Produced by Araxis Merge on 9/9/2019 5:41:46 PM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.
# | Location | File | Last Modified |
---|---|---|---|
1 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | Authorization Requirements SOP Guide.doc | Tue Jul 23 23:11:38 2019 UTC |
2 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | Authorization Requirements SOP Guide.doc | Thu Sep 5 19:22:49 2019 UTC |
Between Files 1 and 2:

Description | Text Blocks | Lines
---|---|---
Unchanged | 68 | 1528
Changed | 68 | 193
Inserted | 0 | 0
Removed | 1 | 2
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
Office of Information Security
Authorization Requirements Standard Operating Procedures
Version 3.16, March 1, 2018

Table of Contents

1. Purpose
2. Scope
3. Authorization Prerequisites
4. Assessment & Authorization (A&A) Requirements
4.1 Registration Requirements
4.1.1 Application Registration
4.2 Security Documentation Requirements
4.2.1 System Security Plan (SSP)
4.2.2 Minor Application Self-Assessment
4.2.3 Signatory Authority
4.2.4 Risk Assessment (RA)
4.2.5 Configuration Management Plan (CMP)
4.2.6 Incident Response Plan (IRP)
4.2.7 Information Security Contingency Plan (ISCP)
4.2.8 Disaster Recovery Plan (DRP)
4.2.9 Privacy Impact Assessment (PIA)
4.2.10 Interconnection Security Agreement (ISA)/Memorandum of Understanding (MOU)
4.2.11 Secure Design Review
4.3 Technical/Testing Requirements
4.3.1 Nessus Scan / [Discovery Scan (part of Nessus scan)]
4.3.1.1 Database Scan
4.3.2 Quality Code Review
4.3.3 Secure Code Review
4.3.4 Penetration Test / Application Assessment
4.3.5 Security Configuration Compliance Data
4.3.6 Security Control Assessment (SCA)
4.3.7 Control Implementation Evidence
4.4 Closing
Appendix A – FedRAMP/Cloud – VA Requirements
Appendix B – Authorization Requirements Quick Reference Guide
Appendix C – Job Aid: Security Information
Appendix D – Minor Applications Self-Assessment SOP
Appendix E – A&A System/Facility DRP and ISCP Requirements
Appendix F – Links/URLs/E-Mail Addresses
Document Revision History

Revision Date | Summary of Changes | Version | Author
---|---|---|---
January 2014 | Initial version of SOP | 1.0 | OCS
April 2014 | Updates made to Nessus Scan, Secure Code Review, and Security Configuration Compliance Data Requirements | 1.1 | OCS
June 2014 | Added Security Information Job Aid to Appendix C of SOP | 1.2 | OCS
October 2014 | Implemented reference, methodology and terminology changes; and removed the IV&V Secure Code review requirement | 1.3 | OCS
March 2015 | Added section 3.1.6 Control Implementation Evidence | 1.4 | OCS
April 2015 | Updated section 3.1.3 Continuous Monitoring Requirement | 1.5 | OCS
July 2015 | Updated section 3.2.10 to include references to guidance materials on the RBD process | 1.6 | OCS
August 2015 | Added Appendix A: Cloud/FedRAMP Reciprocity ATO Process | 1.7 | OCS
August 2015 | Updated new compliance scan 'Report' request process location | 1.8 | OCS
September 2015 | Updated the IRP, ISCP, and DRP sections by removing ISCPA tool references. | 1.9 | OCS
October 2015 | Updated the IRP, ISCP, and DRP sections with minor changes. | 2.0 | OCS
October 2015 | Updated SOP to add in Section 3.1, Registration Requirements | 2.0 | OCS
November 2015 | Added Appendix D – A&A System/Facility DRP and ISCP Requirements. Updated the ISCP and DRP sections based on new OBC guidelines. | 2.0 | OCS
December 2015 | Updated SCA section and added location for ISA/MOU latest templates | 2.1 | OCS
December 2015 | Re-added Section 3.1, Registration Requirements, which was removed accidentally | 2.2 | OCS
January 2016 | Updated section 3.3.5 (IRP). OBC is not responsible for IRPs. Removed OBC references from IRP section. | 2.3 | OCS
May 2016 | Added VASI reference to Section 3.1.1 Application Registration | 2.4 | OCS
June 2016 | Replaced http:// URL /xxx links with functional links | 2.5 | OCS
June 2016 | Edits throughout the document and integrated cloud-based VA applications and cloud-based third-party systems requirements | 2.6 | OIS
July 2016 | Added Appendix E, NSOC Scanning Questionnaire information, and POA&M Management Guide reference; removed broken link from SCCD section | 2.7 | OCS
September 2016 | Updated Code Review Continuous Monitoring requirements | 2.8 | OCS
October 2016 | Added Minor Application Self-Assessment SOP | 2.9 | OCS
December 2016 | Added DB scan requirement for HQ systems | 3.0 | OCS
January 2017 | Added section 3.2.11: Secure Design Review; removed RBD section | 3.1 | OCS
January 2017 | Updated CMP and IRP sections; also updated the POA&M Management Guide link. | 3.2 | OCS
February 2017 | Updated the DB scan requirement and Security Configuration Compliance Data requirement sections | 3.3 | OCS
February 2017 | Removed R6 VAKN/CDN Assessing reference from Appendix E | 3.3 | OCS
March 2017 | Updated Section 3: Security Packages submission 45 days prior to ATO expiration date. Updated Appendix A: Added new section - Other Federal Agency (Non-FedRAMP) ATO Acceptance | 3.4 | OCS
March 2017 | Added note to Appendix A and added ISO and SO assignment requirement | 3.5 | OCS
March 2017 | Added NEWT/REEF Reporting to section 3.3.1 | 3.6 | OCS
April 2017 | Updated section 4.2.10 (ISA/MOU) | 3.7 | OCS
April 2017 | Updated section 4.3.6 (SCA) | 3.8 | OCS
April 2017 | Added Scope statement | 3.9 | OCS
May 2017 | Updated section 4.2.11 Secure Design Review; updated the TOC to show the DB scan section 4.3.1.1 | 3.10 | OCS
June 2017 | Updated section 4.1.1; included COTS products registration requirement. Added a new section 4.3.2: Quality Code Review | 3.11 | OCS
July 2017 | Updated links to request technical scans under section 4.3 | 3.12 | OCS
October 2017 | Added a note to Section 4; added more details on findings remediation timeline. | 3.13 | OCS
December 2017 | Changed title to Authorization Requirements SOP Guide. Replaced "Accreditation" with "Authorization" throughout the document. Added link for Nessus scan requests in section 4.3.1 Step 2. | 3.14 | OCS
January 2018 | Updated Security Configuration Compliance Data (SCCD) guidance in section 4.3.5, Appendix B, and Appendix F. Updated verbiage in Section 4.3 requiring SOs/Delegates to upload an explanation for any technical requirement that is considered not applicable | 3.15 | OCS
March 2018 | Updated verbiage in section 3.3 indicating SO or delegate should work with ISO to review authorization requirements. Added link for new Major Change Notification Form requirement under section 4 | 3.16 | OCS

1. Purpose
To obtain and maintain a VA Authority-to-Operate (ATO), the authorization requirements included within the contents of this document must be completed. RiskVision, VA's Governance, Risk and Compliance (GRC) tool, is the authoritative management tool for the VA Assessment and Authorization (A&A) process and Risk Management Framework. All systems will be assessed in RiskVision by an OCS representative [Certification Agent (CA)] for an authorization recommendation to be submitted to the OIS Chief Information Security Officer (CISO) and VA Chief Information Officer (CIO) [Authorizing Official] for final ATO consideration.

RiskVision guidance documentation can be found on the Office of Information Security (OIS) Portal. The Assessment & Authorization Requirements section of this document outlines the technical/testing and security documentation requirements necessary to support an authorization decision. In addition to the descriptions and procedures in this document, the authorization requirements are listed in the Authorization Requirements Quick Link Reference Guide located on the OIS Portal and in Appendix A of this document.

This is a living document based on current federal and VA security policies, standards and guidance, and is subject to change.
2. Scope

These procedures apply to systems that are required to obtain an Authority to Operate (ATO). They do not apply to sandbox environments, non-VA networks, or development networks not otherwise connected to the VA network. Those environments are excluded from the procedures identified in this SOP. They will not be entered into GRC; thus any documentation, including POA&Ms, would not be loaded into GRC, and GRC would not be the appropriate tracking mechanism for their deficiencies.
3. Authorization Prerequisites

The following steps need to be followed once a system is identified as needing a VA authorization decision:

1. Designate an ISO to the project. If an ISO is not yet assigned, complete the following steps:
   - System Owner or delegate completes the Request For Information Security Officer Support Form and e-mails it to [PII].
   - The FSS ISO work group will coordinate an ISO assignment to help the project team with authorization requirements and participate in information security requirements throughout the System Development Life Cycle (SDLC).
2. Create a RiskVision entry for the Application or System by completing the following steps:
   - System Owner or delegate completes the RV System Inventory Checklist vX.X (available upon request) provided by the ISO or from the RiskVision Working Group (RVWG) at [PII].
   - The RVWG will include the Application/System for discussion on the weekly meeting agenda, scheduled Thursdays at 12:00pm EST. During the meeting, RVWG can approve or deny the Application/System or request additional information before a decision.
   - Once RVWG approves the Application/System for a RiskVision entry, the System Owner or delegate will be notified by OCS via e-mail from the GRC Service Desk ([PII]) granting access to the applicable instance of RiskVision:
     - National Release GRC Instance: [URL]
     - Enterprise Operations GRC Instance: [URL]
3. Once the applicable parties have access to RiskVision and the system resides in the tool, the System Owner or delegate shall contact their ISO to review the authorization requirements and determine if certain requirements are not applicable based on the type of system in question.
4. The applicable system POCs must have their authorization package completed and uploaded to RiskVision no less than 45 calendar days prior to the date they want their authorization decision to be made.
4. Assessment & Authorization (A&A) Requirements

The VA A&A requirements include technical/testing, security documentation, and security control compliance requirements. Details about the various requirements are in the following sections. Authorization packages must be completed and uploaded to RiskVision no less than forty-five (45) calendar days prior to the ATO decision consideration deadline. If a required security control is not implemented, the project team must create a POA&M/Finding in RiskVision to keep track of the remediation effort.

Note: Only completed, required A&A security artifacts, including the technical scan results and remediation strategies, should be uploaded to the Documents tab within RiskVision. The Documents tab is not the place to upload evidence.

If a system undergoes a significant (major) change (as defined below) after an ATO determination is made, it is required to re-complete the A&A requirements, including updating all security documentation to reflect the change. Additionally, the Major Change Notification Form, which can be found here, must be completed and uploaded to RiskVision 45 days prior to the implementation of the major change.

Significant Change Definition: Per the current 'draft' VA Handbook 6500.3, Assessment, Authorization, And Continuous Monitoring of VA Information Systems, the definition of 'significant change' is as follows: A significant (major) change to an information system or environment of operation is a change that is likely to affect the security state of the information system. Significant changes to an information system may include, but are not limited to, for example: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform; (iv) modifications to cryptographic modules or services; or (v) modifications to security controls. Examples of significant changes to the environment of operation may include, but are not limited to, for example: (i) moving to a new facility; (ii) adding new core missions or business functions; (iii) acquiring specific and credible threat information that the organization is being targeted by a threat source; or (iv) establishing new/modified laws, policies, or regulations. Source: SP 800-37 Rev 1 [VA Adopted].
4.1 Registration Requirements

The following section provides details on each of the registration requirements, including a description of the requirements and the parties/OIS organization(s) that will assist in the completion of the requirements.

4.1.1 Application Registration

Custom developed and COTS VA applications are required to be registered with the VA Software Assurance Program Office. Registration is necessary to maintain an inventory of the total population of VA custom and COTS applications, by type and business line according to the VA Common Application Enumeration (CAE) at Common Application Enumeration, to ensure application-level security considerations are taken into account when determining readiness and performance.

For detailed instructions on the registration process, reference the VA Software Assurance Program Office procedures that can be found on the VA Software Assurance Developer Support Site. More information regarding system registration in VA Systems Inventory (VASI) can be found in VA Directive 6404.

Note: Application registration is required before either a Secure Code Review Validation or a Penetration Test / Application Assessment can be scheduled for all applications subject to secure code review authorization requirements. Also note that Software as a Service (SaaS) should follow COTS registration procedures.

Continuous Monitoring Requirement – Application registration is required when requested by OCS and/or NSOC.
4.2 Security Documentation Requirements

The following section provides details on each of the required security artifacts, including the document requirements, references, and the parties/OIS organization(s) that can provide additional guidance for each artifact.

Templates for the applicable security artifacts/documents mentioned below are available on the OIS Portal at A&A Home Documents. Contact your ISO for questions on how to complete the documentation.

Note (applicable to EO systems only): An artifact that is generated through RiskVision, is part of the Authorization package, and is reviewed/approved by the ISO/SO in the RiskVision workflow as part of the Authorization Package may not require signature(s), or is valid without signature(s).
4.2.1 System Security Plan (SSP)

SSP guidance is provided below:

- SSP guidance is found in NIST SP 800-18 and VA Handbook 6500.3.
- Additional guidance for completion of the SSP can be provided by OCS.
- The SSP is developed within RiskVision; a Word document/template is no longer necessary.
- All required diagrams and confirmation of the security authorization boundary, to include all devices and supporting software architecture, should be included.
- All controls must be addressed. A finding will need to be created in RiskVision for every control that is not in place.

SSP completion steps:

1. The System Steward completes the assessments in RiskVision and develops findings and responses in the Findings tab for controls not in place.
2. The ISO validates information added by the System Steward in RiskVision.
3. The ISO, System Owner or delegate/System Steward exports the SSP from RiskVision and uploads the document to the Documents tab in RiskVision.

Continuous Monitoring Requirement – The SSP must be completed on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.2 Minor Application Self-Assessment

All minor applications are required to complete the Minor Application Self-Assessment and upload it to the Documents repository within RiskVision as an Appendix to the GSS/MA SSP. Complete instructions on completing the Minor Application Self-Assessment can be found in the Minor Application Self-Assessment SOP attached as Appendix D. The Minor Application Self-Assessment Workbook can be found at A&A Home Documents.
4.2.3 Signatory Authority

Signatory Authority guidance is provided below:

- The Signatory Authority must be signed and dated by the appropriate parties.
- Additional guidance for completion of the Signatory Authority can be provided by OCS.

Signatory Authority completion steps:

1. System Owner or delegate completes the Signatory Authority using the template provided at A&A Home Documents.
2. System Owner, ISO or delegate/System Steward uploads the Signatory Authority to the Documents tab in RiskVision.

Continuous Monitoring Requirement – The Signatory Authority must be completed on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.4 Risk Assessment (RA)

RA guidance is provided below:

- Systems and facilities are responsible for conducting the RA.
- RA guidance is found in NIST SP 800-30.
- Additional guidance for completion of the RA can be provided by the Office of Risk Management and Incident Reporting (RMIR)/OCS.
- The RA is developed within RiskVision; a Word document/template is no longer necessary.

RA completion steps:

1. The System Steward completes the assessment in RiskVision.
2. The ISO validates information added by the System Steward in RiskVision.
3. The ISO, System Owner or delegate/System Steward exports the RA from RiskVision and uploads the document to the Documents tab in RiskVision.

Continuous Monitoring Requirement – The RA must be updated on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.5 Configuration Management Plan (CMP)

CMP guidance is provided below:

- Facilities are responsible for completing the CMP (pending clarification on the requirement for systems).
- CMP guidance can be found in NIST SP 800-128 and VA Handbook 6500.
- Additional guidance for completion of the CMP can be provided by OCS.
- The CMP should include processes for managing configuration and change management.
- The CMP should include infrastructure devices and baseline configurations (e.g., switches, routers, firewalls).
- The CMP should include a configuration file for each operating system(s), database(s), application(s), and network device(s) to validate compliance with the baseline configuration.

CMP completion steps:

1. System Owner or delegate completes the CMP using the template provided at A&A Home Documents.
2. ISO, System Owner or delegate/System Steward uploads the CMP to the Documents tab in RiskVision.

Continuous Monitoring Requirement – The CMP must be updated on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.6 Incident Response Plan (IRP)

IRP guidance is provided below:

- Facilities are responsible for completing the IRP.
- An IRP is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.
- IRP guidance can be found in NIST SP 800-61.
- Tools and websites that can be useful in IRP creation:
  - Agiliance RiskVision Enterprise Operations GRC Instance
  - Agiliance RiskVision National Release GRC Instance
  - Office of Cyber Security (OCS) Portal
- The System Owner works with the assigned ISO to create the IRP.
- Once completed and tested, the System Owner or designee uploads the signed IRP into RiskVision.
- Each site is responsible for developing local level procedures incorporating VA-NSOC areas of responsibility.

IRP completion steps:

1. The following inputs must be used in IRP creation:
   - RA
   - SSP
2. The IRP must meet the following standards:
   - Information Access and Privacy Program
   - NIST Special Publication 800-61 - Computer Security Incident Handling Guide
   - VA Handbook 6500.3, Certification and Authorization of Federal Information Systems

Continuous Monitoring Requirement – The IRP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.7 Information Security Contingency Plan (ISCP)

ISCP guidance is provided below:

- An ISCP is expected for each "Assessing" entity as identified in GRC.
- An ISCP is also expected for all LAN entities (the term "LAN" speaks to the facility boundary) within each facility, including PBX (may only apply to certain facilities with wired PBX) and/or MA (may only apply to facilities that house and manage the MA).
- In accordance with the FY16 action item, all sites are required to update their ISCPs, and plans must be tested.
- Contingency planning refers to interim measures to recover information system services after a disruption.
- All plans must reflect the current environment and must be completed using the approved FY16 OBC template.
- The System Owner or delegate develops or revises the Information System Contingency Plan.
- The System Owner or designee uploads the Information System Contingency Plan into RiskVision.
- Additional guidance for completion of the ISCP can be provided by the OBC or by visiting the Business Continuity Portal.
- Tools and websites that can be useful in ISCP creation:
  - Agiliance RiskVision Enterprise Operations GRC Instance
  - Agiliance RiskVision National Release GRC Instance
  - Business Continuity Portal
  - Office of Cyber Security (OCS) Portal
  - Technical Services Project Repository (TSPR)

ISCP completion steps:

1. The ISCP template can be found here.
2. The following inputs must be used in the ISCP creation:
   - Preliminary Information System Contingency Plan
   - Primary Site System Security Plan
   - Backup Site System Security Plan
3. The ISCP must meet the following standards:
   - NIST Special Publication 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems
   - Office of Information Security, Authorization Requirements Guide Standard Operating Procedures
   - VA Handbook 6500.8, Information System Contingency Planning

Continuous Monitoring Requirement – The ISCP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.8 Disaster Recovery Plan (DRP)

DRP guidance is provided below:

- A DRP is required for each facility hosting the system components.
- For Regions 1 – 6, facility DRPs (collectively) cover the Region DRP requirement.
- For Region Other, each "Assessing" entity must have a DRP.
- In accordance with the FY16 action item, all sites are required to update their DRPs, and plans must be tested.
- All plans must reflect the current environment and must be completed using the approved FY16 OBC template.
- The System Owner or designee develops the DRP as the entry point for the creation of both the facility and data center plans.
- Once completed (and tested), the System Owner or designee uploads the DRP into RiskVision.
- Additional guidance for completion of the DRP can be provided by OBC or by visiting the Business Continuity Portal.
- Tools and websites that can be useful in DRP creation:
  - Agiliance RiskVision Enterprise Operations GRC Instance
  - Agiliance RiskVision National Release GRC Instance
  - Business Continuity Portal
  - Office of Cyber Security (OCS) Portal

DRP completion steps:

1. The DRP template can be found here.
2. The following inputs must be used in DRP creation:
   - Primary Site System Security Plan
   - Backup Site System Security Plan
3. The DRP must meet the following standard:
   - Office of Information Security, Authorization Requirements Guide Standard Operating Procedures

Continuous Monitoring Requirement – The DRP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs.
4.2.9 Privacy Impact Assessment (PIA)

PIA guidance is provided below:

A complete PIA must have:

- A previously completed Privacy Threshold Analysis (PTA).
- Been completed in the most up-to-date and Privacy Services approved template for both the PTA and PIA. The PTA and PIA template can be found at A&A Home Documents.
- Been completed in coordination with the VA Privacy Services Office.
- Been signed by the System Owner, Privacy Officer, and ISO.
- Been re-submitted whenever there are significant (major) changes to the system or within 3 years.

Authority is found in the E-Government Act of 2002, OMB Circular 03-22, VA Directive 6502, VA Directive 6508, and VA Handbook 6508.1.

Additional guidance for completion of the PIA/PTA can be provided by the Privacy Services Office. Any questions may be sent to [PII].

PIA completion steps:

1. System Owner, Privacy Officer, and ISO work together to submit a PTA, which is reviewed by the Privacy Services Office.
2. After review and determination by analysts, the PTA must be signed by the System Owner, Privacy Officer, ISO, and any other relevant stakeholders and re-submitted to the Privacy Services Office via [PII].
3. If a PIA is required as an outcome of the PTA analysis by the Privacy Services Office, a PIA must be completed and submitted to the Privacy Services Office, and then comments by the analysts, if any, must be incorporated.
4. Once the PIA is verified as complete by Privacy Services, re-submit the PIA as a PDF file with the signatures of the System Owner, Privacy Officer, ISO, and any other relevant stakeholders to [PII].
5. The PIA must then be uploaded into the GRC tool as an artifact. System Owner or delegate/System Steward uploads the PIA to the Documents tab in RiskVision.

Continuous Monitoring Requirement – A PTA must be submitted every year. The PIA is valid for 3 years if there are no significant changes to the system.
4.2.10 Interconnection Security Agreement (ISA)/Memorandum of Understanding (MOU)

ISA/MOU guidance is provided below:

- Before an external connection can be granted, a Memorandum of Understanding (MOU) and an Interconnection Security Agreement (ISA) are required to authorize a connection between information systems that do not share the same Authorizing Official.
- An ISA/MOU must be provided for all external interconnections.
- ISA/MOU guidance can be found in NIST SP 800-47 and VA Handbook 6500.
- Additional guidance for completion of the ISA/MOU can be found in the Field Security Service (FSS) Bulletin #269 or by contacting the Health Information Security Division at [PII] or the OIT Enterprise Risk Management (ERM) CRISP Team at [PII].

ISA/MOU completion steps:

1. System Owner, in coordination with the entities identified in NIST SP 800-47, will complete the ISA/MOU using the latest template provided at the OIS Portal or A&A Home Documents.
2. ISO will upload all final draft MOU/ISA documents to the MOU/ISA Review Submissions SharePoint site for a review prior to requesting signatures.
3. A VA review team will assess the documents against a checklist for quality and content.
4. The reviewer and the ISO will work collaboratively to correct deficiencies found in the documentation.
5. The reviewer will notify the ISO via email informing them that the document is ready for signatures.
6. The ISO will process the document for signature.
7. Upon receipt of the completed and signed MOU/ISA document, the ISO will upload the document to the Enterprise Document SharePoint.
8. The finalized document should also be added to the existing A&A artifacts in RiskVision.

Continuous Monitoring Requirement – The ISA/MOU Review Sheet must be completed on an annual basis. If there is a significant change which impacts the architecture, please contact the Health Information Security Division at [PII] to determine if an update to the ISA/MOU is necessary.
332 | Secure Design Review | ||||
333 | Secure Design Review (Application Threat Modeling) guidance is provided below: | ||||
334 | Secure Design Review guidance is found in the VA Secure Design Review SOP. | ||||
335 | Additional guidance for performing a Secure Design Review is posted on the VA Software Assurance (SwA) Program Office Resource Site. | ||||
336 | All required diagrams and the analysis of potential threats must include all applicable technologies/libraries utilized by the custom application. | ||||
337 | All potential threats must be analyzed. A finding will need to be created in RiskVision for every potential threat that is not analyzed. | ||||
338 | Secure Design Review completion steps: | ||||
339 | 1. The steps to request the development of an initial threat model to analyze can be found here. | ||||
340 | 2. The following standards must be met in performing this activity: | ||||
341 | VA Secure Design Review SOP | ||||
342 | 3. The ISO, System Owner or delegate/System Steward uploads the analyzed threat model to the Documents tab in RiskVision. | ||||
343 | Continuous Monitoring Requirement – The Secure Design Review must be updated on an annual basis or when a significant change in the system or a major change in the application architecture occurs. | ||||
344 | Technical/Testing Requirements | ||||
345 | The following section provides details on each of the technical/testing requirements, including a description of the requirement and the parties/OIS organization(s) that will assist in completing it. If a technical/testing requirement is not applicable, the System Owner/Delegate needs to upload a Word document to the Documents tab within RiskVision explaining why the specific technical/testing requirement is not applicable. | ||||
346 | The links to the NSOC Supplemental Scan Request (Vulnerability and Compliance), NSOC Database Scan Questionnaire, and NSOC Penetration Test & WASA Questionnaire can be found at NSOC Scan Documents. Additionally, the necessary information and step-by-step instructions for developing, maintaining, reporting and monitoring weaknesses as they relate to a specific system can be found in the POA&M Management Guide. | ||||
347 | Findings identified in each technical scan should be mitigated within the remediation timeframe specified in VA Handbook 6500 (i.e., Critical – 30 days; High – 60 days; Moderate – 90 days; Low – determined by the System Owner; Emergent – ASAP). One finding should be created in RiskVision for each of the applicable scans to track the remediation progress. In addition, a well-documented remediation strategy with the expected remediation date and status of each finding should be uploaded to the Documents tab within RiskVision for each of the applicable scans. | ||||
348 | Nessus Scan / [Discovery Scan (part of Nessus scan)] | ||||
349 | A credentialed vulnerability scan against all instances of the operating system and desktop configurations must be conducted to identify security flaws. When conducting the Nessus Scan, a discovery scan to identify all assets within the authorization boundary must be conducted as part of the vulnerability scan (a discovery scan will not enumerate any vulnerabilities). All Critical and High deficiencies should be mitigated with documented mitigation evidence provided, and Moderate and Low deficiencies should be mitigated or have a documented mitigation plan. This mitigation plan should include a timetable for mitigation of Moderate and Low deficiencies. | ||||
350 | If a system's Nessus Scan data is not currently displayed in the Threat & Vulnerability Manager (TVM) within RiskVision, refer to the TVM guidance material located on the OIS portal at the Training and Brown Bag Materials site for detailed information on how to access TVM. | ||||
351 | The following steps must be performed to meet the Nessus Scan requirement (if the Nessus Scan data is already included in TVM, skip to Step 3): | ||||
352 | If the system receives a monthly predictive Nessus vulnerability scan from NSOC and the IP addresses that make up the system are all Windows based, provide the IP ranges to the CPO at PII so that the applicable Nessus data can be provided in TVM within RiskVision, then proceed to Step 3. | ||||
353 | If the system receives a monthly predictive Nessus vulnerability scan from NSOC, and the IP addresses that make up the system are not all Windows based, proceed to Step 2, as not all necessary operating system information will be captured in the predictive scans from NSOC that are filtered into TVM. | ||||
354 | If the IP addresses that make up a system are outside of the VA network (Managed Services) and/or the system does not currently receive a monthly predictive Nessus vulnerability scan from NSOC, proceed to Step 2. | ||||
355 | The System Owner or delegate can request a Nessus scan using this link. Once the request is completed, the CPO will work with NSOC to determine whether a separate supplemental vulnerability scan shall be conducted or whether authentication information for the non-Windows devices shall be added to the existing monthly predictive scan. If CPO/NSOC decide on a separate supplemental scan, upload the results to the Documents tab within RiskVision when they are sent to you. If it is decided that the authentication information for the non-Windows devices can be added to the monthly predictive scans conducted by NSOC, provide the IP ranges to PII so that the applicable Nessus data can be provided in TVM within RiskVision. | ||||
356 | Note: NSOC must conduct an independent Nessus Scan for all VA owned systems and Managed Services. NSOC has visibility into Enterprise Operations (EO) systems and has the ability to perform Nessus scans in coordination with system personnel if needed. External systems / Managed Services must have a recent NSOC Nessus scan conducted either via remote connection or by utilizing NSOC staff on-site to perform scans, when necessary. | ||||
357 | Once the system's Nessus Scan data is accurately shown in TVM within RiskVision, the System Owner or delegate follows these steps: | ||||
358 | Browse to the Nessus Enterprise Web Tool (NEWT) and use the Remediation Effort Entry Form (REEF) to document your manual remediation effort. For each deficiency identified from the scan, the System Owner or delegate creates a response within REEF for mitigating the deficiency and/or provides evidence that the deficiency has been mitigated. Also include the scheduled completion date and status of each deficiency within REEF. | ||||
359 | Once all manual remediation has been documented within REEF, run this report within NEWT: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRegion_Chart.rdl | ||||
360 | Export the report by going to the upper left side of the screen and selecting the Actions menu. Choose Export and select Excel. Save the file. | ||||
361 | The System Owner or delegate then uploads the report from step 3 above to the Documents tab within RiskVision. Mitigation information can also be provided in the Vulnerabilities tab within RiskVision. | ||||
362 | Within the uploaded mitigation strategy, each system should conduct an analysis of the results of the vulnerability scans to determine and document those findings that are false positives, not applicable to the system, or otherwise mitigated. Additionally, findings that must be remediated through or from the vendor should also be documented as part of this analysis. | ||||
363 | Note: If Nessus Scan data is not currently provided in TVM for the system and instead raw Nessus Scan results exist from NSOC, the System Owner or delegate shall upload the actual Nessus Scan results to the Documents tab in RiskVision, along with a mitigation strategy for each finding. Also, within NEWT, if the ISO/System Owner does not have an option to pull a report for their FISMA reportable system, contact the VA GRC Service Desk and provide the IP address range of the system authorization boundary so it can be added to NEWT to pull the report. | ||||
364 | The System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the Nessus scan to serve as a reminder to resolve the deficiencies. | ||||
365 | Note: A follow-up Nessus scan may be requested by OIS as part of the ongoing authorization process to ensure deficiencies have been mitigated and no new deficiencies exist. | ||||
366 | Continuous Monitoring Requirement – NSOC conducts predictive Nessus vulnerability scans on a monthly basis. A supplemental scan is required for A&A purposes when requested by OCS or NSOC, and/or when new vulnerabilities potentially affecting the system/applications are identified and reported. To maintain the authorization decision, the system must meet this continuous monitoring requirement. | ||||
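The per-finding mitigation strategy the Nessus section asks for (line 362) and the VA Handbook 6500 timeframes quoted at line 347 lend themselves to a small triage step: collapse the per-host rows of a Nessus export into findings, record each finding's disposition (open, false positive, not applicable, mitigated, vendor-dependent), compute its due date from the severity, and flag what is overdue and what still needs mitigation evidence rather than a plan. The following Python is an added example and is not code from this SOP or from the VA. The CSV columns follow a standard Nessus export ("Plugin ID", "Risk", "Host", "Name", "Plugin Output"); the sample rows, the analyst dispositions, the plugin IDs and the dates are all constructed for illustration.

```python
"""Triage a Nessus CSV export into the per-finding remediation strategy the SOP
asks for: a disposition, a due date from the VA Handbook 6500 timeframes, and
an overdue flag as of a given date.

Added example; not code from the SOP or from the VA. Sample data below is
constructed, not real scan output.
"""
import csv
import io
from datetime import date, timedelta

# Remediation timeframes from VA Handbook 6500 as quoted in the SOP.
# Nessus exports label Moderate as "Medium"; both spellings are accepted.
# Low has no fixed timeframe (set by the System Owner), so it maps to None.
TIMEFRAME_DAYS = {
    "Critical": 30,
    "High": 60,
    "Medium": 90,
    "Moderate": 90,
    "Low": None,
}

# Constructed sample export (not real scan data). Plugin 19506 is informational.
SAMPLE_CSV = """Plugin ID,Risk,Host,Name,Plugin Output
10114,Critical,10.0.0.5,SMBv1 Enabled,SMBv1 is enabled on the remote host
10114,Critical,10.0.0.6,SMBv1 Enabled,SMBv1 is enabled on the remote host
57608,High,10.0.0.5,SMB Signing not required,Signing is not required on the remote SMB server
11219,Medium,10.0.0.7,Nessus SYN scanner,Port 8080/tcp was found to be open
19506,None,10.0.0.5,Nessus Scan Information,Credentialed checks : yes
12345,Low,10.0.0.7,Legacy TLS Version Supported,TLSv1.0 is enabled
"""

# Constructed analyst dispositions keyed by plugin ID. Anything not listed is
# still "open" and counts against the remediation clock.
SAMPLE_DISPOSITIONS = {
    "11219": "not applicable",  # documented service, reachable only behind the proxy
    "12345": "vendor",          # fix ships in the appliance vendor's next firmware
}


def parse_nessus_csv(text):
    """Collapse the per-host rows of a Nessus CSV export into one finding per
    (plugin, risk), keeping the list of affected hosts. Informational plugins
    (Risk "None") are not deficiencies and are dropped."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] == "None":
            continue
        key = (row["Plugin ID"], row["Risk"])
        entry = findings.setdefault(
            key,
            {"plugin": row["Plugin ID"], "risk": row["Risk"], "name": row["Name"], "hosts": []},
        )
        entry["hosts"].append(row["Host"])
    return list(findings.values())


def due_date(risk, scan_date):
    """ISO due date for a risk level, or None where the SOP sets no fixed timeframe."""
    days = TIMEFRAME_DAYS[risk]
    if days is None:
        return None
    return (date.fromisoformat(scan_date) + timedelta(days=days)).isoformat()


def build_tracker(text, scan_date, as_of, dispositions):
    """One tracker row per finding: disposition, due date and overdue flag.
    Only findings still marked "open" can be overdue; false positive,
    not-applicable, mitigated and vendor-dependent items are documented in
    the strategy rather than counted against the clock."""
    rows = []
    for finding in parse_nessus_csv(text):
        disposition = dispositions.get(finding["plugin"], "open")
        due = due_date(finding["risk"], scan_date)
        # ISO-8601 strings compare correctly as plain strings.
        overdue = disposition == "open" and due is not None and as_of > due
        rows.append({**finding, "disposition": disposition, "due": due, "overdue": overdue})
    return rows


def needs_evidence(rows):
    """Open Critical and High findings: the SOP requires documented mitigation
    evidence for these, not just a documented plan."""
    return [r for r in rows if r["risk"] in ("Critical", "High") and r["disposition"] == "open"]


if __name__ == "__main__":
    for r in build_tracker(SAMPLE_CSV, "2019-07-01", "2019-08-15", SAMPLE_DISPOSITIONS):
        print(f'{r["plugin"]:>6} {r["risk"]:<8} {r["disposition"]:<15} '
              f'due={r["due"]} overdue={r["overdue"]} hosts={",".join(r["hosts"])}')
```

The output rows are the skeleton of the Excel or Word remediation strategy the SOP expects in the Documents tab: one line per finding with disposition, due date and status. Collapsing by plugin rather than by host keeps the count aligned with how the finding will be worked, while the host list preserves the evidence of where it applies.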
367 | Database Scan | ||||
368 | Both HQ and EO systems must request a database scan if the project hosts a database to store and process information. A database scan must be conducted at least on an annual basis. In order to maintain the authorization decision for the system, any findings must be remediated within the approved timelines for the severity of the findings, and a POA&M must be created in RiskVision to track the remediation effort. Database scans can be requested by visiting this link. The database scanning team can also be reached at PII for more information. If a database scan is not applicable, upload a Word document to the Documents tab within RiskVision explaining why a database scan is not applicable. | ||||
369 | 4.3.2 Quality Code Review | ||||
370 | Quality code reviews of custom developed VA applications using the approved VA static code analysis tool should be conducted to identify code quality issues within VA applications. Applications written in languages that are not supported, such as MUMPS, shall be targeted for manual review or testing with other applicable tools; notify the VA Software Assurance (SwA) Program Office at PII if this is the case. If a Quality Code Review is not applicable, upload a Word document to the Documents tab within RiskVision explaining why a Quality Code Review is not applicable. | ||||
371 | For detailed instructions on the code review process, reference the VA Quality Code Review SOP and guidance materials, which are posted on the VA SwA Program Office Resource Site. An overview of the quality code review instructions is provided below. | ||||
372 | Verification & Validation (V&V) Quality Code Reviews | ||||
373 | V&V quality code reviews are conducted during the development or maintenance of a VA application by the VA Application Development team. Close cooperation between OIS and the Office of Information Technology (OIT), including supporting contractors, is critical to achieving quality code review objectives and increasing the level of confidence that software developed for use at the VA is robust and maintainable. The goals of performing quality code reviews include making sure that unpredictable behavior due to poor code quality is minimized and that V&Vs performed by VA software developers are done correctly and consistently, according to minimum standards prescribed by the VA. | ||||
374 | The following steps must be performed to meet the V&V quality code review requirement: | ||||
375 | 1. VA Application Developers open an NSD ticket [(855) NSD-HELP] to request VA static code analysis tools in order to perform scans according to the procedures in the VA Quality Code Review SOP and guidance materials. | ||||
376 | 2. VA Application Developers scan their own application source code. | ||||
377 | 3. VA Application Developers open an NSD ticket [(855) NSD-HELP] to request validation of a final V&V quality code review. | ||||
378 | 4. VA Application Developers deliver the scan results to the VA SwA Program Office at PII. | ||||
379 | a) The scan results are reviewed to ensure that minimum VA standards have been met. The VA SwA Program Office determines whether additional analysis is needed, and works with the VA Application Developers to ensure that they understand how to meet the required standards. | ||||
380 | 5. The System Owner or delegate uploads the full test results to the Documents tab in RiskVision. | ||||
381 | 6. For each deficiency identified from the V&V quality code review, the System Owner or delegate creates a response for mitigating the deficiency and/or provides evidence that the deficiency has been mitigated. Also include the scheduled completion date and status of each deficiency. Information should be provided in Excel or Word format; refer to the OCS preferred template located on the OIS Portal at A&A Home Documents. The System Owner or delegate uploads this document to the Documents tab in RiskVision. | ||||
382 | 7. The System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the V&V quality code review to serve as a reminder to resolve the deficiencies. | ||||
383 | Note: See also the SwA Blog for future related A&A requirement announcements. | ||||
384 | Continuous Monitoring Requirement – A V&V Quality Code Review is required annually once the application is in sustainment; OR upon discovery that the application has already been deployed to production and has not gone through the process (e.g., older applications in sustainment); OR upon every major release; OR when requested by OCS and/or NSOC. | ||||
385 | Secure Code Review | ||||
386 | Secure code reviews of custom developed VA applications using the approved VA static code analysis tool should be conducted to identify vulnerabilities, coding flaws, and design flaws within VA applications. Applications written in languages that are not supported, such as MUMPS, shall be targeted for manual review or testing with other applicable tools; notify the VA Software Assurance (SwA) Program Office at PII if this is the case. If a Secure Code Review is not applicable, upload a Word document to the Documents tab within RiskVision explaining why a Secure Code Review is not applicable. | ||||
387 | For detailed instructions on the code review process, reference the VA Secure Code Review SOP and guidance materials, which are posted on the https://URL/display/OISSWA/OIS+Software+Ass | ||||
388 | Note: Successful completion of the secure code review authorization requirements is required before a Penetration Test / Application Assessment can be scheduled for Major Applications. | ||||
389 | Verification & Validation (V&V) Secure Code Reviews | ||||
390 | V&V secure code reviews are conducted during the development or maintenance of a VA application by the VA Application Development team. Close cooperation between OIS and the Office of Information Technology (OIT), including supporting contractors, is critical to achieving secure code review objectives and increasing the level of confidence that software developed for use at the VA is free from vulnerabilities. The goals of performing secure code reviews include making sure that risk-based activities are performed in a secure manner and that V&Vs performed by VA software developers are done correctly and consistently, according to minimum standards prescribed by the VA. | ||||
391 | The following steps must be performed to meet the V&V secure code review requirement: | ||||
392 | VA Application Developers open an NSD ticket [(855) NSD-HELP] to request VA static code analysis tools in order to perform scans according to the procedures in the VA Secure Code Review SOP and guidance materials. | ||||
393 | VA Application Developers scan their own application source code. | ||||
394 | VA Application Developers open an NSD ticket [(855) NSD-HELP] to request validation of a final V&V secure code review. | ||||
395 | VA Application Developers deliver the scan results to the VA SwA Program Office at PII. | ||||
396 | The scan results are reviewed to ensure that minimum VA standards have been met. The VA SwA Program Office determines whether additional analysis is needed, and works with the VA Application Developers to ensure that they understand how to meet the required standards. | ||||
397 | The System Owner or delegate uploads the full test results to the Documents tab in RiskVision. | ||||
398 | For each deficiency identified from the V&V secure code review, the System Owner or delegate creates a response for mitigating the deficiency and/or provides evidence that the deficiency has been mitigated. Also include the scheduled completion date and status of each deficiency. Information should be provided in Excel or Word format; refer to the OCS preferred template located on the OIS Portal at A&A Home Documents. The System Owner or delegate uploads this document to the Documents tab in RiskVision. | ||||
399 | The System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the V&V secure code review to serve as a reminder to resolve the deficiencies. | ||||
400 | Note: See also the SwA blog at https://URL/pages/viewrecentblogposts.action?key=OISSWA for future related A&A requirement announcements. | ||||
401 | Continuous Monitoring Requirement – A V&V Secure Code Review is required annually once the application is in sustainment; OR upon discovery that the application has already been deployed to production and has not gone through the process (e.g., older applications in sustainment); OR upon every major release; OR when requested by OCS and/or NSOC. | ||||
402 | Penetration Test / Application Assessment | ||||
403 | A penetration test or full application assessment that includes automated and manual assessment tools and techniques must be performed on Internet Facing and/or High Impact Systems. All Critical and High deficiencies should be mitigated with documented mitigation evidence provided, and Moderate and Low deficiencies should be mitigated or have a documented mitigation plan. If a Penetration Test / Application Assessment is not applicable, upload a Word document to the Documents tab within RiskVision explaining why a Penetration Test / Application Assessment is not applicable. *The Penetration Test / Application Assessment requirement is not applicable to VistA systems. | ||||
404 | The following steps must be performed to meet the Penetration Test/Application Assessment requirement: | ||||
405 | The System Owner or delegate can request a penetration test/application assessment from NSOC by completing the NSOC Penetration Test Questionnaire / NSOC WASA Questionnaire found at NSOC Scan Documents. Allow 30 days for NSOC to schedule and conduct the penetration test/application assessment. | ||||
406 | NSOC must conduct an independent penetration test/application assessment for all VA owned applications and Managed Services. NSOC must have visibility into all VA applications where an authorization decision is required. External systems must also have a recent NSOC penetration test/application assessment performed either remotely or by utilizing NSOC staff on-site to perform scans, when necessary. | ||||
407 | NSOC will provide results to system POCs. | ||||
408 | The System Owner or delegate uploads the actual results to the Documents tab in RiskVision. | ||||
409 | For each deficiency identified from the penetration test/application assessment, the System Owner or delegate creates a response for mitigating the deficiency and/or provides evidence that the deficiency has been mitigated. Also include the scheduled completion date and status of each deficiency. Information should be provided in Excel or Word format; refer to the OCS preferred template located on the OIS Portal at A&A Home Documents. The System Owner or delegate uploads this document to the Documents tab in RiskVision. | ||||
410 | Within the uploaded mitigation strategy, each system should conduct an analysis of the results of the penetration test to determine and document those findings that are false positives, not applicable to the system, or otherwise mitigated. Additionally, findings that must be remediated through or from the vendor should also be documented as part of this analysis, either in the report of findings provided by VA-NSOC or as a separate document. | ||||
411 | The System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the Penetration Test/Application Assessment to serve as a reminder to resolve the deficiencies. | ||||
412 | Continuous Monitoring Requirement – An NSOC penetration test/application assessment is required on an annual basis to maintain an ATO, and/or when a major change to the system or an upgrade to the tools used occurs. In addition, OI&T conducts penetration testing quarterly on one-fourth of the total number of VA High Systems and/or internet facing systems. | ||||
413 | Security Configuration Compliance Data | ||||
414 | Security Configuration Compliance data must be obtained for all IP addresses that make up a system and must be checked against VA approved hardening guidance for all Operating Systems, Databases, Networks, and Security Devices, where guidance exists. If Security Configuration Compliance data is not applicable, upload a Word document to the Documents tab within RiskVision explaining why Security Configuration Compliance data is not applicable. | ||||
415 | The following steps must be performed to meet the Security Configuration Compliance requirement: | ||||
416 | The System Owner or delegate contacts the CPO at PII to ensure the IP addresses or system names that make up their system(s) are appropriately tagged or accounted for in RiskVision. The CPO office will assist the System Owner with items 'a' and/or 'b' below, depending on the system. | ||||
417 | For systems with IP address ranges internal to the VA that have the IBM Endpoint Manager (IEM) agent installed: | ||||
418 | The System Owner/Delegate should verify their IP addresses or system names by reviewing the boundaries displayed in the Enterprise Visibility and Vulnerability Management (EVVM) Dashboard. | ||||
419 | Regional GSS boundaries can be found at: https://URL/pages/viewrecentblogposts. | ||||
420 | Facility GSS and System boundaries can be found at: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_Repo | ||||
421 | |||||
422 | If any discrepancies are found, send an email to the CPO (PII) and CC the OIS EV Support Group (PII). | ||||
423 | After reviewing the information system boundaries for accuracy, the System Owner/Delegate should run the Security Configuration Compliance Data (SCCD) Checklist Trending and Compliance Trending reports and export them to PDF from the EVVM Dashboard (https://URL/sites/FODW_PVT/Progress%20Repo | ||||
424 | |||||
425 | Checklist Trending reports are located at: | ||||
426 | Regional GSS: https://URL/display/OISSWA/OIS+Software+Assurance | ||||
427 | Facility GSS: https://URL/ | ||||
428 | System: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRegion_Chart.rdl | ||||
429 | |||||
430 | Compliance Trending reports are located at: | ||||
431 | Regional GSS: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRegion_Chart.rdl | ||||
432 | Facility GSS: https://URL/ | ||||
433 | System: https://URL | ||||
434 | |||||
435 | When running the compliance reports, select the applicable information system (Note: both boundary data and compliance data are updated nightly). | ||||
436 | The System Owner/Delegate then uploads the Compliance Trending and Checklist Trending reports to the Documents tab in RiskVision. | ||||
437 | The System Owner/Delegate creates one finding and a response in the Findings tab within RiskVision for the compliance scan to serve as a reminder to resolve the deficiencies. | ||||
438 | The System Owner/Delegate continues to remediate deficiencies identified from the Compliance Trending and Checklist Trending reports. | ||||
439 | The System Owner/Delegate uploads new Compliance Trending and Checklist Trending reports to the Documents tab within RiskVision as evidence of the remediation progress. | ||||
440 | For systems with IP address ranges external to the VA that do not have the IBM Endpoint Manager (IEM) agent installed: the System Owner or delegate must submit a 'Supplemental Scan Request' form found at the NSOC Scan Documents site. Ensure that the 'Compliance' check box is checked. The CPO will submit this form to NSOC, and an NSOC POC will contact the System Owner/Administrator to schedule the compliance scan. NSOC will submit compliance results/reports to system POCs for compliance scans that are conducted. Please work with | ||||
441 | In most cases, NSOC has visibility into external Managed Services and has the ability to perform compliance scans in coordination with system personnel. External systems must have a recent NSOC compliance scan conducted either via remote connection or by utilizing NSOC staff on-site to perform scans, when necessary. In addition to this requirement, OIS may request that NSOC conduct a follow-up compliance scan, where necessary. NSOC has the ability to provide an assessment of compliance scan results and recommendations prior to an authorization determination. | ||||
442 | The System Owner or Delegate uploads the Compliance Trending and Checklist Trending reports to the Documents tab in RiskVision. The Compliance Trending and Checklist Trending reports can be found at https://URL/sites/FODW_PVT/Progress%20Reports/Progress_Repo | ||||
443 | The System Owner or Delegate creates one finding and a response in the Findings tab within RiskVision for the compliance scan to serve as a reminder to resolve the deficiencies. | ||||
444 | The System Owner or Delegate continues to remediate deficiencies identified from the Compliance Trending and Checklist Trending reports. | ||||
445 | The System Owner or Delegate uploads new Compliance Trending and Checklist Trending reports to the Documents tab within RiskVision as evidence of the remediation progress. | ||||
446 | Continuous Monitoring Requirement – An NSOC or NSOC-approved Security Configuration Compliance Scan must be performed on external systems on a quarterly basis, or compliance reports must be pulled in accordance with the guidance above on a quarterly basis; in either case a scan or report is also required when changes are made to the approved secure configuration/hardening guides, or when requested by OCS. | ||||
447 | Security Control Assessment (SCA) | ||||
448 | An SCA may be required by the OCS. If an SCA is required, all Critical and High POA&Ms should be mitigated with documented mitigation evidence provided. Moderate and Low POA&Ms should be mitigated or have a documented mitigation plan. | ||||
449 | The following steps must be performed to meet the SCA requirement: | ||||
450 | Once OCS determines that an SCA is required, the appropriate audit team will be notified by the OCS to schedule the assessment. | ||||
451 | The assigned audit team will conduct the SCA. | ||||
452 | OCS will create an SCA program in GRC for the appropriate entity that was audited. | ||||
453 | The audit team lead will upload the deliverables, including the SCA report, and import the POA&Ms within 4 weeks of completion of the audit. | ||||
454 | The System Owner or delegate creates responses to the POA&Ms/findings within 15 days of the POA&Ms being uploaded. | ||||
455 | Continuous Monitoring Requirement – An SCA will be performed based on the criticality of the system and/or if circumstances arise that require an onsite SCA, at the discretion of OCS. | ||||
456 | 4.3.7 Control Implementation Evidence | ||||
457 | All control implementation statements evaluated as part of the RiskVision Assessment Workflow need to contain evidence that demonstrates the control was tested, how it was tested, and the results. The evidence is required for all controls that are documented to be in place, and the results can be documented by going to the appropriate assessment and clicking on the General tab. From the General tab, select each control in the Control Test column to document how the control was tested, the results, and any associated findings. | ||||
458 | Closing | ||||
459 | Once all of the above requirements are either met or deemed not applicable by OIS, the completed package will be submitted to the Authorizing Official by OCS/CA with one of the following recommendations: | ||||
460 | ATO | ||||
461 | ATO with Conditions: An authorization decision allowing a system to operate for an established amount of time (e.g., 30, 60, 90, 120 days) if certain terms and conditions must still be met, or | ||||
462 | Full ATO: An authorization decision allowing a system to operate and enter the Continuous Monitoring process if all applicable security requirements have been met. | ||||
463 | Denial of ATO (DATO) | ||||
464 | An authorization decision giving the authority to halt an existing operational or new system because unacceptable security risks exist. | ||||
465 | Appendix A – FedRAMP/Cloud – VA Requirements | ||||
466 | FedRAMP Authorized Cloud Service Provider (CSP) Reciprocity (Agency ATO) Process | ||||
467 | Federal Risk and Authorization Management Program (FedRAMP) is designed to assist agencies in meeting FISMA requirements for cloud systems. CSPs must meet FedRAMP in order to do business with US government agencies as part of the “Cloud first policy”. FedRAMP is designed as a “do once, use many” framework to create efficiency in government procurement of cloud services. As part of the program, CSPs pursuing FedRAMP are required to be independently assessed by a Third Party Assessment Organization (3PAO). Per the “Acceptance of FEDRAMP Authorization Memo” issued on August 11, 2015 by the Deputy Assistant Secretary for Information Security, “existing Federal Risk and Authorization Management Program (FedRAMP) authorizations for certified FedRAMP Cloud Service Provider cloud systems should be evaluated, and reused when possible, to reduce the overall time required to grant an authorization and begin using a cloud service.” | ||||
468 | The Cloud/FedRAMP Reciprocity ATO process consists of the following steps: | ||||
469 | Note: A contract must be in place before requesting a RiskVision entry of the FedRAMP Cloud Service Provider. In the absence of a contract, RVWG will not entertain any such request. | ||||
470 | Designate an ISO and System Owner to the project. | ||||
471 | Coordinate with the RVWG to request a RiskVision entry of the FedRAMP Cloud Service Provider. Reference section 2 (Authorization Prerequisites) for action steps. | ||||
472 | System Owner and ISO will complete the CSP system questionnaire within RiskVision to define the system acronym, security categorization, operational status, system type, cloud computing service model [Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), etc.], and cloud service type (private, public, hybrid). | ||||
473 | ISO will request FedRAMP repository access for the CSP authorization documentation package by completing the FedRAMP Agency Access Request Form and emailing it to the Certification Program Office (CPO) at PII. | ||||
474 | ISO will map the CSP authorization documentation artifacts to the VA ATO documentation requirements in RiskVision, then review and assess the CSP’s 3PAO FedRAMP authorized SSP using the NIST/CAG-20 scoresheet provided by OCS. All documents will be uploaded to the Documents tab in RiskVision. | ||||
475 | The CSP authorization package in RiskVision will then be advanced to OCS and the Certification Authority (CA) for review. Additionally, VA determines if the CSP system appropriately addresses any and all necessary VA and Department of Homeland Security (DHS) Trusted Internet Connection (TIC) requirements (e.g., all external systems, including cloud solutions, hosted from facilities or data centers outside of the VA network and boundary must comply with DHS TIC requirements and VA’s external connection agreements) before progressing to the VA CISO and Designated Accrediting Authority (DAA) for agency ATO consideration. | ||||
476 | Cloud-Based VA Application / Workload / Third-Party System ATO Process | ||||
477 | The Cloud/FedRAMP cloud-based VA Application / Workload / Third-Party System ATO process consists of the following steps: | ||||
478 | Coordinate with the RVWG to request a RiskVision entry of the cloud-based VA Application / Workload / Third-Party System. Reference section 2 (Authorization Prerequisites) for action steps. | ||||
479 | System Owner and ISO will complete the CSP/VA Application / Workload / Third-Party System questionnaire within RiskVision to define the system acronym, security categorization, operational status, system type, etc. | ||||
480 | The Customer Responsibilities Security Plan provided by the CSP ISO will be completed by the System Owner. This set of security controls is documented in the FedRAMP authorized CSP Customer Responsibilities Matrix. The security plan controls have been mapped to VA 6500 requirements. | ||||
481 | ISO will review the completed Customer Responsibilities Security Plan for proper implementation details and upload it to the Documents tab in RiskVision. | ||||
482 | The cloud-based VA Application / Workload / Third-Party System in RiskVision will then be advanced to OCS and the Certification Authority (CA) for review before progressing to the VA CISO and Designated Accrediting Authority (DAA) for agency ATO consideration. | ||||
483 | Other Federal Agency (Non-FedRAMP) ATO Acceptance | ||||
484 | The cybersecurity requirements for VA information systems will be managed through the Risk Management Framework (RMF) consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. Reciprocal acceptance of other federal agency system authorizations will be implemented to the maximum extent possible. Refusals must be timely, documented, and reported to the responsible VA Authorizing Official. | ||||
485 | VA employees and contract staff working for the VA are prohibited from sending VA data outside the VA Network without an Authority to Operate signed by the VA Authorizing Official. | ||||
486 | Any project seeking to use another federal agency ATO must contact the PII to initiate the process. | ||||
487 | A review of the other agency ATO process will be initiated to ensure it meets VA requirements for NIST 800-53 implementation; that ATO package review is allowed; and that POAM management and tracking is in place. In the event the other agency will not share the entire A&A package, negotiations will ensue between VA and the other agency to obtain an agreed upon subset of the required documentation. | ||||
488 | Once an agreement/understanding is in place to review the other agency package, an entry in RiskVision will be created using the VA 6500.3 Contractor/FedRAMP program. | ||||
489 | The other Federal Agency ATO memo, along with additional documentation, will be uploaded to the Documents tab in RiskVision. Additional documentation may include a list of open POAMs, required artifacts, and Interconnection Security Agreements (ISA)/Memorandum of Understanding (MOU). | ||||
490 | Questionnaires will be answered and any customer responsible controls, if necessary, will be completed and uploaded to the Documents tab. | ||||
491 | The workflow will be progressed to the VA Authorizing Official for review and approval. | ||||
492 | |||||
493 | If the VA AO refuses reciprocity of the other agency ATO, a memo will be developed and sent to the VA project staff for notification. | ||||
494 | Appendix B – Authorization Requirements Quick Reference Guide | ||||
495 | Authorization Requirements (columns: Requirement, Roles / Responsibilities, References). Technical/Testing Requirements. Nessus Scan | ||||
496 | A credentialed vulnerability scan against all instances of the operating system and desktop configurations must be conducted to identify security flaws. | ||||
497 | Actual scan results must be provided for analysis. | ||||
498 | All Critical and High deficiencies should be mitigated with documented mitigation evidence provided, and Moderate and Low deficiencies should be mitigated or have a documented mitigation plan. | ||||
499 | Within the uploaded mitigation strategy, each system should conduct an analysis on the results of the vulnerability scans to determine and document those findings that are false positives, not applicable to the system, or otherwise mitigated. Additionally, findings that must be remediated through or from the vendor should also be documented as part of this analysis. | ||||
500 | Refer to the Threat & Vulnerability Manager (TVM) guidance material located on the OIS portal at Training and Brown Bag Materials for detailed information on how to access TVM within RiskVision. If the system’s Nessus Scan data is currently displayed in TVM within RiskVision: | ||||
501 | Browse to Nessus Enterprise Web Tool (NEWT) and use the Remediation Effort Entry Form (REEF) to document your manual remediation effort. For each deficiency identified from the scan, the System Owner or delegate creates a response within REEF for mitigating the deficiencies and/or provides evidence that the deficiencies have been mitigated. Also, include the scheduled completion date and status of each deficiency within REEF. | ||||
502 | Once all manual remediation has been documented within REEF, run this report within NEWT: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRegion_Chart.rdl | ||||
503 | Export the report by going to the upper left side of the screen and selecting the Actions Menu. Choose Export and select Excel. Save the file. | ||||
504 | System Owner or delegate then uploads the report from step 3 above to the Documents tab within RiskVision. Mitigation information can also be provided in the Vulnerabilities tab within RiskVision. | ||||
505 | Within the uploaded mitigation strategy, each system should conduct an analysis on the results of the vulnerability scans to determine and document those findings that are false positives, not applicable to the system, or otherwise mitigated. Additionally, findings that must be remediated through or from the vendor should also be documented as part of this analysis. | ||||
506 | If the system’s Nessus Scan data is not currently displayed in TVM within RiskVision: | ||||
507 | If Nessus Scan data is not currently provided in TVM for the system and instead raw Nessus Scan results exist from NSOC, the System Owner or delegate shall upload the actual Nessus Scan results to the Documents tab in RiskVision, along with a mitigation strategy for each finding. Also, within NEWT, if the ISO/System Owner does not have an option to pull a report for their FISMA reportable system, then contact the VA GRC Service Desk to provide the IP address range of the system authorization boundary so it can be added to NEWT to pull the report. | ||||
508 | System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the Nessus scan to serve as a reminder to resolve the deficiencies. Contact the Office of Cyber Security (OCS) at PII with any questions. | ||||
509 | TVM guidance material located on the OIS portal at Training and Brown Bag Materials. Quality Code Review | ||||
510 | Quality code reviews of custom developed VA applications using the approved VA static code analysis tool should be conducted to identify code quality issues within VA applications. | ||||
511 | Applications written in languages that are not supported, such as MUMPS, shall be targeted for manual review or testing with other applicable tools; notify the VA Software Assurance (SwA) Program Office if this is the case at PII. | ||||
512 | V&V Quality Code Reviews | ||||
513 | VA Application Developers open an NSD ticket [(855) NSD-HELP] to request VA static code analysis tools in order to perform scans according to the procedures in the VA Quality Code Review SOP and guidance materials. | ||||
514 | VA Application Developers scan their own application source code. | ||||
515 | VA Application Developers open an NSD ticket [(855) NSD-HELP] to request validation of a final V&V quality code review. | ||||
516 | VA Application Developers deliver the scan results to the VA SwA Program Office at PII. | ||||
517 | The scan results are reviewed to ensure that minimum VA standards have been met. The VA SwA Program Office determines whether additional analysis is needed, and works with the VA Application Developers to ensure that they understand how to meet the standards required. | ||||
518 | System Owner or delegate uploads full test results to the Documents tab in RiskVision. | ||||
519 | System Owner or delegate creates a response for mitigating the deficiencies and/or provides evidence that the deficiencies have been mitigated for each deficiency identified from the V&V quality code review. Also, include the scheduled completion date and status of each deficiency. Information should be provided in Excel or Word format; refer to the OCS preferred template located on the OIS Portal at A&A Home Documents. System Owner or delegate uploads the aforementioned document to the Documents tab in RiskVision. | ||||
520 | System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the V&V quality code review to serve as a reminder to resolve the deficiencies. For detailed instructions on the code review process, reference the VA Quality Code Review SOP and guidance materials, which are posted on the VA SwA Program Office Resource Site. Secure Code Review | ||||
521 | V&V secure code reviews of custom developed VA applications must be conducted according to the VA Secure Code Review SOP located at | ||||
522 | VA SwA Program Office Resource | ||||
523 | V&V secure code reviews are conducted by the VA Application Developers. | ||||
524 | Applications written in languages that are not supported, such as MUMPS, shall be targeted for manual review or testing with other applicable tools (notify OCS if this is the case at PII). | ||||
525 | V&V Secure Code Reviews | ||||
526 | VA Application Developers open an NSD ticket [(855) NSD-HELP] to request VA static code analysis tools; they scan their own application source code; open an NSD ticket to request validation of a final V&V secure code review; and deliver the scan results to the VA SwA Program Office at PII. | ||||
527 | System Owner or delegate is responsible for coordinating the mitigation of deficiencies, documenting the mitigation plans, and uploading them along with the secure code review results to RiskVision under Entity Details: Documents tab. | ||||
528 | System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the secure code review to serve as a reminder to resolve the deficiencies. Contact the NSD Help Desk [(855) NSD-HELP] to request tools (Fortify), reviews, or technical support. | ||||
529 | Penetration Test/Application Assessment | ||||
530 | A full penetration test/application assessment that includes automated and manual assessment tools and techniques must be performed on Internet Facing and/or High Impact Systems. | ||||
531 | Actual test results must be provided for analysis. | ||||
532 | All Critical and High deficiencies should be mitigated with documented mitigation evidence provided, and Moderate and Low deficiencies should be mitigated or have a documented mitigation plan. | ||||
533 | System Owner or delegate contacts CPO at PII to request a penetration test/application assessment from NSOC. | ||||
534 | NSOC conducts the penetration test/application assessment and provides results to system POCs. Please allow 30 days for NSOC to schedule/conduct the penetration test/application assessment. | ||||
535 | System Owner or delegate is responsible for coordinating the mitigation of deficiencies, documenting the mitigation plans, and uploading them along with the test results to RiskVision under Entity Details: Documents tab. | ||||
536 | System Owner or delegate creates one finding and a response in the Findings tab within RiskVision for the penetration test/application assessment to serve as a reminder to resolve the deficiencies. Contact OCS at PII with any questions. Security Control Assessment (SCA) (if applicable) | ||||
537 | An SCA will be required only upon request from OCS. | ||||
538 | If an SCA is required, all Critical and High POA&Ms should be mitigated with documented mitigation evidence provided, and Moderate and Low POA&Ms should be mitigated or have a documented mitigation plan. Once notified by OCS that an SCA is required, the appropriate audit team will be notified by OCS to schedule the assessment. | ||||
539 | The assigned audit team will conduct the SCA. | ||||
540 | OCS will create an SCA program for the appropriate entity in GRC that was audited. | ||||
541 | The audit team lead will upload the deliverables, to include the SCA report, and import the POAMs within 4 weeks of completion of the audit. | ||||
542 | System Owner or delegate creates responses to the POAMs/findings within 15 days of the POAMs being uploaded. Contact OCS at PII. Security Configuration Compliance Data | ||||
543 | Compliance data must be obtained for all IP addresses that make up a system and must be checked against VA approved hardening guidance for all Operating Systems, Databases, Networks, and Security Devices, where guidance exists. | ||||
544 | For systems with IP address ranges internal to the VA that have the IBM Endpoint Manager (IEM) agent installed: | ||||
545 | System Owner or Delegate contacts CPO at PII to ensure the IP addresses or system names that make up their system(s) are appropriately tagged or accounted for in RiskVision. | ||||
546 | System Owner or Delegate should run the Security Configuration Compliance Data (SCCD) Checklist Trending and Compliance Trending reports and export them to PDF from the EVVM Dashboard. | ||||
547 | |||||
548 | Checklist Trending reports are located at: | ||||
549 | Regional GSS: https://URL/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRegion_Chart.rdl | ||||
550 | Facility GSS: https://URL | ||||
551 | System: https://URL/display/OISSWA/OIS+Software+Assurance | ||||
552 | |||||
553 | Compliance Trending reports are located at: | ||||
554 | Regional GSS: https:// | ||||
555 | Facility GSS: https://URL; System: https://URL | ||||
556 | |||||
557 | System Owner or Delegate uploads the Compliance Trending and Checklist Trending reports to the Documents tab in RiskVision. | ||||
558 | System Owner or Delegate creates one finding and a response in the Findings tab within RiskVision for the compliance scan to serve as a reminder to resolve the deficiencies. | ||||
559 | System Owner or Delegate continues to remediate deficiencies identified from the Compliance Trending and Checklist Trending reports. | ||||
560 | System Owner or Delegate uploads new Compliance Trending and Checklist Trending reports to the Documents tab within RiskVision as evidence to show the remediation progress. | ||||
561 | |||||
562 | For systems with IP address ranges external to the VA that do not have the IBM Endpoint Manager (IEM) agent installed: | ||||
563 | System Owner or delegate must submit a ‘Supplemental Scan Request’ form found at A&A Home Documents to CPO at PII. Ensure that the ‘Compliance’ check box is checked. | ||||
564 | CPO will submit this form to the NSOC and an NSOC POC will contact the System Owner/Administrator to schedule the compliance scan. | ||||
565 | NSOC will submit compliance results/reports to system POCs for compliance scans that are conducted. Contact OCS at PII and NSOC, or the Enterprise Visibility Team at PII, with any questions. | ||||
566 | Internal Compliance reports location: https://URL/display/OISSWA/OIS+Software+Assurance > Enterprise > All Systems > Authorization & Accreditation | ||||
567 | OCS preferred template location on the OIS Portal at A&A Home Documents. Columns: Requirement, Roles / Responsibilities, References. Security Documentation Requirements. System Security Plan (SSP) | ||||
568 | The SSP is developed within RiskVision. | ||||
569 | All required diagrams and confirmation of the security authorization boundary, to include all devices and supporting software architecture, should be included. | ||||
570 | All controls must be addressed. A finding will need to be created in RiskVision for every control that is not in place. System Steward completes the assessments in RiskVision and develops findings and responses in the Findings tab for controls not in place. | ||||
571 | ISO validates information added by the System Steward in RiskVision. | ||||
572 | The ISO, System Owner or delegate/System Steward exports the SSP from RiskVision and uploads the document to the Documents tab in RiskVision. | ||||
573 | NIST SP 800-18 and VA Handbook 6500.3 | ||||
574 | Additional guidance for completion of the SSP can be provided by OCS. | ||||
575 | Minor Application Self-Assessment | ||||
576 | Minor Application Self-Assessment must be completed for all minor applications. The ISO, Project team, and the SS, working in conjunction, should prepare the Minor Application Security Control Summary, provide implementation detail for all applicable security controls, and upload the Self-Assessment to the GSS/MA Documents repository in RiskVision. Minor Application Self Assessment SOP | ||||
577 | (Appendix D). Signatory Authority | ||||
578 | The Signatory Authority must be signed and dated by the appropriate parties. | ||||
579 | System Owner or delegate completes the Signatory Authority using the template provided at A&A Home Documents and uploads the Signatory Authority to RiskVision under Entity Details: Documents tab. NIST SP 800-18 | ||||
580 | Additional guidance for completion of the Signatory Authority can be provided by OCS. Risk Assessment (RA) | ||||
581 | The RA is developed within RiskVision. System Steward completes the assessments in RiskVision. | ||||
582 | ISO validates information added by the System Steward in RiskVision. | ||||
583 | The ISO, System Owner or delegate/System Steward exports the RA from RiskVision and uploads the document to the Documents tab in RiskVision. | ||||
584 | NIST SP 800-30 | ||||
585 | Additional guidance for completion of the RA can be provided by the Office of Risk Management and Incident Reporting (RMIR)/OCS. Configuration Management Plan (CMP) | ||||
586 | The CMP should include processes for managing configuration and change management. | ||||
587 | The CMP should include infrastructure devices and baseline configurations (e.g., switches, routers, firewalls). | ||||
588 | The CMP should include a configuration file for each operating system, database, application, and network device to validate compliance with the baseline configuration. System Owner or delegate completes the CMP using the template provided at A&A Home Documents and uploads the CMP as evidence to RiskVision under Entity Details: Documents tab. | ||||
589 | NIST SP 800-70 and VA Handbook 6500 | ||||
590 | Additional guidance for completion of the CMP can be provided by OCS. Incident Response Plan (IRP) | ||||
591 | The IRP must be created using the RA and SSP. | ||||
592 | The IRP must meet the following standards: | ||||
593 | Information Access and Privacy Program | ||||
594 | NIST Special Publication 800-61 - Computer Security Incident Handling Guide | ||||
595 | VA Handbook 6500.3, Certification and Authorization of Federal Information Systems | ||||
596 | Each site is responsible for developing local level procedures incorporating VA-NSOC areas of responsibility. System Owner works with the assigned ISO to create the IRP. | ||||
597 | System Owner or designee uploads the signed IRP into RiskVision once completed and tested. NIST SP 800-61 | ||||
598 | Useful tools and websites: | ||||
599 | Agiliance RiskVision Enterprise Operations GRC Instance | ||||
600 | Agiliance RiskVision National Release GRC Instance | ||||
601 | Office of Cyber Security (OCS) Portal. Information Security Contingency Plan (ISCP) | ||||
602 | The ISCP must be created using the following inputs: | ||||
603 | Preliminary Information System Contingency Plan | ||||
604 | Primary Site System Security Plan | ||||
605 | Backup Site System Security Plan | ||||
606 | The ISCP must meet the following standards: | ||||
607 | NIST Special Publication 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems | ||||
608 | Office of Information Security, Authorization Requirements Guide Standard Operating Procedures | ||||
609 | VA Handbook 6500.8, Information System Contingency Planning. System Owner or delegate develops or revises the Information System Contingency Plan. | ||||
610 | System Owner or designee uploads the Information System Contingency Plan into RiskVision. Additional guidance for completion of the ISCP can be provided by the OBC. | ||||
611 | Useful tools and websites: | ||||
612 | Agiliance RiskVision Enterprise Operations GRC Instance | ||||
613 | Agiliance RiskVision National Release GRC Instance | ||||
614 | Business Continuity Portal | ||||
615 | Office of Cyber Security (OCS) Portal | ||||
616 | Technical Services Project Repository (TSPR). Disaster Recovery Plan (DRP) | ||||
617 | The DRP must be created using the following inputs: | ||||
618 | Primary Site System Security Plan | ||||
619 | Backup Site System Security Plan | ||||
620 | The DRP must meet the following standards: | ||||
621 | Office of Information Security, Authorization Requirements Guide Standard Operating Procedures. System Owner or designee develops the DRP as the entry point for the creation of both the facility and data center plans. | ||||
622 | System Owner or designee uploads the DRP into RiskVision once completed and tested. Additional guidance for completion of the ISCP can be provided by the OBC. | ||||
623 | Useful tools and websites: | ||||
624 | Agiliance RiskVision Enterprise Operations GRC Instance | ||||
625 | Agiliance RiskVision National Release GRC Instance | ||||
626 | Business Continuity Portal | ||||
627 | Office of Cyber Security (OCS) Portal. Privacy Impact Assessment (PIA) | ||||
628 | A complete PIA must have: | ||||
629 | A previously completed Privacy Threshold Analysis (PTA). | ||||
630 | Been completed in the most up-to-date and Privacy Services approved template for both the PTA and PIA. The PTA and PIA templates can be found at A&A Home Documents. | ||||
631 | Been completed in coordination with the VA Privacy Services Office. | ||||
632 | Been signed by the System Owner, Privacy Officer, and ISO. | ||||
633 | Been re-submitted whenever there are major changes to the system or within 3 years. System Owner, Privacy Officer, and ISO work together to submit a PTA, which is reviewed by the Privacy Services Office. After review and determination by analysts, the PTA must be signed by the System Owner, Privacy Officer, ISO, and any other relevant stakeholders and re-submitted to the Privacy Services Office via PII. If a PIA is required as an outcome of the PTA analysis by the Privacy Services Office, a PIA must be completed and submitted to the Privacy Services Office, and then comments by the analysts, if any, must be incorporated. | ||||
634 | Privacy Services verifies the PIA and provides results. | ||||
635 | System Owner or delegate re-submits the PIA as a PDF file with the signatures of the System Owner, Privacy Officer, ISO, and any other relevant stakeholders to PII. | ||||
636 | System Owner or delegate uploads the PIA to RiskVision under Entity Details: Documents tab. Authority is found in the E-Government Act of 2002, OMB Circular 03-22, VA Directive 6502, VA Directive 6508, and VA Handbook 6508.1. | ||||
637 | Additional guidance for completion of the PIA/PTA can be provided by the Privacy Services Office. Any questions may be sent to PII. Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU) | ||||
638 | An ISA/MOU must be provided for all external interconnections. System Owner, in coordination with the entities identified in NIST SP 800-47, will complete the ISA/MOU using the latest template provided at the OIS Portal or A&A Home Documents. | ||||
639 | ISO will upload all final draft MOU/ISA documents to the MOU/ISA Review Submissions SharePoint site for a review prior to requesting signatures. | ||||
640 | VA review team will assess the documents against a checklist for quality and content. | ||||
641 | Reviewer and the ISO will work collaboratively to correct deficiencies found in the documentation. | ||||
642 | Reviewer will notify the ISO via email informing them that the document is ready for signatures. | ||||
643 | ISO will process the document for signature. | ||||
644 | ISO will upload the document to the Enterprise Document SharePoint upon receipt of the completed and signed MOU/ISA document. | ||||
645 | The finalized document should also be added to the existing A&A artifacts in RiskVision. NIST SP 800-47, VA Handbook 6500, and FSS Bulletin #269 | ||||
646 | Additional guidance can be provided by the Health Information Security Division at PII or the OIT ERM CRISP Team at PII. Appendix C – Job Aid: Security Information | ||||
647 | Job Aid | ||||
648 | Security I nformation Purpose | ||||
649 | This Job A id will as sist Infor mation Sec urity Offi cers (ISOs ), Facilit y Chief In formation Officers ( FCIOs), Sy stem Owner s and stak eholders w ith securi ty respons ibilities when perfo rming secu rity-relat ed job fun ctions. T he Job Aid provides security i nformation on the fo llowing it ems: | ||||
650 | Authorizat ion Decisi on Process | ||||
651 | VA Authori zation Bou ndaries | ||||
652 | Finding/Mi lestone Pr ocess | ||||
653 | Vulnerabil ity Integr ation into Authoriza tion Decis ion Proces s | ||||
654 | NIST SP 80 0-53 Rev 3 to Rev 4 Transition | ||||
655 | This Job A id is subj ect to cha nge as new critical security e lements em erge and/o r VA polic ies and pr ocesses ch ange. | ||||
Authorization Decision Process
Independent third-party Assessment & Authorization (A&A) reviews are conducted to determine the technical security posture of VA’s Information Technology (IT) systems. A&A reviews evaluate all applicable system security controls in accordance with the Authorization Requirements Guide / Standard Operating Procedure (SOP). A&A reviews include a combination of:
On-site assessments conducted by Enterprise Risk Management (ERM) on a sub-set of VA systems and Managed Services.
Technical security tests (penetration tests, vulnerability scans, discovery scans, and security configuration compliance scans) conducted by the VA-NSOC.
Verification and Validation (V&V) Secure Code Reviews conducted by VA Application Developers.
Office of Cyber Security (OCS) third-party assessments of all system security documentation, on-site assessment results, technical testing results, secure code review results, and configuration files provided by the system personnel.
All VA systems were assessed in August 2013 during the deployment of RiskVision. If a package lacked information but the security posture was acceptable, the Authorizing Official could issue an ATO with Conditions, thereby allowing the system to store, process, or transmit VA data, while the remaining security information is provided by the System Owner. Under no circumstances has any VA system been allowed to operate without a review of the security authorization package required by NIST. It is important to note that NIST affords Federal Departments and Agencies latitude throughout the authorization process to make balanced decisions that are based on security risk and the business needs of the Department. It is incorrect to state that VA systems were not assessed consistent with NIST standards and were allowed to operate devoid of a security posture determination.
VA authorization requirements can be conducted and met using remote capabilities. Therefore, on-site SCAs conducted by ERM are only conducted on a sub-set of VA systems annually. This is also in part due to the lack of resources, funding, and time required to travel to VA and Managed Service sites. The schedule for system SCAs is determined by ERM in coordination with OCS based on available resources, budget, and system SCA needs.
All VA systems are required, and were required upon the issuance of new authorization boundaries, to address the VA Authorization requirements in accordance with the Authorization Requirements SOP / Guide and VA Handbook 6500.
Reference 1: Authorization Requirements Standard Operating Procedure (SOP) / Guide – A&A Home Documents
Reference 2: ERM SCA Results are uploaded to RiskVision under the respective system as well as at the following location – SCA Assessment Results
Reference 3: DAS Expectation Memo: Authorization Requirements Expectations (March 19, 2014)
VA Authorization Boundaries
The authorization boundaries were changed in the summer of 2013 to meet OIS strategic goals, improve accountability, better define common controls, and align with actual operational and managerial practices. The system boundaries for the three major systems cover the entire Region; there are no facility-level boundaries, although there are facility-level controls, and RiskVision maps each known IP address to the system that contains it. System security documentation was updated / re-created to reflect the new authorization boundaries in August 2013 and assessed as a part of the OCS third-party assessments. If the security documentation lacked information but the security posture of the system was acceptable (according to technical testing results, other security artifacts, etc.), the Authorizing Official could issue an ATO with Conditions, thereby allowing the system to store, process, or transmit VA data, while the remaining security information was provided by the System Owner. Any SSPs that are incomplete and do not appropriately reflect the authorization boundaries are required to be updated as a condition of the authorization process. In all cases, any gaps in the documentation are thoroughly assessed to determine their impact on the authorization decision.
The system boundaries have been reviewed and approved by the Certification Authority and the Authorizing Official (AO). The three primary systems / authorization boundaries are as follows:
VistA - Composed of the VistA Mumps environment and its applications, and user data stored in ‘dat’ files. This system boundary will not contain IP addresses or operating systems, only the Major Application.
GSS - Composed of desktops, laptops, file/print servers, COTS and other applications including operating systems. IP addresses are used to define this boundary.
Infrastructure - Composed of local area networking equipment that connects the other two, including routers, switches, firewalls, load balancers, and wireless access points. IP addresses are used to define this boundary.
The authorization boundaries are based on NIST 800-18 and summarized in the System Security Plan (SSP), while RiskVision contains a more thorough definition of the boundaries, down to the IP address level. All established IP addresses in VA are assigned to a system boundary and RiskVision contains a list of these IP assignments. Maintaining a current list of IP addresses in the SSP is impractical due to the frequency of IP address changes. Therefore, the SSP boundary description is a high-level depiction while RiskVision’s boundary description includes components down to the device level.
Note: Facility-level staff are no longer System Owners. Any questions concerning system boundaries should be referred to the Regional System Owner if facility staff are unable to provide a detailed answer.
Finding/Milestone Process
RiskVision allows for granular identification and remediation of Findings (aka POA&Ms), accountability, and tracking mechanisms by management. Open Findings are assigned at the entity level to which the control is presented. This means that findings can be presented at a Region entity, GSS Information System, Infrastructure Information System, VistA Information System or facility level. ISOs are required to conduct reviews of the security control implementation statements and create a Finding in RiskVision, with an associated milestone, for controls that are not properly implemented in accordance with VA and Federal guidance. January CRISP Focus training and multiple ISO and SDE GRC training opportunities and guidance were provided to assist with the creation of Findings and milestones.
Per the Authorization Requirements SOP and Authorization Requirements training, a Finding should be created by system personnel within RiskVision to track the vulnerabilities identified from scans. The field is required to develop a remediation plan for the vulnerabilities.
POA&M Transition from SMART to RiskVision
POA&Ms in SMART dated back as early as 2005. With the implementation of RiskVision, VA is able to capture more relevant information on compliance and security data within IBM Endpoint Manager (IEM) and Nessus. Also, the new authorization boundaries cause the pre-existing SMART POA&Ms to be irrelevant and outdated, with the exception of the 2012 and 2013 OIG findings, which were migrated over to RiskVision. Also, controls that may have been the target during a 2012 facility audit may now only be present at an information system level. With the transformation of the A&A process and its focus on technical security requirements, as opposed to paper-based processes (which many of the pre-existing POA&Ms were based on), VA is now able to better articulate the security posture of its information systems.
Reference 1: CRISP FOCUS SharePoint
Reference 2: Executive Decision Memorandum – FISMA Challenge Recommendations
Vulnerability Integration into Authorization Decision Process
In accordance with the Authorization Requirements Standard Operating Procedure (SOP) / Guide, OCS assesses vulnerabilities identified through the following tests / scans provided in RiskVision by system personnel prior to T/ATO issuance:
NSOC Penetration Tests
NSOC Vulnerability Scans / Discovery Scans
Security Configuration Compliance Scans
Secure Code Reviews
All VA systems were assessed in August 2013 during the deployment of RiskVision. If a package lacked vulnerability information but the security posture was acceptable (according to existing technical testing results, security documentation, etc.), the Authorizing Official can issue an ATO with Conditions, thereby allowing the system to store, process, or transmit VA data, while the remaining security information is provided by the System Owner. As new vulnerability scans / technical tests are conducted on systems, they are re-assessed for a new authorization decision based on the current security state.
The field is required to develop a remediation plan for the vulnerabilities along with an expected completion date, and upload the information to RiskVision. This involves the system personnel analyzing the deficiencies to determine which are applicable to their authorization boundary, identifying false positives, providing a remediation strategy (using various methods), and also providing an expected completion date for remediation. In addition, system personnel have the responsibility of providing updated information and remediation strategies in RiskVision. OCS may follow up for additional information when necessary. The controls associated with technical scanning are not presented at the facility level but rather at the Information System level.
The results of OCS assessments are provided in the T/ATO recommendation that is submitted to the Authorizing Official (AO), the VA Chief Information Officer, for the final authorization decision. OCS provides an explanation of the existing vulnerabilities, the potential risk the vulnerabilities bring to the VA network, as well as conditions that the system needs to address relative to the closure of the vulnerabilities.
Importing Scan Data into RiskVision
RiskVision imports Nessus scan data from NSOC via the Threat & Vulnerability Manager (TVM). Nessus scan data was imported and made available to the field on April 1, 2014. TVM training was provided to the field on March 26 and 27, 2014.
Reference 1: Authorization Requirements Standard Operating Procedure (SOP) / Guide – A&A Home Documents
Reference 2: TVM Training
NIST SP 800-53 Rev 3 to Rev 4 Transition
OIS Risk Based Decision (RBD) 53, Implementation of NIST 800-53 Revision 4, is in place, acknowledging that VA has not issued updated policy guidance that adds the new Revision 4 requirements. However, OMB guidance (M-04-14) provides Departments with the flexibility and latitude in applying and implementing NIST's guidelines. VA will apply the NIST Rev 4 guidance to all new system implementations and also when systems undergo upgrades. This has been standard practice throughout the government for several years and is accepted by OIGs at other Departments. It is not practical or cost effective to immediately update all systems within one year each time NIST updates its systems security guidelines. The new Revision 4 adds 200 new additional system security controls or enhancements for federal systems. For VA legacy systems in operation and not due for upgrades, VA will consider using RBDs regarding whether it is cost effective to implement out-of-cycle upgrades to address new NIST systems security guidance.
The updated VA Handbook 6500 reflecting NIST Revision 4 has been drafted and is currently going through the concurrence process, and is expected for release prior to the end of the 2014 fiscal year. OIS is taking action to expedite the policy coordination and issuance process to make it timelier for future policy updates. An RBD or POA&M/Finding will be developed for legacy systems that are not due for upgrades, to assess whether the systems development life cycle process will support the implementation of new, additional controls.
RiskVision will be capable of performing assessments based on Revision 4 content by June 30, 2014, with new assessments being conducted consistent with Revision 4 by the end of the 1st Quarter of FY15.
Reference 1: OIS Risk Based Decision (RBD) 53, Implementation of NIST 800-53 Revision 4 – OCS RBD Portal
Appendix D – Minor Applications Self-Assessment SOP
Purpose
The purpose of this Standard Operating Procedure (SOP) is to provide guidelines for the Security Authorization process of Minor Application(s) that are listed under a General Support System (GSS) or Major Application (MA). The SOP establishes procedures for incorporating the Minor Application Security Controls Summary document into the local site’s Compliance Report for the parent GSS or Major Application to ensure the security and integrity of the VA’s information systems are maintained. In general, a Minor Application is an application that is not a standalone application, or is a component of a MA or GSS, and receives much of its security from the parent application or system.
The process determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Each listed control is designed to determine the sufficiency and effectiveness of a controlled feature or safeguard. Not all controls are applicable to all Minor Applications.
Scope
The scope of the Minor Application Security Controls Summary process covers only the minor application under evaluation, including connectivity within the system. Evaluation will be conducted in the areas of:
Access Control
Audit and Accountability
Security Authorization and Security Assessments
Configuration Management
Contingency Planning
Identification and Authentication
Maintenance
Media Protection
Physical and Environmental Protection
Planning, Personnel Security
Risk Assessment
System and Services Acquisition
System and Communications Protection, and
System and Information Integrity
Note: Incident Response and Awareness and Training are covered by the GSS or Major Application in their entirety.
Procedure
In accordance with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, security categorization for both information and information systems is calculated based on the three basic security objectives: confidentiality, integrity, and availability. National Institute of Standards and Technology (NIST) Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance in completing this activity.
* Minor Applications cannot have a Security Category higher than that of the host system.
If the application falls under a GSS or Major Application and is considered a Minor Application, then the Minor Application Security Control Summary can be used in place of an SSP. The List of Security Controls of this SOP shall also be used to document the security controls as they are implemented for a specific application. The Minor Application Self-Assessment Workbook can be found at A&A Home Documents.
The ISO, Project Team and the SS, working in conjunction, should prepare the Minor Application Security Control Summary and the List of Security Controls.
Only those controls that are provided by the Minor Application need a complete implementation explanation; they shall be annotated and documented just as they would be if an SSP were required.
Controls that are provided by the host system, whether it is a MA or GSS, should be annotated as such.
There is no need to annotate common controls (those controls are managed at the enterprise level); they have been eliminated from the list of security controls in order to avoid duplication of effort.
If the control cannot be implemented, and it is neither a common control nor a control that is being provided by the host system, it must be noted.
The Minor Application Security Control Summary shall be inserted as an appendix to the hosting GSS/MA SSP. The application should be identified in the SSP table of contents as a Minor Application under the GSS or MA.
Monitoring
The ISO will store all records developed throughout this process in the Documents repository within RiskVision of the MA or GSS which supports this Minor Application. Additionally, the ISO conducts audits and/or actions as directed by Continuous Readiness Information Security Program (CRISP) action items and any additional mandated VA policy or guidance.
Definitions
Authorization: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Authorizing Official: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
Business Requirements Document (BRD): The Business Requirements Document (BRD) is authored by the business community for the purpose of capturing and describing the business needs of the customer/business owner. The BRD provides insight into the AS IS and TO BE business area, identifying stakeholders and profiling primary and secondary user communities. This document identifies what capabilities the stakeholders and the target users need and why these needs exist, providing a focused overview of the request requirements, constraints, and Information Technology (IT) options to be considered. This document does not state the development methodology.
Common Security Control: Security control that can be applied to one or more agency information systems and has the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and authorization processes of an agency information system where that control has been applied.
Compensating Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST SP 800-53, Latest Version, that provide equivalent or comparable protection for information systems and the information processed, stored, or transmitted by those systems.
EIB Milestone 0: Enterprise Information Board (EIB) Milestone 0 is intended to have the Contracting Officer, Contracting Officer Representative, or Project Manager address the basic areas necessary to warrant project initiation approval. It does not presume any significant prior investment in analysis (either business or technical), concept or requirements definition or design; rather, it seeks answers to these most basic questions even before committing to that level of investment. The Project Manager should have a clear understanding of the problem that needs to be solved and how solving that problem supports a strategic objective of the Department. Based on a successful Milestone 0 review, the Project Manager will be authorized to expend the resources necessary to establish the project’s business case and prepare for the project’s Milestone I review.
General Support System: An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
High Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
Information Owner: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Information Security: A means for protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
Information Security Officer (ISO): Individual responsible to the senior agency information security officer, authorizing official, or information system owner for ensuring the appropriate operational security posture is maintained for an information system or program.
Information Security Requirements: Information security requirements promulgated in accordance with law, or directed by the Secretary of VA, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.
Information Sensitivity: Information sensitivity reflects the relationship between the characteristics of the information processed (e.g., personnel data subject to protection under the Privacy Act) and the mission need to ensure the confidentiality, integrity, and availability of the information (e.g., legal requirements to protect confidentiality of personal data). Sensitivity may vary from low, to medium, to high.
Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
Information Type: A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization, or in some instances, by a specific law, executive order, directive, policy or regulation.
Low Impact System: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.
Major Application: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
Minor Application: An application can be classified as a Minor Application if it meets the following conditions: it relies upon a General Support System (GSS) or Major Application for security, it is within another system’s authorization boundary, and it does not have its own capital plan.
Moderate Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.
Potential Impact: The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.
Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
System Security Plan: Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
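The FIPS 199 categorization rules used in the Procedure above (high water mark over the three security objectives, and the rule that a Minor Application cannot have a Security Category higher than its host) together with the Low/Moderate/High Impact System definitions, worked through as an added Python example. This is not code from the SOP or from VA; the data model, function names and sample systems are constructed for illustration.

```python
"""FIPS 199 security categorization as described in Appendix D (added example).

Assumptions (not from the SOP): the dictionary-based data model, the function
names and the sample information types below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# FIPS 199 potential impact values, ordered low < moderate < high
# (Appendix D, "Potential Impact").
IMPACT_LEVELS: Tuple[str, ...] = ("low", "moderate", "high")
# The three basic security objectives named in the Procedure.
OBJECTIVES: Tuple[str, ...] = ("confidentiality", "integrity", "availability")

# A security category maps each objective to one impact value.
SecurityCategory = Dict[str, str]


def _rank(level: str) -> int:
    """Position of an impact value in the ordering; rejects unknown values."""
    if level not in IMPACT_LEVELS:
        raise ValueError(f"unknown FIPS 199 impact value: {level!r}")
    return IMPACT_LEVELS.index(level)


def categorize_information_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Security category of a system from the information types it handles.

    For each objective the system value is the highest value assigned to that
    objective across all information types (the FIPS 199 high water mark).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    category: SecurityCategory = {}
    for objective in OBJECTIVES:
        values = []
        for name, sc in info_types.items():
            if objective not in sc:
                raise ValueError(f"information type {name!r} lacks {objective}")
            values.append(sc[objective])
        category[objective] = max(values, key=_rank)
    return category


def system_impact_level(category: SecurityCategory) -> str:
    """Map a security category to the Low/Moderate/High Impact System definitions.

    Low: all three objectives low. High: at least one objective high.
    Moderate: at least one objective moderate and none high.
    """
    return IMPACT_LEVELS[max(_rank(category[o]) for o in OBJECTIVES)]


def format_security_category(category: SecurityCategory) -> str:
    """Render a category in FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}."""
    parts = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


def minor_application_exceeds_host(minor: SecurityCategory, host: SecurityCategory) -> List[str]:
    """Objectives on which a Minor Application's category is higher than its host's.

    The SOP requires that a Minor Application cannot have a Security Category
    higher than that of the host GSS or Major Application; an empty list means
    the constraint is satisfied.
    """
    return [o for o in OBJECTIVES if _rank(minor[o]) > _rank(host[o])]


# Constructed sample data (not from the SOP): a host Major Application that
# processes two information types, and two candidate Minor Applications.
HOST_INFO_TYPES: Dict[str, SecurityCategory] = {
    "privacy": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "medical": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}
HOST_CATEGORY = categorize_information_system(HOST_INFO_TYPES)
CANDIDATE_MINOR: SecurityCategory = {"confidentiality": "low", "integrity": "moderate", "availability": "low"}
OVERSIZED_MINOR: SecurityCategory = {"confidentiality": "high", "integrity": "high", "availability": "high"}

if __name__ == "__main__":
    print(format_security_category(HOST_CATEGORY), "->", system_impact_level(HOST_CATEGORY), "impact system")
    for label, minor in (("candidate", CANDIDATE_MINOR), ("oversized", OVERSIZED_MINOR)):
        exceeded = minor_application_exceeds_host(minor, HOST_CATEGORY)
        verdict = "ok" if not exceeded else "exceeds host on " + ", ".join(exceeded)
        print(f"{label}: {format_security_category(minor)} -> {verdict}")
```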
References
5 U.S.C. 552a, Privacy Act, c. 1974
38 U.S.C. 5705, Confidentiality of medical quality assurance records.
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
OMB Circular A-130, Appendix III, Security of Federal Automated Information Systems.
VA Directive 6500, Information Security Program
VA Handbook 6500, Information Security Program
VA Directive 6001, Limited Personnel Use of Government Office Equipment Including Information Technology
OMB Circular A-123 II, Management Accountability and Control
NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach”
NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems”
Records Management, FSS Records Management
FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”
Appendix E – A&A System/Facility DRP and ISCP Requirements

| Boundary | Plans | DRP | Comments |
|---|---|---|---|
| Region 1 | Region 1 - RCSnet Assessing; Region 1 GSS Assessing; Region 1 Infrastructure Assessing; Region 1 VistA Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Region 2 | Region 2 GSS Assessing; Region 2 Infrastructure Assessing; Region 2 VistA Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Region 3 | Region 3 GSS Assessing; Region 3 Infrastructure Assessing; Region 3 VistA Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Region 4 | Region 4 Infrastructure Assessing; Region 4 VistA Assessing; Region 4 - Electronic Computer Access Request (eCAR) Assessing; Philadelphia – BHIE Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Region 5 | Region 5 GSS Assessing; Region 5 Infrastructure Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Region 6 | Region 6 GSS Assessing; Region 6 Infrastructure Assessing; Region 6 - CDB Assessing; Region 6 VistA Assessing; Region 6 - FPPS Assessing; Region 6 - WRAP Assessing; Region 6 - CIRTS Assessing; Region 6 - OSCR Assessing; Region 6 – VHALWD Assessing | Facility DRPs (collectively) cover the Region DRP requirement | ISCP plan expected for each assessing entity as identified in GRC |
| Facilities | Facility.LAN.ISCP; Facility.PBX.ISCP (may only apply to certain facilities with a wired PBX); Facility.Major application (may only apply to facilities that house and manage the MA); Facility.DRP | Each facility must have a DRP plan | ISCP plan expected for LAN and, as applicable, PBX and/or MA |
| Region Other | Each GRC Assessing entity must have an ISCP plan | Each GRC Assessing entity must have a DRP plan | ISCP plan expected for each assessing entity as identified in GRC |

Appendix F – Links/URLs/E-Mail Addresses
796 | Links & URLs: Short Links / Full Address. (FSS) Bulletin #124 (MOU/ISA Guidance) | ||||
797 | https://URL.va.gov/sites/infosecurity/fieldsecurity/FSS%20Bulletins/124_MOU%20ISA%20Document%20Processing%20FINAL%20Guidance_080113.pdf | ||||
798 | A&A Home Documents | ||||
799 | https://URL.va.gov/sites/infosecurity/ca/CA%20Home%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FCA%20Home%20Documents%2FVA%20A%20and%20A%20Templates&FolderCTID=0x012000CB0DD849BEA0AB4FA5FEE491047C852D&View={5FCA9CEF-1C50-441D-A2FE-28D536ED0098} | ||||
800 | Acceptance of FEDRAMP Authorization Memo | ||||
801 | https://URL/docctr/Memoranda/150811-005R-Acceptance_of_FEDRAMP_Authorizations.pdf | ||||
802 | Approved Security Directives and Handbooks | ||||
803 | https://URL.va.gov/sites/infosecurity/ca/policy_default.aspx | ||||
804 | Authorization Requirements Quick Link Reference Guide | ||||
805 | https://URL.va.gov/sites/infosecurity/ca/CA%20Home%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FCA%20Home%20Documents%2FATO%20Documents&FolderCTID=0x012000CB0DD849BEA0AB4FA5FEE491047C852D&View={5FCA9CEF-1C50-441D-A2FE-28D536ED0098} | ||||
806 | Business Continuity Portal | ||||
807 | https://URL.va.gov/sites/infosecurity/bc/default.aspx | ||||
808 | Common Application Enumeration | ||||
809 | https://URL/display/OISSWA/Common+Application+Enumeration | ||||
810 | CRISP FOCUS SharePoint: https://URL.va.gov/sites/infosecurity/iprm/OIS%20Communications%20Home%20Folder%201/Forms/AllItems.aspx?RootFolder=/sites/infosecurity/iprm/OIS%20Communications%20Home%20Folder%201/CRISP%20FOCUS%20Campaign/Year%20Five&FolderCTID=0x0120004841CB7EF061244DBC5BD867B86555D1&View=%7b0F93DBB4-6AA1-4A48-95F1-D1C9735AFF78%7d | ||||
811 | Cyber Security Policy & Compliance (CSPC) | ||||
812 | https://URL.va.gov/sites/infosecurity/ca/VA_6500_Waiver.aspx. Enterprise Operations GRC Instance | ||||
813 | https://URL/display/OISSWA/Common+Application+Enumeration | ||||
814 | Enterprise Visibility and Vulnerability Management (EVVM) Dashboard: https://URL/display/OISSWA/Common+Applica | ||||
815 | FedRAMP-Agency Access Request Form | ||||
816 | https://www.fedramp.gov/files/2015/01/FedRAMP-Package-Access-Request-Form-v2-0.pdf | ||||
817 | Information Access and Privacy Program | ||||
818 | http://URL | ||||
819 | ISA/MOU Document Review Site | ||||
820 | https://URL.va.gov/sites/fss/HISD/ISAMOU/SitePages/Home2.aspx | ||||
821 | ISCP/DRP Template | ||||
822 | https://URL.va.gov/sites/infosecurity/bc/ISCPA%20Process%20Documentation/Forms/AllItems.aspx | ||||
823 | List of common controls for Regions 1-4: https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool%20IPT/Shared%20Documents/RiskVision%20Training%20and%20Documentation/Rev%203%20control%20mapping/Region%201-4%20Control%20Breakdown.xlsx | ||||
824 | List of common controls for Region 5: https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool%20IPT/Shared%20Documents/RiskVision%20Training%20and%20Documentation/Rev%203%20control%20mapping/Region%205%20Common%20Controls%20Updated_FINAL.xlsx | ||||
825 | List of common controls for GSS: https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool%20IPT/Shared%20Documents/RiskVision%20Training%20and%20Documentation/Rev%203%20control%20mapping/GSS%20SSP%20Control%20providers_v3-MVM%20Summaries.xlsx | ||||
826 | National Release GRC Instance | ||||
827 | https://URL/display/OISSWA/Common+Application+Enumeration | ||||
828 | NIST Special Publication 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems | ||||
829 | http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf | ||||
830 | NIST Special Publication 800-61 Rev. 2 - Computer Security Incident Handling Guide | ||||
831 | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf | ||||
832 | NSOC Scan Documents | ||||
833 | https://URL.va.gov/sites/infosecurity/ca/CA%20Home%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FCA%20Home%20Documents%2FNSOC%20Scan%20Documents&FolderCTID=0x012000CB0DD849BEA0AB4FA5FEE491047C852D&View={5FCA9CEF-1C50-441D-A2FE-28D536ED0098} | ||||
834 | OCS RBD Portal: https://URL.va.gov/sites/infosecurity/ca/VA_6500_Waiver.aspx | ||||
835 | Office of Cyber Security (OCS) Portal | ||||
836 | https://URL.va.gov/sites/infosecurity/ca/default.aspx | ||||
837 | Office of Information Security (OIS) Portal | ||||
838 | https://URL.va.gov/sites/infosecurity/index.aspx | ||||
839 | Office of Information Security, Authorization Requirements Guide Standard Operating Procedures | ||||
840 | https://URL.va.gov/sites/infosecurity/ca/CA%20Home%20Documents/ATO%20Documents/Authorization%20Requirements%20SOP%20Guide.doc | ||||
841 | POA&M Management Guide: https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool/GRC%20Tool%20Training%20Materials/Finding%20Specific%20Training/POAM%20Management%20Guide%20v2%20Nov%2021%202016%20FINAL.docx | ||||
842 | Policy Manager Training (RBD Process) | ||||
843 | https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool/GRC%20Tool%20Training%20Materials/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fprojects%2FGRC%20Tool%2FGRC%20Tool%20Training%20Materials%2FPolicy%20Manager%20Training%20%28RBD%20Process%29&FolderCTID=0x012000C5851A4D870A2F49AC5BFED7E758CE1F&View=%7b27EC8AEE-0BCC-4C7D-88E7-F5321F82F5EC%7d | ||||
844 | Request For Information Security Officer Support Form | ||||
845 | https://URL.va.gov/sites/infosecurity/fieldsecurity/Field%20Security%20Home%20Documents/ISO%20Forms/FSS_FORM_ISO%20Support_Request.pdf | ||||
846 | SCA Assessment Results: https://URL.va.gov/sites/infosecurity/projects/SCA%20Assessments/Lists/SCA%20Assessment%20Results/AllItems.aspx. Technical Services Project Repository (TSPR) | ||||
847 | http://URL.URL/tspr/index.asp | ||||
848 | Training and Brown Bag Materials | ||||
849 | https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool/GRC%20Tool%20Training%20Materials/Forms/AllItems.aspx | ||||
850 | TVM Training: https://URL.va.gov/sites/infosecurity/projects/GRC%20Tool/GRC%20Tool%20Training%20Materials/Forms/AllItems.aspx?RootFolder=/sites/infosecurity/projects/GRC%20Tool/GRC%20Tool%20Training%20Materials/TVM%20Training&FolderCTID=0x012000C5851A4D870A2F49AC5BFED7E758CE1F&View=%7b27EC8AEE-0BCC-4C7D-88E7-F5321F82F5EC%7d | ||||
851 | VA Directive 6404 | ||||
852 | http://URL/vapubs/viewPublication.asp?Pub_ID=826&FType=2 | ||||
853 | VA Handbook 6500.3, Certification and Authorization of Federal Information Systems | ||||
854 | https://URL.va.gov/sites/infosecurity/fieldsecurity/Field%20Security%20Home%20Documents/VA%206500%20HB%20Series%20Pubs/VA%206500.3%20HB%20Certification%20of%20Information%20Systems.pdf. VA Software Assurance Developer Support | ||||
855 | https://URL/display/OISSWA/How+to+open+an+NSD+ticket+to+register+a+VA+application | ||||
856 | VA SwA Program Office Resource | ||||
857 | https://URL/display/OISSWA/OIS+Software+Assurance | ||||
858 | E-Mail Addresses (Name: E-Mail). Certification Program Office: PII. Enterprise Visibility Team: PII. FSS Health Information Security Division: PII. OIT Enterprise Risk Management (ERM) CRISP Team: PII. Privacy Services Office: PII. VA FSS ISO Request: PII. VA GRC Service Desk: PII. VA RiskVision Working Group (RVWG): PII. VA Software Assurance (SwA) Program Office: PII. | ||||