VA Technical Reference Model v 25.5

The following reference(s) are associated with this entry:

Note: This list may not be complete. No component, listed or unlisted, may be used outside of the technology in which it is released. The usage decision for a component is found in the Decision and Decision Constraints.

• macOS - Authorized w/ Constraints
• Windows Client - Authorized w/ Constraints
• Windows Server - Authorized w/ Constraints

Runtime Dependencies:

• Visual C++ Redistributable Package - Authorized w/ Constraints

Optional Dependencies:

• Microsoft Edge. - Authorized w/ Constraints
• Safari - Authorized w/ Constraints

Comparable Technologies:

• No comparable entries have been identified.

Companion Technologies/Supported Standards:

• Comma-Separated Values (CSV) Format - Authorized
• Hypertext Transfer Protocol (HTTP) - Authorized w/ Constraints
• Open Secure Socket Layer (OpenSSL) - Authorized w/ Constraints
• Virtualization and Consolidation of Servers (Server Virtualize First) - Authorized w/ Constraints

Adoption Benefits

• At the time of writing, no National Institute of Standards and Technology (NIST) vulnerabilities had been reported and no VA Cyber Security Operations Center (CSOC) bulletins had been issued for the latest versions of this technology.
• This is a well-documented technology.
• The use of this technology may help improve the security posture of the organization.

Adoption Risks

• IPR/SAR Adoption Risk - A vulnerability exists because Intrado Location Manager includes/utilizes commercial cloud computing services. An MOU-ISA was completed with the OIS ECSD team, and they stated an ATO is not required for the vendors cloud solution as no VA owned data is being physically stored. The connection is documented in the Enterprise Call Session Control (ECSC) Assessing ATO.
• IPR/SAR Adoption Risk - A vulnerability exists because, Intrado Location Manager uses Open-Source Software (OSS) and OpenSSL. To mitigate, OSS may be used if there is adequate maintenance and support. As a condition of certification, Sponsor/Software admin personnel shall maintain and monitor the distribution of all OSS. The software shall be physically stored in Sponsor/Software admin software library for quality control.
• IPR/SAR Adoption Risk - A vulnerability exists because Intrado Location Manager uses the following additional dependencies with multiple published vulnerabilities. To mitigate, System owners should use the latest version of the products and monitor both the Common Vulnerabilities Exposure (CVE) Details and NIST National Vulnerability Database (NVD) websites for any new security vulnerabilities.
• IPR/SAR Adoption Risk - Intrado Location Manager has the potential to utilize Artificial Intelligence (AI). To mitigate, the use of AI is increasing, and guidance is still developing. Users must check the most recent VA guidance before using AI technologies and solutions. Consideration should be given to the source of any initial data for the AI tool, if any VA data will be collected and ingested into the data set, where that data will be stored, and what rights the VA has to that data. “No web-based, publicly available generative AI service has been approved for use with VA-sensitive data. Examples of these include OpenAI’s ChatGPT and GPT4, Google’s Bard, Anthropic’s Claude, and Microsoft’s new Bing. VA follows existing federal requirements and processes to ensure VA data is protected. When users enter information into an unapproved web-based tool, VA loses control of the data.
• This technology may transmit data over the VA Wide Area Network (WAN).
• There is no indication based on either the vendor documentation or the Cryptographic Module Validation Program (CMVP) that this technology is Federal Information Processing Standard (FIPS) 140-2 compliant.
• The potential exists to store Personally Identifiable Information (PII), Protected Health Information (PHI) and/or VA Sensitive data and proper security standards must be followed in these cases.
• Due to the rapid release schedule of this technology, the VA may be unable to update to the most recent patch and may require a deployment model requiring the use of specific versions.
• The technology requires the purchase of licenses from vendor, which could potentially lead to vendor lock-in.
• The potential of vendor lock exists when utilizing proprietary vendor technology.

Architectural Benefits

• This technology is portable as it runs on multiple TRM-authorized operating systems.
• This technology is compatible with virtual machines, therefore consistent with the enterprise Server Virtualize First Policy (VAIQ 7266972 08-27-2012).

Architectural Risks

• This technology includes cloud-based functionality which has potential information security risks.