 5.9.4 is the most current version and released 08/15/2023. |