<Past | Future> |
2.6.x | Unapproved | Approved w/Constraints [1, 2, 3, 4] | Approved w/Constraints [1, 2, 3, 4] | Approved w/Constraints [1, 4, 5, 6] | Approved w/Constraints [1, 4, 5, 6] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 8] | Approved w/Constraints [4, 5, 6, 8] | Divest [4, 5, 6, 8] |
3.2.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 7] | Approved w/Constraints [4, 5, 6, 8] | Approved w/Constraints [4, 5, 6, 8] | Approved w/Constraints [4, 5, 6, 8] |
3.3.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
4.1.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
[1] | System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not possible technically, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (F[D]E) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[2] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[3] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[4] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[5] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[6] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), "FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS)", and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[7] | System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not possible technically, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (F[D]E) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

[8] | System operators or administrators initiating Eagle6 must have robust credentials to prevent rogue, unauthorized, or casual access. Separation of duties and continuous auditing procedures are necessary to mitigate chances of these types of occurrences.
The Neo4j graphical database stores network trace data that could be considered VA sensitive information. Ensure use of a FIPS 140-2 validated cryptographic module to secure VA sensitive data in the Neo4j graphical database. As stated in VA Handbook 6500 section SC-28: Protection of Information at Rest, protections must be in place for VA information to be encrypted using FIPS 140-2 validated encryption (or its successor). If FIPS 140-2 at the application level is not possible technically, FIPS 140-2 compliant full disk encryption (FDE) must be implemented at the hard drive where the DBMS resides as stated in the May 5, 2015 memo from the VA Deputy Assistant Secretary for Information Security titled "FIPS 140-2 Validated Full Disk Encryption (F[D]E) for Data at Rest in Database Management Systems (DBMS)". Unauthorized applications must not be installed or used on the VA network unless a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the Strategic Technology Alignment Team (STAT), has been granted to the project team or organization that wishes to use the technology. It is noted that data stored in Neo4j is frequently purged since enterprise data can quickly become overwhelming and bog down the response time of trace queries. The frequency of this data purging activity could be a factor in granting a waiver.
Eagle6 must be deployed locally (on-premises) on VA owned and managed servers. The requester for review of this product has voluntarily self-imposed such a constraint in its TRM submission. If future Eagle6 projects require outside Internet connections, a FedRAMP compliant CSP must be utilized. The FedRAMP approved impact level of the cloud service must be in compliance with VA requirements for the system being leveraged. If the cloud solution is used to satisfy a VA mission requirement, VA must clearly define the required security controls and document them in a VA approved Memorandum of Understanding and Interconnection Security Agreement (MOU/ISA) contract and other VA approved agreements (e.g., Data Use Agreement) as stated in VA Handbook 6500 and VA Directive 6513 - Secure External Connections. Further, only CSPs that have been approved TIC 2.0 compliant may be used within VA. All traffic to and from the CSP must traverse the VA Trusted Internet Connection (TIC) gateway. TIC compliance is a shared responsibility between the CSP and VA. The CSP is required to provide an architecture that supports TIC while VA enforces TIC routing and compliance.

Note: At the time of writing, version 4.1 is the most current version.