OIT OIS Word ATO Cloud Guide 2018 11
User Manual:
Open the PDF directly: View PDF .
Page Count: 35
Download | |
Open PDF In Browser | View PDF |
UNCLASSIFIED OFFICE OF INFORMATION SECURITY Department of Veterans Affairs Cloud Authority to Operate (ATO) Process Version 2.0 November 19, 2018 | Cybersecurity Architecture Office Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Revision History Date Version Description 10/08/2018 1.0 10/26/2018 1.1 11/19/2018 2.0 Initial Draft Updated Draft Updated and finalize for signature Author IMC / UNISYS VAEC COMS Team/Cognosante VAEC COMS Team/Cognosante VA Cloud ATO Process | 2 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security We, the undersigned, approve the content of this ATO Cloud Security Process for the VA Enterprise Cloud (VAEC) Microsoft Azure Government High and Amazon Web Services (AWS) GovCloud High. _________________________________ David Catanoso Director Enterprise Cloud Solutions Office (ECSO) _________________________________ Joseph Fourcade Program Manager Enterprise Cloud Solutions Office (ECSO) VA Cloud ATO Process | 3 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Table of Contents VA Cloud Authority to Operate Process Summary .................................................................. 5 1 2 3 4 5 Background ...........................................................................................................................5 Purpose .................................................................................................................................6 Scope ....................................................................................................................................7 VA Cloud ATO Process – VA Cloud-Leveraged System ..............................................................8 Authorization Prerequisites ....................................................................................................9 5.1 Information Security Officer (ISO) Designation....................................................................... 9 5.2 Veteran – Focused Integration Process Request (VIPR) Identification (ID) .......................... 10 5.3 RiskVision Entry for Application or System ........................................................................... 10 5.4 Application Registration ........................................................................................................ 10 5.5 Secure Design Review ........................................................................................................... 11 5.6 Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) ......................................... 11 6 Assessment & Authorization (A&A) Requirements ................................................................12 6.1 Security Documentation ....................................................................................................... 12 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 System Security Plan (SSP) .............................................................................................................12 Incident Response Plan (IRP) .........................................................................................................13 Disaster Recovery Plan (DRP) .........................................................................................................13 Information Security Contingency Plan (ISCP)...............................................................................14 Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA) ..........................................14 Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU) ...............15 Configuration Management Plan (CMP) ........................................................................................15 Signatory Authority ........................................................................................................................16 Control Implementation Evidence .................................................................................................16 Risk Assessment (RA) .....................................................................................................................17 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 Nessus Scan ....................................................................................................................................17 Database Scan ................................................................................................................................18 Verification & Validation (V&V) Quality Code Review ..................................................................19 Secure Code Review .......................................................................................................................20 Penetration Test / Web Application Security Assessment (WASA) ..............................................20 Security Compliance Configuration Data (SCCD) ...........................................................................21 6.2 Scanning and Testing............................................................................................................. 17 6.3 Plan of Action and Milestone (POA&M) Remediation .......................................................... 22 6.4 Authorizing Official System Brief (AOSB) .............................................................................. 22 Appendix A Cloud ATO Checklist...................................................................................................23 APPENDIX B VA Cloud ATO Report and Dashboard (Sample Mockup) ............................................24 Appendix C System Owner Policy Mandated Responsibilities ........................................................25 Appendix D References and Supporting Documentation ...............................................................32 Appendix E Acronyms ..................................................................................................................33 VA Cloud ATO Process | 4 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security VA Cloud Authority to Operate Process Summary 1 Background Obtaining an Authority to Operate (ATO) for a cloud-leveraged Department of Veteran Affairs (VA) information system changes the ATO process applied historically at VA. Cloud Service Providers (CSPs) have gone to great lengths to secure their infrastructure, utilizing world-class security tools and employing in-house security teams with deep expertise. Most importantly, CSP’s use a shared responsibility model for providing defense-in-depth security. As detailed in Figure 1 below, the specific cloud service delivery mechanisms that a customer selects (whether on-premises, IaaS, PaaS, or SaaS) will define and determine customer-specific responsibilities. Figure 1: Shared Responsibility for different Cloud Service Modes https://www.hostingadvice.com/how-to/iaas-vs-paas-vs-saas/ There are three primary cloud service models based on the NIST SP 800-145, The NIST Definition of Cloud Computing: • • • Software as a Service (SaaS) - The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. Platform as a Service (PaaS) - The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider Infrastructure as a Service (IaaS) - The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run arbitrary software, which can include operating systems and applications. VA Cloud ATO Process | 5 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Customers deploying in the VA Enterprise Cloud (VAEC) can take advantage of the shared responsibility model and accelerate more secure deployment of IT assets and accelerate the ATO process. Specifically, customers utilizing the shared-responsibility model can take advantage of control inheritance. The CSPs are responsible for ensuring they have gone through the FedRAMP process and obtained an ATO. As part of the FedRAMP process, the CSP will document in the Controls Implementation Summary (CIS) the responsibilities of the CSPs and the customer. The majority of VA cloud-leveraged systems will rely on not only their own ATO but the ATO of their Cloud Service Provider (CSP) and the ATO of the VA Enterprise Cloud (VAEC) with each representing a potential source of security control inheritance. The VAEC provides a set of common General Support Services (GSS) to simplify support and development. The services that are part of the VA GSS ATO provided to within the VAEC Azure an AWS deployments are the following: • • Common Services o Active Directory o PKI Services o Ansible o Backup o CA Unified Infrastructure Management (CA UIM) o Disaster Recovery o GitHub o Jump Boxes o SMTP Relays Security and Scanning Tools o BigFix o McAfee (HIPS, HIDS, Antivirus) o Nessus o Splunk 2 Purpose This document is intended to standardize the process flow and expectations for obtaining ATO for a VA cloud-leveraged system. It will be enhanced in future iterations to standardize the process flow for authorizing individual cloud services including Software-as-a-Service (SaaS) which presents unique challenges of its own. Linked to the process flow are potential metrics that can be measured and presented during Planning, Migration, and Operation of the VA cloud-leveraged information system. It will also be updated as the VA migrates from RiskVision to eMASS for RMF assessment recording. VA Cloud ATO Process | 6 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 3 Scope The VA Enterprise Cloud (VAEC) CSP Environments have a US Federal Risk and Authorization Management Program (FedRAMP) High Certified VA ATO. VAEC provides access to the FedRAMP certified services of each CSP. The ATO for an application or system residing in the VAEC is separate from the VAEC CSP Environment ATO. Each project team is responsible for its application or system level ATO. System Owners and Information Security Officers (ISO) will follow the Risk Management Framework for VA Information System (VA Handbook 6500). This guide presents the overall process flow to achieve an ATO for a VA cloud-leveraged information system. The process is linked to the RMF as described above and contains distinct procedures to ensure the appropriate security concerns and compliance requirements are considered throughout the RMF. Currently, the VA utilizes RiskVision (https://vaww.grc.va.gov/spc/page.jsp) as their Governance, Risk, and Compliance (GRC) tool to capture security and compliance requirements. VA has partnered with the Defense Information Systems Agency (DISA) to transition to a new GRC tool. This tool, Enterprise Mission Assurance Support Service (eMASS) is a web-based Government off-the-shelf (GOTS) service for Risk Management Framework (RMF) Assessment and Authorization activities. DISA will deploy and maintain eMASS on behalf of the VA. Please refer to the VAEC CSP’s website (VAEC Site) to determine which services are in scope and have been fully assessed by third party auditors, resulting in a FedRAMP Certification, attestation of compliance, or ATO. Customers deploying in the VAEC can take advantage of the common controls that are being provided by the CSP, VAEC, and from the VA to accelerate more secure deployment of IT assets and accelerate the ATO process. Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. The inheritable controls from the CSP have been assessed with an accredited Third-Party Assessment Organization (3PAO) as part of the FedRAMP ATO process. This means the System Owner has less controls that they are responsible for implementing and validating. This will help to accelerate the authorization process. When submitting an authorization package within RiskVision, the ISO will work with the System Owner to provide guidance on those controls that are inheritable and do not require a response. Figure 2 Controls Inheritance Summary VA Cloud ATO Process | 7 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 4 VA Cloud ATO Process – VA Cloud-Leveraged System The overview provided below illustrates the Risk Management Framework (RMF) process to obtain a system-specific ATO when the system leverages a cloud service (or multiple cloud services). The process flow follows the NIST and VA RMF by identifying specific procedural tasks for each of the following RMF steps (as applicable): 1. 2. 3. 4. 5. 6. Categorize Select Implement Assess Authorize Monitor Figure 3 Risk Management Framework (RMF) Note: As this is a document specific to the process and procedures required to achieve ATO for cloud services and VA cloud-leveraged information systems, the processes associated with implementation and assessment are abbreviated while referencing the appropriate legacy process for completing the action. The System Owner, ISO, and other designated stewards must complete the following to successfully submit for an Authorization package (see Appendix A – Cloud ATO Checklist): Designate an Information Security Officer and coordinate assignment of an Enterprise Program Management Office (EPMO) Information Assurance (IA) Security Analyst (see Section 5.1) Submit for a Veteran -Focused Integration Process Request (VIPR) ID (see Section 5.2) Complete the RiskVision (to be replaced by eMASS) System Inventory Checklist (see Section 5.3) Register with the VA Software Assurance Program Office (see Section 5.4) Submit for a Secure Design Review (see Section 5.5) VA Cloud ATO Process | 8 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Submit a Privacy Threshold Analysis to determine if a Privacy Impact Analysis (PIA) is required (see Section 5.6 and Section 6.1.5) Prepare PIA if required (see Section 5.6) Prepare System Security Plan (see Section 6.1.1) Prepare Incident Response Plan (see Section 6.1.2) Prepare Disaster Recovery Plan (see Section 6.1.3) Prepare Information Security Contingency Plan (ISCP) (see Section 6.1.4) Prepare Interconnection Security Agreement/Memorandum of Understanding (see Section 6.1.6) Prepare Configuration Management Plan (see Section 6.1.7) Prepare Signatory Authority document (see Section 6.1.8) Document control implementation evidence in RiskVision (or eMASS) (see Section 6.1.9) Prepare Risk Assessment (see Section 6.1.10) Request Nessus Scan (see Section 6.2.1) If project includes a database, schedule Database scan (see Section 6.2.2) Request Quality Code Review validation (see Section 6.2.3) Request Secure Code Review validation (see Section 6.2.4) Request Penetration Test/Web Application Security Assessment (see Section 6.2.5) Request Security Compliance Configuration Data (SCCD) scan (see Section 6.2.6) Prepare Plan of Action and Milestones (see Section 6.3) Prepare Authorizing Official System Brief (AOSB) to be submitted with ATO Packet (see Section 6.4) For the ATO to be reviewed for authorization by the VA, the package must be completed and uploaded into RiskVision and progressed to “CA Provide Certification Recommendation” no less than 45 calendar days before the date of the requested authorization decision. More detailed information can be found in the Office of Information Security document “Authorization Requirements Standard Operating Procedures Version 3.27”, dated September 28, 2018. 5 Authorization Prerequisites 5.1 Information Security Officer (ISO) Designation If an ISO is not yet assigned to the system/application, the System Owner must submit the required form to request ISO Support. Form Link: https://vaww.portal2.va.gov/sites/infosecurity/ca/CA%20Home%20Documen ts/ATO%20Documents/FSS_ISO%20Support_Request.pdf E-mail Address: VAFSSISORequests@va.gov Once an ISO is assigned, coordinate with the ISO to get an assigned Security Analyst from the EPMO IA office. VA Cloud ATO Process | 9 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 5.2 Veteran – Focused Integration Process Request (VIPR) Identification (ID) If an effort touches the VA network, regardless of whether it spends government funds from VA’s Congressional IT Appropriation or any other appropriation, the VIP Framework is mandated per the Veteran-focused Integration Process (VIP) Memorandum signed on Dec. 31, 2015 by Laverne Council, Assistant Secretary for Information Technology. The Veteran-focused Integration Process (VIP), a Lean-Agile framework, services the interest of Veterans through the efficient streamlining of activities occurring within the IT enterprise. This effort prioritizes the increasing value to the Veteran, information security, portfolio management, and continuous organizational learning and improvement within VA. The primary goal of VIP is to increase the speed of delivering high-quality, secure, and sustainable IT capabilities to benefit the Veteran. The system owner will submit Epics to OIT to begin the process. VIP Link: VIP SharePoint: https://vaww.vaco.portal.va.gov/sites/OIT/epmo/vip/Pages/HomePage.aspx E-mail Address: VIP Business Office: vavip@va.gov Assistance with Alignment Epics: epics@va.gov Release Readiness Office: OITEPMOTRSRROReleaseAgents@va.gov 5.3 RiskVision Entry for Application or System System Owner or delegate completes the RiskVision (RV) System Inventory Checklist. Reach out to the ISO or the RiskVision Working Group (RVWG) with any questions regarding checklist completion. Once the RVWG approves the Application/System for a RiskVision entry, the System Owner or delegate will be notified by OIS via e-mail from the GRC Service Desk. RV Checklist Link: https://vaww.portal2.va.gov/sites/infosecurity/ca/RV_NewSystemRequest.as px E-mail Address: RiskVision Working Group: VARiskVisionWG@va.gov GRC Service Desk: vaGRCservicedesk@va.gov 5.4 Application Registration Custom developed and COTS VA applications are required to be registered with the VA Software Assurance Program Office. Registration is necessary to maintain an inventory of the total population of VA custom and COTS applications, by type and business line according to the VA Common Application Enumeration (CAE) to ensure application-level security considerations are taken into account when determining readiness and performance. Detailed instructions on the registration process can be found on the VA Software Assurance Developer Support Site. VA Cloud ATO Process | 10 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Application Registration Link: https://wiki.mobilehealth.va.gov/display/OISSWA/How+to+open+an+NSD+tic ket+to+register+a+VA+application E-mail Address: OIS Software Assurance: OISSwAServiceRequests@va.gov 5.5 Secure Design Review Secure design reviews of VA custom-developed applications are conducted during development and during authorization processes. Secure design reviews, unlike secure code reviews, may be performed before any code is written. If the application has not already been registered (Section 5.2), then the custom-developed application will need to be registered. After the registration has been completed, an Application-ID and upload/report directory will be provided. COTS applications do not need to be submitted for Secure Design Review. Next, request a sample VA Application Threat Model by sending an email to OIS Software Assurance with the following: • • Subject: Request sample threat models Body: Include the Application-ID for which the models are being requested in support of. Secure Design Review Link: Application Threat Model: https://wiki.mobilehealth.va.gov/display/OISSWA/How+to+open+an+NSD+tic ket+to+request+an+initial+application+threat+model VA Secure Design Review SOP: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20S ecure%20Design%20Review%20SOP.pdf?api=v2 E-mail Address: OIS Software Assurance: OISSwAServiceRequests@va.gov 5.6 Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) The System Owner (SO), Privacy Officer (PO), and ISO will need to work together to submit a PTA to determine if Personally Identifiable Information (PII) is being collected by the Application/System. If the PTA determines that is no PII being collected: 1. The System Owner, PO, and ISO will be notified that no further action is required. 2. A copy of the PTA will be provided to the System Owner, PO and ISO as privacy compliance and risk management document indicating the system has been assessed for privacy implications. 3. Upload a copy of the PTA into RiskVision. If the PTA indicates that PII is being collected: VA Cloud ATO Process | 11 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 1. A copy of the PTA will be provided to the SO, PO and ISO as privacy compliance and risk management documentation indicating an IT system has been assessed for privacy implications and a PIA is required. 2. The PO will coordinate with the ISO and System Owner to ensure all data and associated risks are identified and documented in the PIA submission. The ISO and System Owner will review and draft the PIA and work with the PO for any chances. 3. The PIA will require electronic signature from the PO, ISO and SO prior to submission to the Chief Information Officer (CIO) for review and signature. Once the CIO reviews and signs the PIA, it is officially approved and completed. 4. The SO, PO and ISO will be notified of the approval and approved PIA will be incorporated into the System’s A&A package by the ISO. 5. The System Owner or delegate uploads the PIA into RiskVision. PTA / PIA Template Link: https://vaww.portal2.va.gov/sites/infosecurity/ca/CA%20Home%20Documen ts/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FCA%2 0Home%20Documents%2FVA%20A%20and%20A%20Templates&FolderCTID= 0x012000CB0DD849BEA0AB4FA5FEE491047C852D&View=%7b5FCA9CEF1C50-441D-A2FE-28D536ED0098%7d E-mail Address: Privacy Office: PIASupport@va.gov 6 Assessment & Authorization (A&A) Requirements 6.1 Security Documentation 6.1.1 System Security Plan (SSP) The SSP is the formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The SSP is developed within RiskVision. Continuous Monitoring Requirement – The SSP must be updated on an annual basis or when a significant change in the system or a major change in the data occurs. RiskVision Link: National Release GRC Instance: https://vaww.grc.va.gov/spc/index.jsp Enterprise Operations GRC Instance: https://vaww.eogrc.va.gov/spc/index.jsp E-mail Address: GRC Service Desk: vaGRCservicedesk@va.gov VA Cloud ATO Process | 12 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 6.1.2 Incident Response Plan (IRP) IRP guidance is provided below: • Facilities are responsible for completing the IRP. • An IRP is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. • IRP guidance can be found in NIST SP 800-61. • Tools and websites that can be useful in IRP creation: o Agiliance RiskVision Enterprise Operations GRC Instance o Agiliance RiskVision National Release GRC Instance o OIS Cyber Security Portal • The System Owner works with the assigned ISO to create the IRP. • Once completed and tested, the System Owner or designee uploads the signed IRP into RiskVision. • Each site is responsible for developing local level procedures incorporating VA-CSOC areas of responsibility. • The Incident Response Plan must meet the following standards in creation: o o o Information Access and Privacy Program NIST Special Publication 800-61 - Computer Security Incident Handling Guide VA Handbook 6500.3, Certification and Authorization of Federal Information Systems Continuous Monitoring Requirement – The IRP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs. 6.1.3 Disaster Recovery Plan (DRP) DRP guidance is provided below: • Emergency Preparedness & Response (EPR) underneath DR/COOP is the Office of Primary Responsibility (OPR) for planning and testing of plans. • Plans are based upon current boundaries established by OIS. Each year EPR will provide planning and testing guidance through an action item. • Disaster Recovery planning refers to measures to recover information system services to an alternate location after a disruption. • The System Owner or delegate develops or revises the DRP. • Questions about the planning process, plan templates, or testing process should contact the EPR team (OITITOPSSPECOECCDRCOOPAllStaff@va.gov). • The System Owner or delegate uploads the DRP into RiskVision. VA Cloud ATO Process | 13 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security • The DRP must meet the following standards: o NIST Special Publication 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems Agiliance RiskVision Enterprise Operations GRC Instance o Office of Information Security, Authorization Requirements Guide Standard Operating Procedures Continuous Monitoring Requirement – The DRP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs. 6.1.4 Information Security Contingency Plan (ISCP) ISCP guidance is provided below: • Emergency Preparedness & Response (EPR) underneath DR/COOP is the Office of Primary Responsibility (OPR) for planning and testing of plans. • Plans are based upon current boundaries established by OIS. Each year EPR will provide planning and testing guidance through an action item. • Contingency planning refers to interim measures to recover information system services after a disruption. • The System Owner or delegate develops or revises the Information System Contingency Plan. • Questions about the planning process, plan templates, or testing process should contact the EPR team (OITITOPSSPECOECCDRCOOPAllStaff@va.gov). • The System Owner or delegate uploads the Information System Contingency Plan into RiskVision. • The ISCP must meet the following standards: o NIST Special Publication 800-34 Rev. 1 - Contingency Planning Guide for Federal Information Systems Agiliance RiskVision Enterprise Operations GRC Instance o Office of Information Security, Authorization Requirements Guide Standard Operating Procedures Continuous Monitoring Requirement – The ISCP must be tested and updated on an annual basis or when a significant change in the system or a major change in the data occurs. 6.1.5 Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA) The Privacy Threshold Analysis (PTA) should be updated, signed and uploaded in the Documents tab in RiskVision. If required, the Privacy Impact Assessment (PIA) should be updated, signed and uploaded in the Documents tab in RiskVision. Continuous Monitoring Requirement – A PTA must be submitted on Annual Basis. A PIA must be submitted Every Three Years. (A&A SOP, 4.2.9) VA Cloud ATO Process | 14 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 6.1.6 Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU) ISA/MOU guidance is provided below: • Before an external connection can be granted, a Memorandum of Understanding (MOU) and an Interconnection Security Agreement (ISA) are required to authorize a connection between information systems that do not share the same Authorizing Official. • An ISA/MOU must be provided for all external interconnections. • ISA/MOU guidance can be found in NIST SP 800-47 and VA Handbook 6500. • Additional guidance for completion of the ISA/MOU can be found in the Field Security Service (FSS) Bulletin # 269 or by contacting the Health Information Security Division at vafsshisd@va.gov or the OIT Enterprise Risk Management (ERM) CRISP Team at Sharon.mcallister@va.gov. ISA/MOU completion steps: 1. System Owner in coordination with the entities identified in NIST SP 800-47 will complete the ISA/MOU using the latest template provided at: OIS Portal or A&A Home Documents. 2. ISO will upload all final draft MOU/ISA documents to the MOU/ISA Review Submissions SharePoint site for a review prior to requesting signatures. 3. A VA review team will assess the documents against a checklist for quality and content. 4. The reviewer and the ISO will work collaboratively to correct deficiencies found in the documentation. 5. The reviewer will notify the ISO via email informing them that the document is ready for signatures. 6. The ISO will process the document for signature. 7. Upon receipt of the completed and signed MOU/ISA document, the ISO will upload the document to the Enterprise Document SharePoint. 8. The finalized document should also be added to the existing A&A artifacts in RiskVision. Continuous Monitoring Requirement – The ISA/MOU Review Sheet must be completed on an annual basis. If there is a significant change, which impacts the architecture, please contact the Health Information Security Division at vafsshisd@va.gov to determine if an update to the ISA/MOU is necessary. 6.1.7 Configuration Management Plan (CMP) CMP guidance is provided below: VA Cloud ATO Process | 15 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security • Facilities are responsible for completing the CMP (pending clarification on requirement for systems). • CMP guidance can be found in NIST SP 800-128 and VA Handbook 6500. • Additional guidance for completion of the CMP can be provided by OIS. • The CMP should include processes for managing configuration and change management. • The CMP should include infrastructure devices and baseline configurations (e.g., switches, routers, firewalls). • The CMP should include a configuration file for each operating system(s), database(s), application(s), and network device(s) to validate compliance with baseline configuration. CMP completion steps: 1. System Owner or delegate completes the CMP using the template provided at A&A Home Documents. 2. ISO, System Owner or delegate/System Steward uploads the CMP to the Documents tab in RiskVision. Continuous Monitoring Requirement – The CMP must be updated on an annual basis or when a significant change in the system or a major change in the data occurs. 6.1.8 Signatory Authority Signatory Authority guidance is provided below: • The Signatory Authority must be signed and dated by the appropriate parties. • Additional guidance for completion of the Signatory Authority can be provided by OIS. Signatory Authority completion steps: 1. System Owner or delegate completes the Signatory Authority using the template provided at A&A Home Documents. 2. System Owner, ISO or delegate/System Steward uploads the Signatory Authority to the Documents tab in RiskVision. Continuous Monitoring Requirement – The Signatory Authority must be completed on an annual basis or when a significant change in the system or a major change in the data occurs. 6.1.9 Control Implementation Evidence All control implementation statements evaluated as part of the RiskVision Assessment Workflow need to contain evidence that demonstrates the control was tested, how it was tested, and the results. The evidence will be required for all controls that are documented to be in place and the VA Cloud ATO Process | 16 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security results can be documented by going to the appropriate assessment and clicking on the General tab. From the General tab, select each control in the Control Test column to document how a control was tested, the results, any associated findings, and any supporting documentation. 6.1.10 Risk Assessment (RA) The Risk Assessment (RA) should be uploaded in the Documents tab in RiskVision. Follow the steps below to complete the action item. 1. The System Steward completes the assessment in RiskVision. 2. The ISO validates information added by the System Steward in RiskVision. 3. The ISO, System Owner or delegate/System Steward exports the RA from RiskVision and uploads the document to the Documents tab in RiskVision Continuous Monitoring Requirement – The RA must be updated on an Annual Basis or when a significant change in the system or a major change in the data occurs (A&A SOP, 4.2.4). 6.2 Scanning and Testing 6.2.1 Nessus Scan A credentialed vulnerability scan against all instances of the operating system and desktop configurations must be conducted to identify security flaws. When conducting the Nessus Scan, a discovery scan to identify all assets within the authorization boundary must be conducted as a part of the vulnerability scan (a discovery scan will not enumerate any vulnerabilities). All Critical and High deficiencies should be mitigated with documented mitigation evidence provided, and Moderate and Low deficiencies should be mitigated or have a documented mitigation plan. The System Owner or delegate will need to request a Nessus scan. Once the request is completed, CPO will work with ISRM/CSOC to determine if a separate supplemental vulnerability scan shall be conducted or authentication information for the non-Windows devices (e.g., SSH credentials for Linus/Unix servers) be added to the existing monthly predictive scan (conducted by NSOC). Upload the results to the Documents tab within RiskVision when results are sent to you. Next, please provide the IP Ranges to ISRM, so the applicable Nessus data can be entered in TVM within RiskVision. If a system’s Nessus Scan data is not currently displayed in the TVM within RiskVision, refer to the TVM guidance material located on the OIS portal. Once the system’s Nessus Scan data is accurately shown in TVM within RiskVision, System Owner or delegate needs to follow these steps: a) Browse to Nessus Enterprise Web Tool (NEWT) and use the Remediation Effort Entry Form (REEF) to document your manual remediation effort. For each deficiency identified from the scan, the System Owner or delegate creates a response within REEF for VA Cloud ATO Process | 17 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security mitigating the deficiencies and / or provides evidence that the deficiencies have been mitigated. Also, include the scheduled completion date and status of each deficiency within REEF. b) Once all manual remediation has been documented within REEF, run this report https://spsites.cdw.va.gov/sites/FODW_PVT/Progress%20Reports/Progress_ReportbyRe gion_Chart.rdl within NEWT. c) Export the report by going to the upper left side of the screen select the Actions Menu. Choose Export and select Excel. Save the file. d) System Owner or delegate then uploads the report from step 3 above to the Documents tab within RiskVision. Mitigation information can also be provided in the Vulnerabilities tab within RiskVision. e) Within the uploaded mitigation strategy, each system should conduct an analysis on the results of the vulnerability scans to determine and document those findings that are false positives, not applicable to the system, or otherwise mitigated. Additionally, findings that must be remediated through or from the vendor should also be documented as part of this analysis. Continuous Monitoring Requirement – CSOC conducts predictive Nessus vulnerability scans monthly. A supplemental scan is required for A&A purposes when requested by OIS, CSOC, and/or when new vulnerabilities potentially affecting the system/applications are identified and reported. To maintain the authorization decision, the system must meet this continuous monitoring requirement. Nessus Links: Nessus Scan Request: https://vaww.portal2.va.gov/sites/infosecurity/ca/Lists/Supplemental%20Sca n%20Request/AllItems.aspx OIS Portal GRC Training: https://vaww.portal2.va.gov/sites/infosecurity/projects/GRC%20Tool/GRC%2 0Tool%20Training%20Materials/Forms/AllItems.aspx E-mail Address: Nessus Enterprise Web Tool (NEWT: https://spsites.cdw.va.gov/sites/FODW_PVT/ ISRM: vaoisisrmrmf@va.gov 6.2.2 Database Scan If this project includes a database host, a full database scan must be scheduled with the VA-CSOC. Once the database scan results are received, all findings should be mitigated and/or have a documented remediation strategy with expected mitigation date uploaded to Documents tab within RiskVision. VA Cloud ATO Process | 18 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security To maintain the authorization decision for the system, any findings must be remediated within the approved timelines for the severity of the findings, and a Plan of Action and Milestones (POA&M) must be created in RiskVision to keep track of the remediation effort. Database scans can be requested by visiting the link listed below. If a Database scan is not applicable, upload document to the documents tab explaining why a Database scan is not applicable. Continuous Monitoring Requirement – The Database scan must be conducted on an annual basis or when a significant change to the configuration. VA CSOC DB Scan Questionnaire https://vaww.portal2.va.gov/sites/infosecurity/ca/Lists/VA%20NSOC%20DB%2 0Questionnaire/AllItems.aspx E-mail Address: Database Scanning Team: VANSOCDBScans@va.gov 6.2.3 Verification & Validation (V&V) Quality Code Review Quality code reviews of VA enterprise applications are conducted during development. Quality code reviews conducted during development are performed both during component testing and during A&A processes. If the application has not be registered, then the VA Application Developer will need to open a VA National Service Desk (NSD) ticket to register their application with the VA SwA Program Office. V&V reviews are conducted during the A&A process to obtain an Authority to Operate (ATO) or Temporary Authority to Operate (TATO). VA Application Developers scan their own application source code and deliver the scan results to the VA SwA Program Office for review. • • Subject: "Request quality code review validation" Body: Include the Application-ID and attach the V&V Quality Code Review Request Form Secure Design Review Link: V&V Quality Code Review: https://wiki.mobilehealth.va.gov/pages/viewpage.action?pageId=63837464 V&V Quality Code Review Request Form: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20Q uality%20Code%20Review%20Validation%20Request%20Form.pdf V&V Quality Code Review SOP: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20Q uality%20Code%20Review%20SOP.pdf?api=v2 E-mail Address: OIS Software Assurance: OISSwAServiceRequests@va.gov VA Cloud ATO Process | 19 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security 6.2.4 Secure Code Review Secure code reviews of custom developed VA applications using the approved VA static code analysis tool should be conducted to identify vulnerabilities, coding, and design flaws within VA applications. Applications written in languages that are not supported, such as MUMPS, shall be targeted for manual review of testing with other applicable tools. If a Secure Code Review is not applicable, upload a document to the Documents tab within RiskVision explaining why a Secure Code Review is not applicable. Note there are two types of code reviews, which are not the same and are not interchangeable from an authorization perspective. There are different, separate A&A SOP technical/testing requirements for each. Secure code review has to do with following up mainly on potential critical and high severity findings. Compared to quality code review which has to do with following up on potential quality-specific findings. As part of the process for the secure code review, the Fortify .fpr scan file(s) and zip(s) of scanned code to your applications will need to be uploaded to the report directory on the VA network. An email will need to be sent to the OIS Software Assurance with the Secure Code Request form attached, and the following: • • Subject: "Request secure code review validation" Body: Please include the Application-ID and attach the Secure Code Review Request form. Continuous Monitoring Requirement – The Secure Design Review must be updated on an Annual Basis or when a significant change in the system or a major change in the application architecture occurs. (A&A SOP, 4.2.11) Secure Design Review Link: V&V Secure Code Review: https://wiki.mobilehealth.va.gov/pages/viewpage.action?pageId=26774489 V&V Secure Code Review Request Form: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20Q uality%20Code%20Review%20Validation%20Request%20Form.pdf E-mail Address: V&V Secure Code Review SOP: https://wiki.mobilehealth.va.gov/download/attachments/24482308/VA%20S ecure%20Code%20Review%20SOP.pdf?api=v2 OIS Software Assurance: OISSwAServiceRequests@va.gov 6.2.5 Penetration Test / Web Application Security Assessment (WASA) The System Owner or delegate requests a penetration test or a WASA by completing the CSOC Penetration Test / CSOC WASA form found at NSOC Scan Documents to request penetration test/application assessment from CSOC. VA Cloud ATO Process | 20 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security The CSOC Penetration Test / NSOC Web Application Security Assessment (WASA) must be uploaded in the Documents tab on RiskVision and updated Annually. Continuous Monitoring Requirement – A CSOC Penetration Test / CSOC WASA is required on an Annual Basis to maintain an ATO and/or when a major change to the system or upgrades to the tools used occurs. In addition, OI&T conducts penetration testing quarterly on one-fourth of the total number of VA High Systems and/or internet facing systems. (A&A SOP, 4.2.11) Pen Test / WASA Link: Pen Test / WASA Request: https://vaww.portal2.va.gov/sites/infosecurity/ca/CA%20Home%20Documen ts/Forms/AllItems.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FCA%2 0Home%20Documents%2FCSOC%20Scan%20Documents&FolderCTID=0x012 000CB0DD849BEA0AB4FA5FEE491047C852D&View=%7B5FCA9CEF-1C50441D-A2FE-28D536ED0098%7D 6.2.6 Security Compliance Configuration Data (SCCD) The System Owner or delegate contacts ISRM at vaoisisrmrmf@va.gov to ensure the IP addresses or system names that make up their system(s) are appropriately tagged or accounted for in RiskVision. After reviewing information system boundaries for accuracy, System Owner/Delegate should run the Security Configuration Compliance Data (SCCD) Checklist Trending and Compliance Trending reports and export them to PDF from the EVVM Dashboard (https://dashboard.tic.va.gov > Enterprise > All Systems > Authorization & Accreditation). System Owner or Delegate uploads the Compliance Trending and Checklist Trending reports to the Documents tab in RiskVision. The Compliance Trending and Checklist Trending reports can be found at https://dashboard.tic.va.gov/s/28U/ and https://dashboard.tic.va.gov/s/28T/, respectively. Important: If the IS environment changes, the System Owner will need to contact ISRM to ensure the correct system(s) are tagged/untagged in RiskVision. Not informing ISRM of system inventory changes will result with incorrect SCCD scan reports. Continuous Monitoring Requirement – Security Configuration Compliance Data must be pulled in accordance with the guidance above on a quarterly basis, or when changes are made to the approved secure configuration/hardening guides, or when requested by OIS.(A&A SOP, 4.3.5) VA Cloud ATO Process | 21 Internal VA Use Only – For Official Use Only UNCLASSIFIED OFFICE OF INFORMATION AND TECHNOLOGY Office of Information Security Checklist Trending reports Regional GSS: https://dashboard.tic.va.gov/s/28T/ Facility GSS: https://dashboard.tic.va.gov/s/28V/ System: https://dashboard.tic.va.gov/s/28X/ Compliance Trending reports Regional GSS: https://dashboard.tic.va.gov/s/28U/ Facility GSS: https://dashboard.tic.va.gov/s/28W/ System: https://dashboard.tic.va.gov/s/28Y/ 6.3 Plan of Action and Milestone (POA&M) Remediation The System Owner or delegate will address all weaknesses that have been identified during the assessment and scanning of the applicable application or system within RiskVision prior to submission for ATO. The System Owner or delegate will need to provide responses for the weakness that includes the remediation activities for the corrective actions or mitigation activities with associated milestones to correct the weaknesses. 6.4 Authorizing Official System Brief (AOSB) The completion of the AOSB process is automated. EPMOIA will send out the AOSB link that is specific to the system typically two weeks prior to the “45-Day” ATO expiration date. The system’s AOSB link is sent to the System Owner and ISO. For further information, contact EPMOIA@va.gov. Initial ATOs will go through a similar process. The progression of the RiskVision workflow will prompt for an AOSB to be completed. VA Cloud ATO Process | 22 Internal VA Use Only – For Official Use Only UNCLASSIFIED Appendix A Cloud ATO Checklist CLOUD AUTHORIZATION CHECKLIST FOR DEPLOYMENTS WITHIN THE VAEC Activity Authorization Prerequisites Information Security Officer (ISO) Designation and EPMO IA Security Analyst assigned Focused Integration Process Request (VIPR) Identification (ID) RiskVision Entry for Application or System Application Registration Secure Design Review Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA) Assessment & Authorization (A&A) Requirements Security Documentation (RMF Step 3) System Security Plan (SSP) Incident Response Plan (IRP) Disaster Recovery Plan (DRP) Information Security Contingency Plan (ISCP) Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU) – (if required) Configuration Management Plan (CMP) Signatory Authority Control Implementation Evidence Risk Assessment (RA) (RMF Step 4) Scanning and Testing (RMF Step 4) – Request as soon as possible after CRISP compliance Nessus Scan Database Scan (if required) Verification & Validation (V&V) Quality Code Review Secure Code Review Penetration Test / Web Application Security Assessment (WASA) Security Compliance Configuration Data (SCCD) Plan of Action and Milestone (POA&M) Remediation Authorizing Official System Brief (AOSB) Authorization Package Submission Authorization to Operate (ATO) Issuance (RMF Step 5) Continuous Monitoring (RMF Step 6) Status VA Cloud ATO Process | 23 APPENDIX B VA Cloud ATO Report and Dashboard (Sample Mockup) All VA systems are required to register in VA’s Information System Inventory (VASI) and cloudleveraged systems are no exception. Information about each system will be captured in RiskVision and periodically fed to VASI. VA’s Enterprise Architecture (EA) Security Domain produces an ATO Report and Dashboard as illustrated in Figure 4, that can be leveraged to produce results filtered to show only cloud-leveraged systems. Figure 4: ATO Report and Dashboard Sample Mockup VA Cloud ATO Process | 24 Appendix C System Owner Policy Mandated Responsibilities In accordance with VA policy, System Owners/System Stewards have policy mandated responsibilities spanning from information system security to day-to-day system operations. The responsibilities in this checklist pertain to System Owners/Stewards responsibilities as outlined in VA Handbook 6500 and system accreditation requirements. (Source: Office of Information Security System Owner Accountability Model, Model Criteria Version 1.0, dated January 2016) VA Cloud ATO Process | 25 # Responsibility Designee Completed? [populate with name of actual designee, as appropriate] Yes No [populate with name of actual designee, as appropriate] Yes No 3. Review, update and test the system contingency [populate with name of actual designee, plan as specified in the SSP and when a as appropriate] significant change to the system occurs. Yes No 4. Ensure risk assessments are accomplished per the SSP, regularly reviewed/updated, and when there is a major change to the system, reviewed and updated as required. [populate with name of actual designee, as appropriate] Yes No 5. Conduct PIA with the assistance of the PO, as required. [populate with name of actual designee, as appropriate] Yes No 6. Develop and maintain an IT system Configuration, Change, and Release Management Plan. [populate with name of actual designee, as appropriate] Yes No 7. Ensure that technical testing is coordinated with [populate with name of actual designee, the appropriate organizational entities and as appropriate] completed as scheduled (i.e., Nessus scans, secure code reviews, penetration test/application assessments, security control assessments (SCA), and security configuration compliance data). Yes No 8. Ensure each system has developed a secure baseline of security controls by scoping, tailoring, compensating, and supplementing the controls as outlined in the VA Handbook 6500. [populate with name of actual designee, as appropriate] Yes No 9. Ensure each system secure baseline configuration outlined above is documented in [populate with name of actual designee, as appropriate] Yes No 1. Develop in RiskVision: - 2. SSP Risk Assessment Configuration Management Plan (CMP) Incident Response Plan (IRP) Information System Contingency Plan (ISCP) - Disaster Recovery Plan (DRP) - Privacy Impact Assessment (PIA) - Interconnection Security Agreement (ISA)/Memorandum of Understanding (MOU). Review and update the SSP as required by OCS and when a significant change to the system occurs. VA Cloud ATO Process | 26 the SSP and approved by the VA CIO (as the AO) or designee prior to implementation. 10. Provide appropriate access to VA systems (including types of privileges or access), in coordination with VA managers and ISOs. [populate with name of actual designee, as appropriate] Yes No 11. Ensure the development and maintenance of SSPs and contingency plans are in coordination with local information owners, the local system administrators, ISO, and functional “end user” for nationally deployed systems. [populate with name of actual designee, as appropriate] Yes No 12. Ensure system users and support personnel receive required security training. [populate with name of actual designee, as appropriate] Yes No 13. Assist the local system administrators in the identification, implementation, and assessment of security controls. [populate with name of actual designee, as appropriate] Yes No 14. Ensure the information system receives authorization prior to operational deployment, is reauthorized when a significant change in the system or a major change in the data occurs, and is continuously monitored. [populate with name of actual designee, as appropriate] Yes No 15. Assist other VA officials with significant information security responsibilities in remediating the weaknesses or deficiencies identified in the plan of action and milestones (POA&M) and updating the POA&M, conducting periodic compliance validation reviews, and completing the FISMA annual assessment to reduce or eliminate system vulnerabilities. [populate with name of actual designee, as appropriate] Yes No 16. Ensure continuous monitoring activities are performed. [populate with name of actual designee, as appropriate] Yes No 17. Notify the responsible VA ISO, PO, VA Network Security Operations Center (VA-NSOC) and the OIG as appropriate per VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information (SPI), of any suspected incidents immediately upon identifying that an incident has occurred and [populate with name of actual designee, as appropriate] Yes No VA Cloud ATO Process | 27 assisting in the investigation of incidents, as necessary. 18. Ensure compliance with the Enterprise and Security Architecture throughout the system life cycle. [populate with name of actual designee, as appropriate] Yes No 19. Charter, organize, and maintain VA’s Patch and Vulnerability Team (PVT) Program. [populate with name of actual designee, as appropriate] Yes No 20. Collaborate with VA Identity Safety Service to monitor for identity theft, when appropriate. [populate with name of actual designee, as appropriate] Yes No 21. Nominate a COR for all contracts impacted by this directive and ensuring CORs complete the required COR training. [populate with name of actual designee, as appropriate] Yes No 22. Ensure security requirements and security specifications are explicitly included in VA contracts, as appropriate. [populate with name of actual designee, as appropriate] Yes No 23. Work with the ISO and PO to ensure contracts contain the required security language necessary for compliance with FISMA and 38 U.S.C. 5721-5728 and to provide adequate security for information and information systems used by the contractor, including the requirement for signing the VA Contractor ROB. [populate with name of actual designee, as appropriate] Yes No 24. Ensure contractors meet the appropriate background investigation requirements in accordance with VA Directive and Handbook 0710. [populate with name of actual designee, as appropriate] Yes No 25. Ensure contractors complete VA’s security and privacy awareness training and any additional role-based training, as outlined in the contract. [populate with name of actual designee, as appropriate] Yes No 26. Monitor the contract to ensure that security requirements are met, consulting the ISO and PO as necessary. [populate with name of actual designee, as appropriate] Yes No 27. Ensure compliance with Federal security requirements and VA security policies. [populate with name of actual designee, as appropriate] Yes No VA Cloud ATO Process | 28 28. Participate in self-assessments, external and [populate with name of actual designee, internal audits of system safeguards and as appropriate] program elements, including A&A of the system. Yes No 29. Evaluate proposed technical security controls to assure proper integration with other system operations. [populate with name of actual designee, as appropriate] Yes No 30. Identify requirements for resources needed to effectively implement technical security controls. [populate with name of actual designee, as appropriate] Yes No 31. Ensure the integrity in implementation and operational effectiveness of technical security controls by conducting technical control testing. [populate with name of actual designee, as appropriate] Yes No 32. Serve as owner for all local systems (e.g., tenant systems, guest networks) for which he/she is assigned, establishing standards (based on Federal requirements and VA security policies) for operating the systems within a VA facility, and removing non-compliant systems from use at the VA facility. [populate with name of actual designee, as appropriate] Yes No 33. Periodically repeat selected test procedures [populate with name of actual designee, from the system’s security authorization to as appropriate] ensure the security controls continue to operate effectively at the proper levels of assurance per NIST guidance and over the life cycle of the system. Yes No 34. Assist other VA officials with significant information security responsibilities in remediating the weaknesses or deficiencies identified in the POA&M; updating the POA&M, conducting periodic compliance validation reviews, and completing the FISMA annual assessment to reduce or eliminate system vulnerabilities. [populate with name of actual designee, as appropriate] Yes No 35. Collaborate with VA Identity Safety Service to provide training on identity theft and fraud prevention and mitigation and to assist in the prevention and mitigation of potential identity theft and fraud. [populate with name of actual designee, as appropriate] Yes No VA Cloud ATO Process | 29 36. Consult with the AO or designee, the local CIO and ISO when establishing or changing system boundaries. Additional guidance regarding the determination of system boundaries is outlined in NIST SP 800-37 and should be used if there are questions regarding a system’s boundary. [populate with name of actual designee, as appropriate] Yes No 37. In coordination with Information Owners and the ISO, categorize information systems as low-, moderate-, or high-impact for the security objectives of confidentiality, integrity, and availability. [populate with name of actual designee, as appropriate] Yes No 38. Continue with VA’s Risk Management Framework by: (1) selecting the initial baseline of security controls, (2) tailoring the initial baseline of security controls, and (3) supplementing the baseline controls as outlined in VA Handbook 6500. [populate with name of actual designee, as appropriate] Yes No 39. Implement and test the security controls specified in the approved SSP. [populate with name of actual designee, as appropriate] Yes No 40. Implement the VA-approved U.S. Government Configuration Baseline (USGCB) controls, formerly known as the Federal Desktop Core Configuration (FDCC), or Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). [populate with name of actual designee, as appropriate] Yes No 41. Ensure assessors have access to the information system and environment of operation where the security controls are employed, and the appropriate documentation, records, artifacts, test results, and other materials needed to assess the security controls. [populate with name of actual designee, as appropriate] Yes No 42. Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated controls, as appropriate. [populate with name of actual designee, as appropriate] Yes No 43. Prepare the POA&M based on the findings and recommendations of various security [populate with name of actual designee, as appropriate] Yes No VA Cloud ATO Process | 30 assessment reports excluding any remediation actions taken. 44. Assemble the security authorization package and submits the package to the AO for adjudication. [populate with name of actual designee, as appropriate] Yes No 45. Follow the security authorization process defined in VA Handbook 6500.3. [populate with name of actual designee, as appropriate] Yes No 46. Determine the security impact of proposed or actual changes to the information system and its environment of operation. [populate with name of actual designee, as appropriate] Yes No 47. Conducts remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the POA&M. [populate with name of actual designee, as appropriate] Yes No 48. Update the SSP, security assessment report, and [populate with name of actual designee, POA&M based on the results of the continuous as appropriate] monitoring process. Yes No 49. Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate VA officials on an ongoing basis in accordance with the monitoring strategy. [populate with name of actual designee, as appropriate] Yes No 50. Follow VA Handbook 6500.1, Electronic Media Sanitization requirements when a system is removed from service. [populate with name of actual designee, as appropriate] Yes No 51. Follow additional information regarding continuous monitoring in VA Handbook 6500.3. [populate with name of actual designee, as appropriate] Yes No 52. Implement and follow additional System Owner/Steward responsibilities as outlined in the VA Handbook 6500’s security control details. [populate with name of actual designee, as appropriate] Yes No The list of System Owner responsibilities is subject to change as federal and VA security policies, standards and guidance are modified. VA Cloud ATO Process | 31 Appendix D References and Supporting Documentation VA Handbook 6500 Office of Information Security document “Authorization Requirements Standard Operating Procedures Version 3.27”, dated September 28, 2018 Assessment and Authorization, Process Asset Library, Office of Information and Technology, undated. Other ATO documents can be found at: NSOC ATO Scan Forms VA Cloud ATO Process | 32 Appendix E Acronyms Acronym 3PAO A&A AO AOSB ATO CA CA UIM CAE CIO CIS CMP COOP COTS CPO CRISP CSOC CSP DB DRP eMASS ERM ERP EVVM FIPS FISMA FSS GRC GSS HIDS HIPS HISD IaaS ID IP IRP Definition Third-Party Assessment Organization Assessment and Authorization Authorizing Official Authorizing Official System Brief Authority to Operate Certification Authority Computer Associates Unified Infrastructure Management Common Application Enumeration Chief Information Officer Controls Implementation Summary Continuous Monitoring Requirement Continuity of Operations Plan Commercial Off-The-Shelf Certification Program Office Continuous Readiness in Information Security Program Cybersecurity Operations Center Cloud Service Provider Database Disaster Recovery Plan Enterprise Mission Assurance Support Service Enterprise Risk Management Emergency Response Plan Enterprise Visibility and Vulnerability Management Federal Information Processing Standards Federal Information Security Management Act Field Security Service Governance, Risk and Compliance General Support Services Host Intrusion Detection System Host Intrusion Prevention System Health Information Security Division Infrastructure as a Service Identification Internet Protocol (Usually refers to IP Address) Incident Response Plan VA Cloud ATO Process | 33 ISA ISCP ISO ISRM IT MOU MUMPS NEWT NIST NSD NSOC OIS OIT OPR PaaS PHI PIA PII PKI PO POA&M PTA RA REEF RMF RV RVWG SaaS SCCD SO SOP SP SSP SwA TATO TVM V&V VA VAEC VIP Interconnection Security Agreement Information Security Contingency Plan Information Security Officer Information and Security Risk Management Information Technology Memorandum of Understanding Massachusetts General Hospital Utility Multi-Programming System Nessus Enterprise Web Tool National Institute of Standards and Technology National Service Desk Network and Security Operations Center Office of Information Security Office of Information Technology Office of Primary Responsibility Platform as a Service Protected Health Information Privacy Impact Assessment Personally Identifiable Information Public Key Infrastructure Privacy Officer Plan of Action and Milestones Privacy Threshold Analysis Risk Assessment Remediation Effort Entry Form Risk Management Framework RiskVision RiskVision Working Group Software as a Service Security Compliance Configuration Data System Owner Standard Operating Procedure Special Publication System Security Plan Software Assurance Temporary Authority to Operate Threat and Vulnerability Manager Verification & Validation Veteran Affairs Veteran Affairs Enterprise Cloud Veteran-focused Integration Process VA Cloud ATO Process | 34 VIPR WASA VA IT Process Request Web Application Security Assessment VA Cloud ATO Process | 35
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes AACG Add Mark : AACG Class Block : AACG Class Type : USClassificationMarking AACG Created : 1 AACG Custom Class XML Part : {80ABBD87-EC2A-4CF4-9065-7228CE881282} AACG Decl On List : AACG Desc Markings : AACG Dissem Other : AACG Footer : .UNCLASSIFIED AACG Header : UNCLASSIFIED AACG Nato Warning Class Level : AACG OFFICE DLL : 1 AACG Orcon Originator : AACG Orcon Recipients : AACG SCI Other : AACG Sat Warning Type : AACG USAF Derivatives : AACG Version : 201810 Author : U.S. Department of Veterans Affairs, Office of Information and Technology Comments : OIT20171010 Company : Veteran Affairs Content Type Id : 0x010100C4F9C8DADA7F05428A278F645D412669 Create Date : 2018:11:19 13:43:09-05:00 Keywords : OIT, information technology, office of information and technology, word, OIS, Office of Information Security Modify Date : 2018:11:19 13:46:28-05:00 Portion Waiver : Source Modified : D:20181119184238 Has XFA : No Language : EN-US Tagged PDF : Yes XMP Toolkit : Adobe XMP Core 5.6-c015 91.163280, 2018/06/22-11:31:03 Metadata Date : 2018:11:19 13:46:28-05:00 Creator Tool : Acrobat PDFMaker 19 for Word Document ID : uuid:5dfab7b9-1de1-4ce6-9ef4-73499ac6496c Instance ID : uuid:7fc97e50-a173-4ecd-acd7-834ebe48ef81 Subject : 9 Format : application/pdf Title : OIT OIS Word Document Creator : U.S. Department of Veterans Affairs, Office of Information and Technology Producer : Adobe PDF Library 19.8.103 Aacg Office Dll : 1 Page Layout : OneColumn Page Count : 35EXIF Metadata provided by EXIF.tools