
VA Technical Reference Model v 18.12

Microsoft SQL Server

General Information

Technologies must be operated and maintained in accordance with Federal and Department security and privacy policies and guidelines. More information on the proper use of the TRM can be found on the TRM Proper Use Tab/Section.

Website: Go to site
Description: Microsoft SQL Server is Microsoft's relational database management system designed for the enterprise environment.

Microsoft offers several editions of Structured Query Language (SQL) Server, including Business Intelligence, Enterprise, Standard, Workgroup and Express. All editions are included in this entry.

Microsoft SQL Server has many components and add-ons that are included with this entry. See the component tab for more details.

Additionally, only certain editions of SQL Server support Transparent Data Encryption (TDE) which may be needed to protect sensitive data at rest in some situations.
Technology/Standard Usage Requirements: Users must ensure their use of this technology/standard is consistent with VA policies and standards, including, but not limited to, VA Handbooks 6102 and 6500; VA Directives 6004, 6513, and 6517; and National Institute of Standards and Technology (NIST) standards, including Federal Information Processing Standards (FIPS). Users must ensure sensitive data is properly protected in compliance with all VA regulations. Prior to use of this technology, users should check with their supervisor, Information Security Officer (ISO), Facility Chief Information Officer (CIO), or local Office of Information and Technology (OI&T) representative to ensure that all actions are consistent with current VA policies and procedures prior to implementation.
Section 508 Information: This technology has not been assessed by the Section 508 Office. The Implementer of this technology has the responsibility to ensure the version deployed is 508-compliant. Section 508 compliance may be reviewed by the Section 508 Office and appropriate remedial action required if necessary. For additional information or assistance regarding Section 508, please contact the Section 508 Office at
Decision: View Decisions
Decision Constraints: Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.

Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO), FIPS 140-2 Validated Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS), and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security controls must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Security Officer (ISO) to ensure that a compliant DBMS technology is selected and that, if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

This technology should only be used when required by a Veterans Affairs (VA) business partner for an approved VA project. Use of this technology must comply with ESCCB requirements, which include: signed Interconnection Security Agreements/Memoranda of Understanding (MOU/ISA) with each external business partner, compliance with VA Handbook 6500, and implementation of the appropriate National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) requirements for all devices interacting with this technology. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. As of January 27th, 2017, Risk-based Decisions (RBD) will be handled per VAIQ # 7769667. In cases where the technology is used for external connections, a full Enterprise Security Change Control Board (ESCCB) review is required in accordance with VA Directive 6004, VA Directive 6517 and VA Directive 6513. The local ISO can advise on the ESCCB review process and ensure that privacy-of-information compliance protections are in place.

VA has a License Agreement in place for this technology. All license needs for this technology must be coordinated through the Technology Innovation Program (TIP). Refer to the license section of this entry for more details.

Configuration and deployment standards for SQL Server images and their host Windows Server images are defined and maintained by the Core Systems Engineering organization within VA Solution Delivery (SD) and must be followed and adhered to unless an appropriate waiver is granted. Detailed information can be found at the following location:

At this time there is no VA baseline for SQL Server 2017. Until a baseline has been created and published on the BCM website, SQL Server 2017 is unapproved. Users may use SQL Server 2012, 2014, and 2016 following all listed constraints.

SQL Server 2000, 2005, and 2008 are unapproved. Therefore, use of SQL Server 2000, 2005, and 2008 must be limited to solid business cases where the benefit outweighs the risks relative to operating to the newer SQL Server 2012, 2014, or 2016 baselines. In order to use these older versions of SQL Server, the DISA STIG for SQL Server 2012, 2014, or 2016 must be applied, and the exception must be reviewed and approved via the STAT waiver process.

Windows Internal Database (WID) is a variant of SQL Server Express 2005-2012 that is included with Windows Server and other free Microsoft products released after 2007 that require a SQL Server database backend. Windows Internal Database (WID) is authorized only for use by the Microsoft products that include it by design and must not be used by any end-user applications.

Decision Source: TRM Mgmt Group
Decision Process: One-VA TRM v18.12
Decision Date: 12/19/2018
Aliases: MS SQL Server; Attunity Connectors for Oracle and Teradata; Windows Internal Database (WID); Microsoft SQL Server Express; SQL Express
Introduced By: TRM Analysis
Vendor Name: Microsoft
- The information contained on this page is accurate as of the Decision Date (12/19/2018).