Decision status by release series, shown from past (left) to future (right):

| Version | 1 (past) | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 (future) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4.3.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.1.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.5.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.7.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.9.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.11.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.13.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.15.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.17.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.17.8+ | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.19.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 5.21.x | DIVEST [16, 17, 19, 20, 21, 22] | DIVEST [16, 17, 19, 20, 21, 22] | DIVEST [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (DIVEST) [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 6.1.x | DIVEST [16, 17, 19, 20, 21, 22] | DIVEST [16, 17, 19, 20, 21, 22] | DIVEST [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (DIVEST) [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (DIVEST) [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) |
| 6.3.x | Approved w/Constraints [16, 17, 19, 20, 21, 22] | Approved w/Constraints [16, 17, 19, 20, 21, 22] | Approved w/Constraints [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints [16, 17, 19, 20, 21, 22] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (DIVEST) [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints (POA&M) |
| 6.5.x | Unapproved | Unapproved | Unapproved | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints (POA&M) | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] | Authorized w/ Constraints [16, 19, 20, 21, 22, 23] |
Note: At the time of writing, version 6.5 is the most current version, released 03/31/2025.

[16] This technology has received one or more VA security bulletins that provide specific guidance on vulnerability patching and mitigation. It is the responsibility of VA system owners to ensure that the appropriate mitigations are taken to address all known and future discovered vulnerabilities with this product. See the Reference tab for more information on security bulletins related to this product.

[17] Per the Initial Product Review, users must abide by the following constraints:
- Ensure use of a FIPS 140-2 certified cryptographic module to secure VA sensitive data in applications and devices that utilize WinSCP.
- When establishing a master password for WinSCP, ensure that VA password requirements are met with regard to length and complexity. Ensure that user passwords meet the mandate required by VA Handbook 6500. It is advised that the device be tested to meet the minimum password-based complexity for VA as follows:
  - Password must contain at least 14 non-blank characters.
  - Password must contain at least fourteen (14) alphanumeric characters with upper and lower case letters, numbers, and special characters (e.g., !@#).
- The product must remain patched, updated and operated in accordance with Federal and Department security and privacy policies and guidelines.

The File Transfer Protocol (FTP) features of this software must not be used, as the FTP protocol is prohibited for use on the VA network. (For further information see: VA Policy Memo VAIQ 7615193 on Prohibited Use of File Transfer Protocol (FTP) and Telnet Services.)

[19] Users should check with their supervisor, Information System Security Officer (ISSO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note that any attempt by the installation process to install any additional, unrelated software is not authorized, and the user should take the proper steps to decline those installations.

[20] Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISSO (Information System Security Officer) can provide assistance in reviewing the NIST vulnerabilities.

[21] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with both VA Handbook 6500 and VA Directive 6500.

[22] The Federal Information Processing Standards (FIPS) 140-2 certification status of this technology was not able to be verified. This technology will require a 3rd party FIPS 140-2 or 140-3 certified solution for any data containing PHI/PII or VA sensitive information, where applicable. More information regarding the Cryptographic Module Validation Program (CMVP) can be found on the NIST website.

[23] The File Transfer Protocol (FTP) features of this software must not be used, as the FTP protocol is unauthorized for use on the VA network. (For further information see: VA Policy Memo VAIQ 7615193 on Prohibited Use of File Transfer Protocol (FTP) and Telnet Services.)

Users must not utilize the Secure Sockets Layer (SSL) protocol, as it requires a POA&M.

Users must not utilize PuTTY, as it, at the time of writing, requires a POA&M.

Per the Security Assessment Review, users must abide by the following constraints:
- A vulnerability exists because WinSCP has the ability to generate session URL/code where the user ID and password can be saved in plain text for use in scripting connections. To mitigate, administrators shall instruct users to never generate scripts with authentication credentials stored in plain text. More information on protecting credentials used for automation can be found on the vendor's website at the address listed below: https://winscp.net/eng/docs/guide_protecting_credentials_for_automation
- A vulnerability exists because WinSCP has the option under Preferences/Updates to "allow anonymous usage statistics" that is enabled by default. To mitigate, administrators must ensure that they uncheck the box to allow anonymous usage statistics before using the application.
- A vulnerability exists because WinSCP v6.x utilizes commercial cloud computing services. To mitigate, the ISSO shall educate and prohibit users from using the integrated cloud service capability until the VA Cloud Security Requirements have been met and the affected A&A package has been appropriately updated.
- A vulnerability exists because WinSCP version 6.x provides automatic/user configurable checks for updates. To mitigate, the administrator shall control the versioning of WinSCP version 6.x software and not allow users to install unapproved versions. To disable, set the Automatic update period to Never.
- A vulnerability exists because WinSCP has the ability to use the FTP protocol, which was prohibited within the VA effective January 1, 2016. To mitigate, the administrator shall instruct users to only utilize protocols that offer encryption for data in transit or configure the application to disable insecure protocols and force encryption (i.e. SFTP 22/tcp, SCP 22/tcp, FTP-TLS 990/tcp, HTTPS 443/tcp).
- A vulnerability exists because WinSCP installs PuTTY SSH authentication agent and PuTTY key generation utility v0.78, which are unapproved on the VA TRM. To mitigate, the VA enterprise approved solution, Reflection FTP Client, should be used. WinSCP may only be used if a POA&M review is conducted and signed by the Authorizing Official Designated Representative (AODR) as designated by the Authorizing Official (AO) or designee and, based upon a recommendation from the POA&M Compliance Enforcement, has been granted to the project team or organization that wishes to use the technology.
- A vulnerability exists because WinSCP v6.x is Open Source Software (OSS). To mitigate, WinSCP v6.x must be included on the list of applications for continuous monitoring for published vulnerabilities, updates, and patches.
- A vulnerability exists because WinSCP version 6.x saved passwords are stored in a manner that they can be easily recovered. It is not possible to securely encrypt passwords in a way that still allows for automatic use. To mitigate, administrators must follow the instructions in the links provided above to ensure that the use of saved passwords is disabled.
- A vulnerability exists because a master password can be configured for WinSCP v6.x. The application does not enforce a length or complexity for this password. To mitigate, WinSCP v6.x shall be configured to meet minimum password-based authentication standards per VA Knowledge Service Control IA-5(1).
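Several of the Security Assessment Review constraints above (update checks set to Never, anonymous usage statistics unchecked, saved passwords disabled, no FTP sessions) are settings an administrator can verify in a WinSCP configuration export rather than by inspecting each dialog. The script below is an added example, not part of the TRM page and not WinSCP's own tooling: it audits a WinSCP.ini-style file against those constraints. The section names, key names and the FSProtocol value used for plain FTP are assumptions about how WinSCP stores its configuration and must be confirmed against the vendor documentation for the deployed version; the two INI texts are constructed samples.

```python
import configparser

# Constructed sample that violates several of the constraints above.
NONCOMPLIANT_INI = """\
[Configuration\\Interface\\Updates]
Period=7
CollectUsage=1

[Configuration\\Security]
DisablePasswordStoring=0

[Sessions\\legacy-ftp]
HostName=ftp.example.test
FSProtocol=5
UserName=svc
Password=A35C7D4E0F

[Sessions\\sftp-ok]
HostName=sftp.example.test
FSProtocol=2
UserName=svc
"""

# Constructed sample that satisfies every check below.
COMPLIANT_INI = """\
[Configuration\\Interface\\Updates]
Period=0
CollectUsage=0

[Configuration\\Security]
DisablePasswordStoring=1

[Sessions\\sftp-ok]
HostName=sftp.example.test
FSProtocol=2
UserName=svc
"""

# Assumed section/key layout of WinSCP.ini; verify against vendor docs.
UPDATES = "Configuration\\Interface\\Updates"
SECURITY = "Configuration\\Security"
FTP_PROTOCOL = "5"  # assumed FSProtocol value for plain FTP


def load_ini(text):
    """Parse INI text; WinSCP section names contain backslashes, keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of (finding, location) pairs; an empty list means compliant.

    A missing key is treated as a finding, because the product default for each
    of these settings is the one the constraints tell administrators to change.
    """
    cp = load_ini(text)
    findings = []
    upd = cp[UPDATES] if cp.has_section(UPDATES) else {}
    sec = cp[SECURITY] if cp.has_section(SECURITY) else {}

    if upd.get("Period") != "0":  # "Automatic update period" must be Never
        findings.append(("update-check-enabled", UPDATES))
    if upd.get("CollectUsage") != "0":  # anonymous usage statistics must be off
        findings.append(("usage-statistics-enabled", UPDATES))
    if sec.get("DisablePasswordStoring") != "1":  # saved passwords must be disabled
        findings.append(("password-storing-allowed", SECURITY))

    # Stored sessions: flag plain FTP and any session carrying a stored password
    # (the page notes such passwords are recoverable, not securely encrypted).
    for name in cp.sections():
        if not name.startswith("Sessions\\"):
            continue
        session = cp[name]
        if session.get("FSProtocol") == FTP_PROTOCOL:
            findings.append(("ftp-session", name))
        if "Password" in session:
            findings.append(("saved-password", name))
    return findings


if __name__ == "__main__":
    for code, where in audit(NONCOMPLIANT_INI):
        print(f"FINDING {code:<26} in [{where}]")
    print("compliant sample findings:", audit(COMPLIANT_INI))
```

Run it against an exported WinSCP.ini (or a registry export converted to the same layout) by passing the file contents to `audit`; each finding names the section to correct, and an empty result is the state the ISSO review expects for these four constraints.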