| 5.x |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
Approved w/Constraints
[3, 7, 13, 14, 15] |
| | | | [1] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [2] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP). | | | [3] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | | [4] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [5] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP). | | | [6] | Per the Initial Product Review, users must ensure that they adhere to the following constraints:
1. The application must not be used to process, store or transmit sensitive data including Personally Identifiable Information (PII)/Protected Health Information (PHI).
2. The initial use case calls for the tracking of equipment. Additional use cases, particularly those involving tracking of people, will require an additional evaluation.
3. The product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. It is a requirement that VA sensitive data is properly protected in accordance with VA Handbook 6500, Federal Information Security Management Act (FISMA), and Federal Information Processing Standards (FIPS) 140-2.
4. In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that should be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA, government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101 (d) policy ensuring the use of common security configuration checklists in the management of risk.
As this technology is not Federal Information Processing Standards (FIPS) 140-2 compliant it must not be used to handle Personally Identifiable Information (PII), Protected Health Information (PHI), or other sensitive VA data. | | | [7] | Users must ensure that Microsoft Structured Query Language (SQL) Server is implemented with VA-approved baselines. (refer to the ‘Category’ tab under ‘Runtime Dependencies’)
Per the Initial Product Review, users must abide by the following constraints:
- If the Intelligent Insites Platform will be used to process, store or transmit sensitive data including Personally Identifiable Information (PII)/Protected Health Information (PHI), FIPS 140-2 validated encryption is required for both data at rest and in transit.
- All mobile devices processing and transmitting VA data must adhere to the following:
• Must be GFE and on the Mobile Technology and Endpoint Security Engineering approved device list.
• All applications developed and used must store and transmit data using a FIPS 140-2 (or its successor) validated application (or the application data resides in a container-based encryption solution) and must be listed in VA’s TRM.FIPS 140-2 is required for data at rest and data in transit when it contains PII/PHI/sensitive information. There are two methods for this. One is the device itself provides full-device encryption for all storage and have a protected connection back to VA; the other is the application must be `wrapped` by a FIPS 140-2 validated solution. This would protect the information on a device that does not have data protected any other way.
- The database server and its components must be approved for use on the VA TRM and adhere to VA Baseline Configuration Standards. In addition, the following security measures will help ensure the data is secured and protected.
• Ensure connections between ONDB components (e.g., clients, application server, data store) are encrypted using Transport Layer Security (TLS).
• Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) 150505-005R-Full_Disk_Encryption_FIPS_140-2_Data-at-Rest_Expectations and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides.
• Employ security authorization controls, least privileges and separation of duties to prevent unauthorized access to VA sensitive data
• Deploy a VA-approved web application firewall (WAF) and database firewall to add layers of security to the database system
• Perform end-to-end security testing of ONDB and all components to ensure security holes that could be exploited are addressed prior to implementation
• Log all computer-readable data extracts from databases holding sensitive information and verify each extract as stated in VA Handbook 6500
• Continuous vulnerability scanning, monitoring and auditing of the database system.
This technology must use the latest version of Java Development Kit (JDK) - Oracle. | | | [8] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [9] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | | [10] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP). | | | [11] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (SPF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [12] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the Project Special Forces (PSF) team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [13] | Due to potential information security risks for cloud-based technologies, users should coordinate closely with their facility ISSO for guidance and assistance on cloud products. If further guidance is needed contact the Enterprise Cloud Solution Office (ECSO), which is the body responsible for new software development in and migration of existing systems to the VA Enterprise Cloud (VAEC) and ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised within the VAEC. For information about Software as a Service (SaaS) products or to submit a SaaS product request with the VA OIT Product Engineering team, please use their online form.
(Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | | [14] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | | [15] | Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FOE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information System Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP). |
|
