Department of Veterans Affairs Veteran’s Enterprise Management System

Download 321.93 Kb.
Date conversion29.04.2016
Size321.93 Kb.
1   2   3   4   5   6   7   8   9   ...   12

1.6.Constraining Policies, Directives and Procedures

The VEMS solution will be designed to operate in accordance to VA policies, directives, and procedures for Information Assurance (IA), Privacy, and Records Management. In addition, VEMS will adhere to emerging standards for Cloud Computing and Mobile Security technologies Enterprise Technical Architecture (ETA) requirements, and the Data Architecture Repository (DAR). These alignments will include ongoing IPT coordination and enhanced alignment in future design deliverables such as the SDD and data-centric deliverables.
Constraining Policies, Directives, and Procedures for VEMS include:

  • Federal Information Security Management Act (FISMA) of 2002;

  • VAAR 852.273-75 Security requirements for unclassified information technology resources (interim Oct 2008);

  • FIPS Pub 201, Personal Identity Verification for Federal Employees and Contractors, February 25, 2005;

  • Section 2224 of title 10, United States Code, "Defense Information Assurance Program"

  • Software Engineering Institute, Software Acquisition Capability Maturity Modeling (SA CMM) Level 2 procedures and processes;

  • Privacy Act of 1974

  • Title VI of the Civil Rights Act of 1964

  • Department of Veterans Affairs (VA) Directive 0710 dated September 10, 2004

  • Department of Veterans Affairs (VA) Directive 6102

  • Department of Veterans Affairs (VA) Handbook 6102 (Internet/Intranet Services)

  • Health Insurance Portability and Accountability Act (HIPAA); 45 CFR Part 160, 162, and 164; Health Insurance Reform: Security Standards; Final Rule dated February 20, 2003

  • Electronic and Information Technology Accessibility Standards (36 CFR 1194)

  • OMB Circular A-130

  • U.S.C. § 552a, as amended

  • 32 CFR 199

  • An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,
    March 2005

  • Sections 504 and 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998

  • Homeland Security Presidential Directive (12) (HSPD-12)

  • VA Handbook 6500

  • OED ProPath Process Methodology

  • NIST SP500-153, “ Guide to Auditing for Controls and Security: A System Development Life-Cycle Approach,” April 1988

  • Program Management Accountability System (PMAS) portal

  • Federal Travel Regulation (FTR)

  • NIST SP 800 145, “The NIST Definition of Cloud Computing”

  • “Federal Mobile Security Baseline”, Federal CIO Council, May 23, 2013 (or latest version)

  • “Mobile Security Reference Architecture”, Federal CIO Council and the Department of

Homeland Security (DHS), May 23, 2013

  • FedRAMP (Federal Risk and Authorization Management Program)

  • NIST SP 800-53, Rev 3

  • FIPS 140-2

A large portion of constraints directly address IA compliance needs for the VEMS solution. IA policies and procedures for VEMS must follow the information security program practices outlined in VA Handbook 6500 that also provides mandatory security controls to be applied against the VEMS architecture and design. VEMS will also achieve an Authority to Operate (ATO) at the FISMA Moderate assurance category at the application layer and a FedRAMP Moderate ATO at the infrastructure layer hosted by a FedRAMP accredited Cloud Service Provider. The FISMA and FedRAMP underlying frameworks are based on NIST SP 800-53 security control standards and guidelines along with cloud computing controls defined in NIST SP 800-145. VEMS will follow additional security constraints to handle the design needs for mobile interfaces to the application from the “Federal Mobile Security Baseline”, and “Mobile Security Reference Architecture” both published by the Federal CIO Council and DHS. OMB Circular A-130 is another publication as a VEMS constraint that covers guidelines for system security plans, emergency response plans, security awareness and training plans, and operational security requirements. Lastly, auditing guidelines for performing regular security assessments of the VEMS solution SDLC will follow guidelines from the NIST SP 500-153 “Guide to Auditing Controls and Security”.

Protecting the privacy of data that VEMS will be managing whether it is transactional, unstructured, or meta-data is of utmost importance to VEMS system design and functionality, and there are both privacy and data security constraints that must be followed. VEMS will be managing large sets of Personally Identifiable Information (PII) that will be handled under privacy laws and guidelines described in the Privacy Act of 1974. Furthermore, while VEMS may not process any Protected Health Information (PHI), the VEMS contract is still responsible under the T4 PWS to ensure HIPAA security rules and standards are followed for handling any PHI. Moreover, ensuring data security for VEMS requires numerous protections in how the data is processed at rest, in use, and in transit utilizing strong FIPS 140-2 approved encryption. VEMS will incorporate least privilege data access rules with role-based access controls, and strong identification, authentication, and authorization controls implemented for system users by applying HSPD-12 and FIPS Pub 201 constraints.
One of the main goals of the VEMS solution is to replace the lack of data integration services of the legacy system to a new architecture that can interface with common data services and follow constraints of the Data Architecture Repository (DAR) Enterprise Technical Architecture Compliance Criteria. VEMS will integrate with the VA Common Data Model and other key components of the VA Data Enterprise Architecture.
Further, VEMS has been aligned with the OneVA Enterprise Technical Architecture as follows:

Table 4: Alignment of VEMS with VA Enterprise Technical Architecture

ETA Criteria

ETA Sub-Criteria

VEMS Alignment

Mission Alignment

Veteran Centric Solution

VEMS supports the veteran directly through certification of Veteran-Owned Small Businesses and Service Disabled Veteran-Owned Small Businesses

Mission Alignment

Business Architecture

VEMS was designed to provide a secure and stable environment for veterans’ applications handling. VEMS uses mainstream architecture and VA enterprise software like Dynamics and SharePoint to perform core functions.

Data Visibility and Accessibility

N-Tier Architecture

VEMS provides programming language and operating system agnostic web services to provide data to those approved to view it. VEMS follows a 3-tier architecture that separates the data presentation, business rules and data storage to make enhancements and troubleshooting less disruptive to the overall solution. The layers use asynchronous components and events and many times are coupled with web services.

Data Visibility and Accessibility

Data Independence

The application and data are separated into layers; transactions are governed by commits and rollbacks.

Data Visibility and Accessibility

Common Look and Feel

VEMS web site design is based on HTML5. It is designed and architected from input from a cross functional workgroup.

Data Visibility and Accessibility

Data Persistence

All VEMS data, including data accessed by all VEMS developed applications are stored on approved VA servers.

Data Visibility and Accessibility

Test Driven Development

Unit tests have been developed for web services where appropriate.

Data Visibility and Accessibility

Exception Handling

There is extensive use or TRY/CATCH exception handling throughout the web site and ancillary code as well as in the OCTS products.

Data Visibility and Accessibility


VEMS applications can scale out. VEMS is load balanced and more servers/VMs can be added as needed.

Data Visibility and Accessibility

Stateless Business Logic

User interaction and session information is not stored within business logic.

Data Visibility and Accessibility


VEMS services and application fully meet Section 508 requirements.

Data Interoperability

Data standards

All data stored in VEMS adhere to and follow the standards set for the VA systems.

Data Interoperability

Authoritative information sources

All VEMS data follow the VA standards, with the VA systems as the authoritative data source. Reuse of data design from VRM and FCMT enhances these criteria.

Data Interoperability

Enterprise data model

All VEMS data follow the VA standards.

Data Interoperability

Local copies of data

VEMS uses VEMS-specific copies of data as necessary but leverages VA authoritative data stores for external data that is fetched real-time.

Data Interoperability

Meta Data Registry

All VEMS data are documented with metadata and can be published as required.

Infrastructure Interoperability

Cloud first

VEMS ill be cloud hosted with enterprise SLAs to ensure performance and availability.

Infrastructure Interoperability

Standard OS images

VEMS will use standard images as part of the cloud model and provide offsite backup of these images for rapid restoration.

Infrastructure Interoperability

Standard databases

All VEMS database platforms, including hardware, operating system, middleware, databases, and supporting system software conform to the VA Standard Databases. VEMS uses Microsoft Windows Server operating system and SQL Server databases.

Infrastructure Interoperability


VEMS evaluate the requirement of each application and determine the best placement, either as a physical or Virtual machine.

VEMS uses virtualization technology.

Infrastructure Interoperability

Infrastructure capacity

VEMS capacity is planned, tested, and provided by cloud host SLAs.

Infrastructure Interoperability


Storage requirements are based on historical usage and incoming data request to determine our future growth. DBAs carefully monitor usage and provide future growth projections.

Infrastructure Interoperability

Network Configurations

VEMS network devices will be configured to industry best practices and servers configured to communicate on Ethernet VLANs (Virtual Local Area Networks).

Infrastructure Interoperability

System monitoring

System monitoring, reporting, and improvement will be provided under SLA by the VEMS cloud host.

Infrastructure Interoperability

Disaster recovery

VEMS does not affect patient care so it is not classified as critical system. Only the data is located at multiple physical locations. Core DR functions will be provided under SLA by the cloud host.

Infrastructure Interoperability

Backup and restore

Core DR functions will be provided under SLA by the cloud host.

Infrastructure Interoperability

Thin client

VEMS utilizes web technologies where possible. Where client applications are required, they are presented to the user through desktop virtualization, keeping the thick client components centralized.

Information Security

Security regulations

VEMS will obtain ATO by submitting all necessary C&A documentation.

Information Security

External hosting

VEMS will be cloud hosted and interact with multiple external systems per the architecture diagrams continued.

Information Security

Secure access paths

The security access is being managed by Active Directory which specific security access can be given to a specific user to a specific set of data.

Information Security

Secure information sharing

Data access is being managed by Active directory that audit access to the server to the event logs. Only approved users with VA account can access the system.

Information Security


Sensitive Data will be managed and tracked at the data level. Only approved users are allowed access to sensitive information.

Information Security


VEMS closely follows the VA PKI initiative and deploy when the infrastructure are ready.

Enterprise Services

System integration

VEMS follows the strict standard of OIT implementation. The VEMS website will use standard HTML5 and in order to access VEMS workspace securely, it will employ HTTPS protocol to provide encrypted access to the environment. VEMS will leverage BGS and MVI services (potentially VLER) to act as a service consumer in SOA.

Enterprise Services

Service registry

VEMS will consume and provide (as necessary) services to/from the registries. (UDDI)

Enterprise Services

Shared enterprise services

Only if the request is denied or cannot be fulfilled, then we develop local services.

Enterprise Services


VEMS authenticates all users via Active Directory and Kerberos. Each user must obtain a VA account and approval from their management to access VEMS.

Enterprise Services

VLER Information Services


Enterprise Services

Service Enabled Information Sharing


Enterprise Services


All products have been reviewed to be on TRM or has an exception filed to be used within VEMS. VEMS mainly uses Microsoft products, MS SQL, and other COTS.

Enterprise Services

COTS Products

All the production software is either on the TRM or has exception filed for use in production environment. We do retire older version of the software due to newer version and supportability of older version.

1   2   3   4   5   6   7   8   9   ...   12

The database is protected by copyright © 2016
send message

    Main page