Produced by Araxis Merge on 9/9/2019 5:41:56 PM Eastern Daylight Time.
# | Location | File | Last Modified |
---|---|---|---|
1 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | Web_VistA_Remote_Access_Management_WebVRam_Assessing_AO_Requirements_to_Achieve_Continuous_Monitoring.docx | Wed Sep 4 14:12:43 2019 UTC |
2 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | Web_VistA_Remote_Access_Management_WebVRam_Assessing_AO_Requirements_to_Achieve_Continuous_Monitoring.docx | Thu Sep 5 19:40:35 2019 UTC |
Between Files 1 and 2:

Description | Text Blocks | Lines |
---|---|---|
Unchanged | 1 | 46 |
Changed | 1 | 4 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | System Name: | |
2 | Web VistA Remote Access Management (WebVRam) Assessing | |
3 | Authorizing Official: | |
4 | John P. Everett | |
5 | System Owner: | |
6 | Curtis Clay | |
7 | ATO Granted Date: | |
8 | July 12, 2019 | |
9 | Items to Address: | |
10 | Within 60 days of ATO issuance, the system requires the following actions: | |
11 | • Nessus Scan – Continue to receive monthly Nessus scans. All findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to the Documents tab within RiskVision. Ensure the POA&M is updated with the latest remediation progress. | |
12 | • Security Configuration Compliance Data (SCCD) – Continue to receive quarterly reports. All failing results must have a documented mitigation plan with an expected mitigation date uploaded to the Documents tab within RiskVision along with the SCCD report. A POA&M must be created to track the remediation progress. | |
13 | • WASA/Penetration Test – Continue to remediate the remaining unresolved WASA and Penetration Test findings. All findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to the Documents tab within RiskVision. Ensure the POA&M is updated with the latest remediation progress. | |
14 | • Secure Code Review – All findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to the Documents tab within RiskVision. Ensure the POA&M is updated with the latest remediation progress. | |
15 | • Quality Code Review – All findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to the Documents tab within RiskVision. Ensure the POA&M is updated with the latest remediation progress. | |
16 | • Enterprise Discovery Scan (EDS) – An EDS against all instances of the operating system and desktop configurations must be conducted for all internal VA systems. All findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to the Documents tab within RiskVision. Refer to the Authorization Requirements SOP for detailed instructions on meeting this requirement. If EDS is not applicable, upload a word document to the Documents tab within RiskVision explaining why EDS is not applicable. | |
17 | ||
18 | Within 135 days of ATO issuance, this system requires the following actions: | |
19 | • Security Documentation – Ensure all system security documentation is completed and uploaded to RiskVision in accordance with the Authorization Requirements within the Authorization SOP, to include evidence for the security controls. Ensure the RA and SSP within RiskVision are adequately completed through the tool, and the SSP addresses how the security controls are implemented. If controls are not fully implemented work to close the respective findings in RiskVision. Also, ensure that all findings and risks have a response provided for them within RiskVision, along with the details on financial/personnel resources required to resolve the finding. Refer to the POA&M Management Guide located on the OIS Portal for detailed instructions on creating and managing POA&Ms in RiskVision. Ensure current/accurate versions of the remaining security documentation, including the Secure Design Review, are uploaded to RiskVision and approved by the appropriate parties. | |
20 | • Continuous Monitoring Requirement – Ensure all applicable scans are completed in accordance with the VA Authorization Requirements SOP. o Database scan – Ensure a new Database scan is completed by February 2020 to satisfy the annual requirement; unless a major change occurs prior to February 2020. | |
21 | ||
22 | ||
23 | Contact Information: | |
24 | PII | |
25 | PII |