VA EA Security Domain
Protecting our critical infrastructure, assets, networks, systems, and data is one of the most significant challenges our country faces in today’s Internet-based IT environment. Every day, our Nation experiences increasingly sophisticated cyber threats and malicious intrusions. Not surprisingly, in 1997 GAO designated Federal information security as a government-wide high-risk area (see GAO Report on Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs).
The Security Domain describes what VA must do to protect sensitive personal customer and employee information and ensure its cyberspace ecosystem is secure, ready, resistant, and resilient to threats, unauthorized access, and vulnerabilities. According to the Conceptual Metamodel below, the scope of this Domain includes security-related strategies, plans, laws, policies, regulations, capabilities, standards, practices, and performance measures.
[Figure: Conceptual Metamodel – Security Domain View]
The Security Domain information is closely linked to all other domains because security is integral to the overall posture and health of an organization and of each system within it. These linkages:
- Describe the relationships between the Department’s cybersecurity strategy, goals, and objectives and enabling capabilities, functions, business processes, information, infrastructure, and technology needs
- Identify the laws, policies and regulations, and technical standards that must be met to ensure a compliant and secure IT operating environment
- Identify enterprise services that deliver security-related functions at lower cost than new development
- Provide standards related to sharing of information among systems, lines of business, customers, and partner providers
- Enable the establishment of a common “language” for information security within the Department
When this Metamodel and its relationships are fully developed, the information captured in this Domain can be used to enable the adoption of the latest technology innovations and help identify candidate systems, applications, and platforms for remediation or retirement due to security risks. By successfully addressing the cybersecurity risk in VA’s technology environment, VA will be able to provide trusted access and sharing of information within the ecosystem of Veteran service providers, thus ensuring confidence in VA.
As the Enterprise Cybersecurity Strategy continues to mature and evolve, the VA EA will be updated. This will include the addition and integration of all relevant security requirements to support critical aspects of the strategy that must be followed and enforced within VA business processes during the development, implementation, and execution of IT solutions.
Key EA Artifacts Currently Available
White Papers/Tech Insights
- Security-related Tech Insights:
  - A VA Executive’s Guide to Mobile Security (January 2016) – This Tech Insight highlights mobile security concerns and provides enterprise solutions, including a critical focus on Enterprise Mobility Management (EMM).
  - Cloud Privacy and Security (May 2015) – This Tech Insight discusses data privacy and security in a cloud computing environment.
  - Mobile Device Security (May 2014) – This Tech Insight discusses the increased use of mobile devices in the workplace and the many security issues raised by this trend.
Models, Patterns, and Reports
- Enterprise Design Patterns – The security-related Enterprise Design Patterns include the following:
  - User Identity Authentication – This Enterprise Design Pattern describes the “To-Be” state for VA internal user identity authentication (Personal Identity Verification [PIV]-enabled VA employees, contractors, and volunteers), as well as external user identity authentication (business partners, Veterans, and others who access VA resources from outside VA’s networks).
  - External User Identity Authentication – This Enterprise Design Pattern supports VA’s goals of increasing security, decreasing total cost of ownership (TCO), and increasing information re-use/agility.
  - Enterprise Secure Messaging – This Enterprise Design Pattern implements the standards and protocols required for message-level security. It describes the message-level security standards needed to integrate the enterprise IT infrastructure and Enterprise Shared Services (ESS).
  - Mobile Veteran Facing Applications Security – This Enterprise Design Pattern provides enterprise-level capability guidance that identifies security best practices for Veteran-facing mobile applications used to access VA IT resources.
  - Non-Person Entity Security – This Enterprise Design Pattern describes the “To-Be” state for VA Non-Person Entity (NPE) security. It describes the “adaptive” authentication tools that need to be implemented, and the need for authentication protocols that can support attribute- and risk-based access controls.
VA Policies, Guidance, and Statutes
- VA Directive 6500 – Information Security Program (20 Sep 2012)
- VA Handbook 6500 – Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program (10 March 2015)
- VA Directive 6517 – Risk Management Framework for Cloud Computing (15 Nov 2016)
- Federal Information Security Modernization Act (FISMA) – FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.
- OIG FISMA reporting: 2014 FISMA Modernization Act and IG Maturity Model for Information Security Continuous Monitoring (ISCM) – A presentation that discusses the changes introduced by FISMA 2014, provides metrics for assessing security programs, and proposes a maturity model to be used for assessment reporting.
- FY 17 Annual Report to Congress: Federal Information Security Modernization Act – This is an annual report on the effectiveness of information security policies and practices during the preceding year and a summary of the evaluations conducted by agency Inspectors General. This report covers the period from April 1, 2017, through November 30, 2017.
- Director, OMB Memorandum – Annual Report To Congress: Federal Information Security Modernization Act, 30 October 2015 – This memorandum establishes current Administration information security priorities and provides agencies with Fiscal Year (FY) 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management reporting guidance and deadlines, as required by the Federal Information Security Modernization Act of 2014.
- FY 2016 CIO FISMA Metrics – FY 2016 CIO FISMA (FY 2016 FISMA) metrics focus on assessing Department/Agency (D/As) progress toward achieving outcomes that strengthen Federal cybersecurity.
- National Security Agency (NSA) Community Gold Standard Framework (CGS) v2.0 – A comprehensive set of best practices compiled by the NSA. It provides a holistic view of Information Assurance considerations for decision makers to use in planning, and for security engineers to use in implementing the measures necessary for a defensible enterprise. The CGS maps to National Institute of Standards and Technology (NIST) guidance and is compatible with the existing VA NIST-based common taxonomy, organizational mechanisms, and NIST-based architectural frameworks, among others. Its capabilities correlate to the NIST SP 800-53 and VA Handbook 6500 controls with which VA stakeholders are familiar, which allows the CGS to integrate easily into the existing VA EA. CGS aligns to VA security functions and organizations (Govern, Protect, Detect, Respond & Recover) and is flexible enough to accommodate existing Enterprise Security Architecture (ESA) activities and artifacts (e.g., business-driven Sherwood Applied Business Security Architecture (SABSA)-based analysis).
- National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014)
- National Institute of Standards and Technology (NIST) standards:
  - SP 800: Computer Security (December 1990-present)
  - SP 800-37: Computer Security: Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010-present)
  - SP 500: Computer Systems Technology (January 1977-present)
  - SP 1800: NIST Cybersecurity Practice Guides (2015-present)