INTERCONNECTION SECURITY AGREEMENT AND MEMORANDUM OF UNDERSTANDING Between the Department of Veterans Affairs Veterans Benefits Administration Veterans Relationship Management Office and Vendor Name MM/YYYY

Report Template - VA Center for Innovation · Web view0.2 DAS Team Refinement of information. 09/05/15 0.3 Laura Manning, DAS Team TW TWR1 09/08/15 0.4 Laura Manning, DAS Team TW


INTERCONNECTION SECURITY AGREEMENT AND MEMORANDUM OF UNDERSTANDING

Between the Department of Veterans Affairs Veterans Benefits Administration Veterans Relationship Management Office and Vendor Name

MM/YYYY


FOR OFFICIAL USE ONLY

Document Control Change Sheet

| Date | Filename/Version # | Author | Revision Description |
|---|---|---|---|
| 07/30/15 | 0.1 | M. Snowden | Start putting info in template. |
| 08/30/15 | 0.2 | DAS Team | Refinement of information. |
| 09/05/15 | 0.3 | Laura Manning, DAS Team TW | TWR1 |
| 09/08/15 | 0.4 | Laura Manning, DAS Team TW | Implemented feedback from ISO review. Checked content against MOU/ISA checklist. Four unanswered questions outstanding. |
| 12/8/2015 | 0.5 | David Martin | Updated language reflecting Vendor not storing VA sensitive data. |
| 1/6/2015 | 0.6 | Joseph Cosentino | D2D Project Requested Edits |

Office of Information Security ii January 2016


Table of Contents

EXECUTIVE SUMMARY
1. INTRODUCTION
    1.1 Overview and Purpose
    1.2 Authority
2. MEMORANDUM OF UNDERSTANDING
    2.1 Background
    2.2 Ownership of Data (including storage requirements)
    2.3 Communications
        2.3.1 Security Incidents
        2.3.2 Disasters and Other Contingencies
        2.3.3 Material Changes to System Configuration
        2.3.4 New Interconnections
        2.3.5 Personnel Changes
        2.3.6 Security
3. INTERCONNECTION SECURITY AGREEMENT
    3.1 Background
        3.1.1 System Description
        3.1.2 System Hardware and Software Requirements
    3.2 System Security Considerations
        3.2.1 System Security Documentation
        3.2.2 General Information/Data Description
        3.2.3 Services Offered
        3.2.4 Information Security Officer at Interconnection Site
        3.2.5 Sensitivity Categorization
        3.2.6 User Community
        3.2.7 Trusted Behavior Expectations
        3.2.8 Formal Security Policy
        3.2.9 Audit Trail Responsibilities
        3.2.10 Security Parameters
        3.2.11 Training and Awareness
    3.3 Topological Drawing
4. DURATION
5. SIGNATORY AUTHORITY


APPENDIX A: POINTS OF CONTACT
APPENDIX B: QUESTIONNAIRE – TRANSMISSION OF VA SENSITIVE INFORMATION USING A SYSTEM INTERCONNECTION
APPENDIX C: VA ANNUAL REVIEW DOCUMENTATION
APPENDIX D: DEFINITIONS OF SENSITIVE INFORMATION TYPES
    D.1. Relations among Different Types of Information
APPENDIX E: INTERCONNECTION PORTS AND PROTOCOLS


List of Tables

TABLE 1: IT SYSTEMS OF THE VLER DAS ASSESSING VENDOR NAME MOU/ISA
TABLE 2: PARTIES RESPONSIBLE FOR EACH SYSTEM
TABLE 3: PARTIES TO CONTACT DURING A SECURITY INCIDENT
TABLE 4: QUESTIONNAIRE 1 - TRANSMISSION OF VA SENSITIVE INFORMATION USING A SYSTEM INTERCONNECTION
TABLE 5: ANNUAL DOCUMENTATION REVIEW
TABLE 6: SENSITIVE INFORMATION TYPES
TABLE 7: INTERCONNECTION PORTS AND PROTOCOLS

List of Figures

FIGURE 1: TOPOLOGICAL DRAWING
FIGURE 2: DATA TYPES


Executive Summary

The Department of Veterans Affairs (VA) Veterans Benefits Administration (VBA) Veterans Relationship Management (VRM) Office, which operates the Digits to Digits (D2D) program (hereafter referred to collectively as the VA), uses a Memorandum of Understanding (MOU) to document the terms and conditions for sharing data and information resources in a secure manner. The following supporting information within the MOU will define the purpose of the interconnection, identify relative authorities, specify the responsibilities of both organizations, and define the terms of the agreement. Additionally, the MOU provides details pertaining to apportionment of cost and timeline for terminating or reauthorizing the interconnection.

Technical details on how the interconnection is established or maintained are included within the Interconnection Security Agreement (ISA). A system interconnection is a direct connection between two or more information technology (IT) systems for the purpose of sharing data and other information resources. The VA D2D program uses the ISA to formally document the reasons, methodology, and approvals for interconnecting IT systems; to identify the basic components of an interconnection; to identify methods and levels of interconnectivity; and to discuss potential security risks associated with the interconnections.


1. INTRODUCTION

1.1 Overview and Purpose

The ISA specifies the technical and security requirements of the interconnection and the MOU defines the responsibilities of the participating organizations.

This MOU/ISA between the organizations listed below is the initial MOU/ISA pertaining to the interconnection described below.

The purpose of this section is to establish a management agreement between the Department of Veterans Affairs (VA) Veterans Benefits Administration (VBA) Veterans Relationship Management (VRM) (with respect to the Digit to Digit (D2D) project and claims submission process) and Vendor Name regarding the development, management, operation, and security of a connection between VLER DAS Assessing and Vendor Name’s Claim Management System (owned by Vendor Name). In the absence of a common management authority, this agreement will govern the relationship between the VA and Vendor Name, including designated managerial and technical staff.

1.2 Authority

The authority for this interconnection is based on the following.

- Federal Information Security Management Act (FISMA)
- VA Directive 6500, Managing Information Security Risk: VA Information Security Program, and Handbook 6500, Risk Management Framework for VA Information Systems: Tier 3 – VA Information Security Program
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. Part 160
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems
- 38 United States Code (U.S.C.) §§ 5721-5728, Veteran’s Benefits, Information Security
- Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Systems
- 18 U.S.C. 641 Criminal Code: Public Money, Property or Records
- 18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information

The authority to disclose VA data per this agreement must comply with disclosure authority under each of the following applicable statutes.

- Privacy Act of 1974, 5 U.S.C. § 552a
- VA Claims Confidentiality Statute, 38 U.S.C. § 5701
- HIPAA Privacy Rule, 45 C.F.R. Part 164
- Confidentiality of Certain Medical Records, 38 U.S.C. § 7332
- Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. § 5705
- Freedom of Information Act (FOIA), 5 U.S.C. § 552


2. MEMORANDUM OF UNDERSTANDING

2.1 Background

Through this agreement, it is the intent of both parties to connect the VLER DAS Assessing and Vendor Name IT systems via an asynchronous secure connection in order to transmit data. Vendor Name requires the use of VLER DAS Assessing, as approved and directed by Brian Stephens, Deputy Director, Disability and Medical Assessment (DMA), the Executive in Charge and Chief Information Officer, O&IT within the authority contained in VA Directive & Handbook 6500. The expected benefit of the interconnection is to provide connectivity to Vendor Name which provides software as a service to Veterans Service Organizations submitting Benefits claims to VA. Under this ISA, Vendor Name will make a one way submission of data to VA. At no time will VA PII/PHI sensitive information be transmitted back to Vendor Name.

Each IT system involved in this MOU/ISA is described below.

Table 1: IT Systems of the VLER DAS Assessing VENDOR NAME MOU/ISA

| System / Info Asset | Function | Location | Data to be Transmitted |
|---|---|---|---|
| VLER DAS Assessing | VLER DAS Assessing delivers a wide range of integrally linked, complementary capabilities and services that enable the transmission of Veteran and Service Member medical, benefit, personnel and personal/administrative information (DAS data). These capabilities will cut across the entire VA enterprise, including VHA, Veterans Benefit Administration (VBA), National Cemetery Administration (NCA), Office of Policy and Planning (OPP) and OI&T, program offices, and external partners. | VLER DAS Assessing is currently located at Philly SunGard and is scheduled to be moved to the Austin Information Technology Center (AITC) in August 2016. | This system contains Veteran medical records that contain both Protected Health Information (PHI) and Personally Identifiable Information (PII) data. |
| Vendor Name | Vendor Name provides software as a Claims Management System to Veteran Service Organizations (VSO’s). | Vendor Name | Veteran Benefits claims including medical exam results will be transferred to VLER DAS Assessing; this data will contain Veteran PII and PHI. VBA categorizes this system as Moderate; VLER DAS Assessing has a category of High. |

2.2 Ownership of Data (including storage requirements)

The system interconnection described in this MOU/ISA will not enable the transmittal of VA owned sensitive information; only non-VA owned sensitive information as well as non-sensitive information per the business needs described in this document. Sensitive information types are discussed in Appendix D. If, in the future, VA transmits sensitive information to Vendor Name through the system interconnection, the transmission must be protected through the use of FIPS 140-2 (or successor) validated encryption, this MOU/ISA will need to be re-executed, and the VA originating point of contact (POC) for the data transfer must submit responses to the questionnaire contained in Appendix B.

Vendor Name has not identified any specific requirements (outside of those currently specified in this ISA/MOU) needed from VA regarding information transmitted by means of the system interconnection from Vendor Name to VLER DAS Assessing.

Ownership of the data is never transferred to Vendor Name from the VA. The Vendor Name-VLER DAS Assessing System will follow its own established policy for storage. Only copies of VA information may be given to Vendor Name; VA will always retain VA’s original version of the data.

The type of data being transmitted from Vendor Name is non-VA owned PHI and PII.

IMPORTANT! NO VA sensitive information will be stored on Vendor Name’s systems connection.

The information provided may not be disclosed or used for any purpose other than as outlined in this agreement. If Vendor Name wishes to use the data and information provided by VA under this agreement for any purpose other than those outlined in this agreement, Vendor Name shall make a written request to VA describing the additional purposes for which it seeks to use the data. If VA determines that Vendor Name’s request to use the data and information provided hereunder is acceptable, VA shall provide Vendor Name with written approval of the additional use of the data.

Vendor Name hereby acknowledges that criminal penalties under § 1106(a) of the Social Security Act (42 U.S.C. § 1306(a)) may apply to disclosures of information that are covered by § 1106 and that are not authorized by regulation or by Federal law. Vendor Name further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. § 552a (i)(1)) may apply if it is determined that Vendor Name, or any individual employed or affiliated therewith, knowingly and willfully discloses VA’s sensitive information. Vendor Name further acknowledges that criminal penalties under the HIPAA (45 C.F.R. 160.404) may apply if it is determined that Vendor Name, or any individual employed or affiliated therewith, knowingly and willfully discloses VA’s sensitive information pertaining to protected health information. Finally, Vendor Name acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641 if it is determined that Vendor Name, or any individual employed or affiliated therewith, has taken or converted data file(s) to his own use or received the file(s) knowing that they were stolen or converted.

2.3 Communications

Frequent formal communications are essential to ensure the successful management and operation of the interconnection agreement. The parties agree to maintain open lines of communication between designated staff at both the managerial and technical levels. All communications described herein must be conducted in writing (mail or email, excluding any sensitive VA information) unless otherwise noted.

VLER DAS Assessing, in coordination with the D2D product owner, and Vendor Name’s Systems agree to designate and provide contact information for the technical lead(s) for their respective system and to facilitate direct contact between technical leads to support the management and operation of the interconnection. To safeguard the confidentiality, integrity, and availability of the connected systems and the data stored, processed, and transmitted, the parties agree to provide notice of specific events within the timeframes indicated below.

2.3.1 Security Incidents

VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information (SPI) governs the reporting of incidents involving VA systems and information. If Vendor Name’s employee, contractor, or agent becomes aware of the theft, loss or compromise of any device used to transport, access or store VA-sensitive information or data, such employee, agent, or contractor must immediately report the incident to the VA POC listed within Appendix A or in the Business Associate Agreement (BAA) (or contract when applicable) so that the incident can be reported to the VA Network Security Operations Center (VA-NSOC) for action. Should any security incident or event (or suspected incident or event) involve VA-owned sensitive data (e.g. the theft, loss, compromise, or destruction of any device used to transport, access, or store VA data) covered by this agreement, or the incident places VA data at risk of loss, unauthorized access, misuse or compromise, then Vendor Name will notify the VA POC listed within Appendix A or in the Business Associate Agreement (BAA) or contract when applicable, by phone or in writing immediately upon detection. The VA POC will immediately notify the D2D product owner and VBA’s ISO or PO, as well as the D2D ISO, who will contact VA-NSOC within one hour of notification. Vendor Name will provide details of the security event, the potential risk to VA owned sensitive information, and the actions that have been or are being taken to remediate the issue. Vendor Name will also provide VA with a written closing action report once the security event or incident has been resolved. VA will follow this same notification process should a security event occur within the VA boundary involving Vendor Name’s provided data. Designated POCs will follow established incident response and reporting procedures, determine whether the incident warrants escalation, and comply with established escalation requirements for responding to security incidents. These reporting requirements DO NOT apply to Veteran or VSO owned PHI or PII stored on Vendor Name’s systems.

2.3.2 Disasters and Other Contingencies

Technical staff will immediately notify their designated counterparts listed within Appendix A by telephone or email in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected systems.

2.3.3 Material Changes to System Configuration

Planned technical changes to the system connection architecture will be reported to technical staff before such changes are implemented. Prior to implementing a change, the System Owner, with assistance from the ISO and PO, will conduct a risk assessment (RA) based on the new system architecture and determine if the proposed change requires reauthorization of the interconnection. Formal reauthorization is required whenever a system undergoes a significant change and the MOU/ISA must be modified and re-signed within one (1) month of implementation.

A significant change to an information system should only be reported in the case that it causes VA owned PII or PHI to be transferred to the Vendor Name system. In that case, changes that require reporting may include changes to the system itself or to the environment of operation. Significant changes to the information system may include but are not limited to: installation of a new or upgraded operating system, middleware component, or application; modifications to system ports, protocols, or services; installation of a new or upgraded hardware platform; modifications to cryptographic modules or services; or modifications to security controls. Significant changes to the environment of operation may include, but are not limited to: moving to a new facility; adding new core missions or business functions; acquiring specific and credible threat information that the organization is being targeted by a threat source; or establishing new or modified laws, policies or regulations. Major changes to the information collected or maintained are those changes that could result in greater disclosure of information or a change in the way personal data is used.

2.3.4 New Interconnections

The initiating party will notify the other party at least one (1) month before it connects its IT system (as described in Section 2.1) with any other IT system that materially impacts the security of the interconnection covered by this MOU/ISA. This includes connecting the IT system with systems that are owned and operated by third parties in a manner that changes how VA Owned Sensitive Information is handled, transmitted, and/or stored.

2.3.5 Personnel Changes

The parties agree to provide notification of the separation or long-term absence of their respective system owner or technical lead. In addition, both parties will provide notification of any changes in POC information. With respect to the system owner and technical lead, both parties also will provide notification of changes to user profiles, including users who resign or change job responsibilities.

The responsible parties for each system are listed in Appendix A Points of Contact of this MOU/ISA. The appendix will be updated as necessary. Updating the appendix does not require the re-signing of this MOU/ISA by either party. It is the responsibility of each respective approving authority to ensure the timely updating of this appendix and for the notification of such changes to the alternate party within thirty (30) days of any personnel change.

2.3.6 Security

Both parties agree to work together to ensure the joint security of the connected systems and the data stored, processed, and transmitted, as specified in the ISA section of this document. By signing this agreement each party certifies that its respective system is designed, managed, and operated in compliance with all relevant Federal laws, regulations, and policies including those stated in Section 1.2 Authority.


3. INTERCONNECTION SECURITY AGREEMENT

3.1 Background

The technical details of the interconnection are documented in this ISA section of the document. Proposed changes to either system or the interconnecting medium will be reviewed and evaluated to determine the potential impact to the interconnection. The MOU/ISA will be renegotiated before changes (identified in Section 2.2.4) are implemented. Signatories to the MOU/ISA shall be the System Owner, ISO and PO for each system. The document should become an integral piece of the VA Assessment and Authorization (A&A) documentation and should be included in subsequent authorization requests.

3.1.1 System Description

For the VA, VLER DAS Assessing delivers a wide range of integrally linked, complementary capabilities and services that enable the transmission of Veteran and Service Member medical, benefit, personnel and personal/administrative information (Data). These capabilities will cut across the entire VA enterprise, including VHA, VBA, NCA, OPP and OIT program offices, and external partners.

For Vendor Name, Vendor Name provides software as a service Claims Management System to VSO’s which will be used in conjunction with the connection defined herein to transmit Benefit claims to VA.

The Vendor Name Claim Management System is a proprietary 3rd party claim management system comprised of file servers with perimeter firewalls and detection monitors.

3.1.2 System Hardware and Software Requirements

Vendor Name transfers non-VA Owned Veteran data to VA using a FIPS 140-2 compliant web services call (https) supported with SSL certificates.

3.2 System Security Considerations

3.2.1 System Security Documentation

VLER DAS Assessing holds a Temporary Authorization to Operate (TATO) based on successful adherence to all of the NIST 800-53 Security Control Families; this also complies with the same requirements in VA Directive & Handbook 6500. This system authorization expired on May 2, 2015 (AITC) and April 27, 2015 (PITC), and the system is currently undergoing the process to acquire a new Authorization to Operate (ATO).

Accreditation_Requirements_Expectation_03 19 14.pdf memo dated March 19, 2014 Section 3 states: “Also, in the situation where a system has a Temporary ATO (TATO) that expires prior to the Designated Approval Authority (DAA) granting a new accreditation decision, the system is appropriately covered under VA's continuous monitoring process and can maintain its existing accreditation decision until the DAA issues the new decision.”

Based on this guidance from the VA DCIO for Information Security, any system whose TATO has expired and is not immediately renewed is still considered accredited until it is issued the new ATO/TATO.

It is only after formal establishment of a legal basis for power of attorney to represent a Veteran desiring to make a claim utilizing their services that the approximately 300 Veteran Service Organizations (VSO) transmit data through the contracted secure interfaces referenced above.

Vendor Name has implemented a layered security defense combining multiple mitigating security controls to protect resources and data (non-VA Owned).


Different institutions assess and document system security through a variety of methods (e.g., risk assessment (RA), security control assessment (SCA), contractor security control assessment (CSCA), or system security plan (SSP)). For VA systems, the system interconnection/information sharing aspect is an essential part of the SSP. Two sections in the SSP require documentation of interconnections:

System Identification: The VA facility must identify and document the types of system interconnections and information sharing that is allowed within the system.

Security Assessment and Authorization (CA-3): The VA facility must identify and document whether all connections are authorized between the system and other systems outside the authorization boundary. The VA facility must also identify, document, and list external connections outside VA, as well as indicate information concerning the MOU/ISA. The VA facility must identify and document the appropriate officials designated to approve the information system agreements.

The VLER DAS Assessing system (owned by VA VBA VRM D2D) has been assessed against NIST SP 800-53 revision 4 controls and is governed by a comprehensive set of IT security and privacy policies and procedures.

Per Vendor Name, the Vendor Name Claim Management System (owned by Vendor Name) submitted the annual Contractor Security Control Assessment (CSCA) in December 2014.

3.2.2 General Information/Data Description

The interconnection between VLER DAS Assessing and Vendor Name is a one-way path. For detailed data description, see Appendix D.

3.2.3 Services Offered

The web services call uses a secure connection via https for transmission of data between Vendor Name and VLER DAS Assessing. SOAP is the protocol used to map data types from the Vendor Name data interface to the VLER DAS Assessing interface.

3.2.4 Information Security Officer at Interconnection Site

There must be an established ISO (or business partner equivalent) at all interconnection sites (described herein) who can provide oversight through the duration of the system development lifecycle (SDLC) phases (development, deployment, operations, and disposal) of the interconnection and who can ensure that the systems maintain appropriate security controls.

3.2.5 Sensitivity Categorization

The sensitivity categorization of data transmitted between the VA and Vendor Name is based on FIPS 199, Sensitivity Categorization of Federal Systems and guidance in NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The VLER DAS Assessing system has an overall category of High. Information transmitted from DAS to Vendor Name has a categorization of Low since the only data transmitted back to the VSO Vendor system is in the form of error messages, not Veteran Claim data.

3.2.6 User Community

A VA SAC/NACI is not required for the users of Vendor Name because there is no VA Owned Sensitive information transmitted to Vendor Name.

3.2.7 Trusted Behavior Expectations

VA system and users are expected to protect Vendor Name's System or Informational Asset, and Vendor Name's system and users are expected to protect VLER DAS Assessing, in accordance with the Privacy Act and Trade Secrets Act (18 U.S.C. 1905), the Unauthorized Access Act (18 U.S.C. 2701 and 2710), and HIPAA.

3.2.8 Formal Security Policy

Directives or policies that govern the protection of the data include but are not limited to NIST documents, VA Directive 6500, and VA Handbook 6500 (or successors).

3.2.9 Audit Trail Responsibilities

Both parties are responsible for auditing application processes and user activities involving the interconnection with sufficient granularity to allow successful investigation and possible prosecution of wrongdoers. Activities that will be recorded include event type, date and time of event, user identification, workstation identification, success or failure of access attempts, and security actions taken by system administrators or security officers. Audit logs will be retained for a minimum of three (3) years.

3.2.10 Security Parameters

VA agrees to maintain a formal security program, maintain security plans, and conduct risk assessments and periodic independent security inspections according to a formal approved security program. Vendor Name agrees to maintain a formal security program compliant with its contractual responsibilities with VSOs to which it provides service and not subject to VA parameters. Directives or policies that govern the protection of the data and information transmission are as follows: National Institute of Science and Technology (NIST), Federal Information Security Management Act of 2002 (FISMA), OMB, Vendor Name Security Policies and Procedures Manual, and VA Directive and Handbook 6500, Risk Management Framework for VA Information Systems-Tier 3: VA Information Security Program. These laws, directives, and regulations include requirements for safeguarding Federal information systems and PII used in Federal agency business process as well as related reporting requirements. Vendor Name recognizes and will implement, if mandated, per its contracts with VSOs, the laws, regulations, NIST standards, and OMB directives including subsequent publications to the effective date relating to the subject of this agreement.

FISMA requirements apply to all Federal contractors, organizations, or sources that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. VA VLER DAS Assessing is responsible for oversight and compliance of its contractors and agents. As such, Vendor Name is not subject to FISMA requirements at this time as it will not possess Federal information.

VLER DAS Assessing is considered a Web Service, with the actual connection interfacing with the VA WAN hosted at VA NSOC. Veteran data is transported to VA using a FIPS 140-2 compliant web services call (https) supported with SSL certificates. The transport outputs are Uniform Claims Documents along with their Attachments. As a Web Service, data is transmitted using a standardized and secure protocol that supports service capabilities and constraints at both the transport and application layers. VA VLER DAS Assessing PHI/PII must not be transmitted by remote access unless VA VLER DAS Assessing approved protection mechanisms are used. Only approved encryption solutions using validated modules may be used when protecting data during transmission. All VA VLER DAS Assessing data must be stored in an encrypted partition on the hard drive and must be encrypted with FIPS 140-2 validated software. The application must be capable of key recovery, and a copy of the encryption key(s) must be stored in multiple secure locations.

Note: Each organization will install firewalls to protect internal networks and other resources from unauthorized access. Across the interconnection and the firewall, ports must be configured properly, and all default passwords must be changed. See NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, for more information.

3.2.11 Training and Awareness

All VA employees as well as non-VA employees seeking access to VA information systems or VA-sensitive information must complete annually the VA Privacy and Information Security Awareness Training and Rules of Behavior (VA 10176) and acknowledge annually VA’s Rules of Behavior (RoB) before VA access is granted to such information or information systems. Additionally, individuals seeking access to health information must also annually complete Privacy and HIPAA Focused Training (VA 10203).

This section is not applicable. The VSOs at no time have direct access via D2D to VA information systems.

3.3 Topological Drawing

Figures provided in this section depict the interconnectivity from VLER DAS Assessing to Vendor Name.

Figure 1: Topological Drawing

[Figure not reproduced. Labels in the drawing: VA Firewall; SSL; Internal Producers; External Producers; Internal Consumers; External Consumers; Weblogic Cluster; VRS Wrappers; Pre-Fetch (Java); Node.js Proxy Cluster; Proxy (Node.js); Node.js Cluster; eCRUD (Node.js); LENS; Audit; REDIS2JMS Bridge (Node.js); Redis Application; Redis Server; In-Memory Queue Holding Encrypted Data; MongoDB Cluster; MongoDB Application Server; MongoDB Data; Encrypted Solid State Drives; Physical Server; Authorizations & Preferences; Create, Read, Update; Notify Changes; Async. Query Responses; Encrypted Data.]

Annotations in the drawing:

eCRUD encrypts data changes, async. query responses and audit information before sending to Redis.

LENS decrypts requests pulled from Redis and encrypts responses pushed to Redis.

REDIS2JMS Bridge pulls encrypted data from Redis.

Audit decrypts the data from Redis.

Consumers don’t have direct access to Redis or MongoDB Servers.

VLER DAS Assessing provides a highly reliable and scalable infrastructure for developing and deploying Producer and Consumer wrappers to facilitate data transmission with minimal support and administration costs and more flexibility than your own infrastructure. It includes a variety of foundational services to facilitate data transmission through RESTDesc – Semantic Descriptions. The services are completely decoupled, load-balanced, asynchronous components. Requests are processed in parallel, and results are retrieved in parallel. The services are thread safe, with multiple asynchronous nodes working through a load balancer. VLER DAS Assessing also provides Redis-based fast, reliable caching mechanisms to keep static data closer to Consumers and dynamic data closer to computing components. Data in transit is secured and confidential data is encrypted, with future integration with IAM services at every layer (as services are available). Services are developed in Node.js and Java.

4. DURATION

This MOU/ISA will be reviewed no later than one (1) year after the last date on the signatures below, and every year thereafter, to determine if the interconnection is still required. The VLER DAS Assessing and D2D ISO will be the primary party responsible for reviewing the agreement on behalf of the VA and will coordinate the review with the VA CIO, D2D product owner, D2D Business Owner and Key Stakeholders.

If there is no review, then this agreement will expire. If the interconnection is deemed still necessary and there are no significant changes to the interconnection (see section 2.3.3 Material Changes to System Configuration), then the agreement will remain in effect and the VLER DAS Assessing and VA D2D ISO will document the annual review in Appendix C.

If there are significant changes to the interconnection or the VLER DAS Assessing and VA D2D ISO finds that a review has been completed and major changes were noted during the review, the signatories must update and reauthorize the agreement.

If one or both of the parties wish to terminate this agreement prematurely, they may do so upon thirty (30) days' advance notice or in the event of a security incident that necessitates an immediate response.

5. SIGNATORY AUTHORITY

We, the undersigned, mutually agree to the terms of this agreement.

VA VLER DAS Assessing System Owner
Mearl Webb, Project Manager
Dallas OIT Field Office
Dallas, [email protected]

Signature:

VA VLER DAS Assessing Information Security Officer
Scott Allen, Information Security Officer
221 Butler Avenue
Martinsburg, [email protected]

Signature:

VA VLER DAS Assessing Local Privacy Officer
Rita Grewal, VA OI&T Privacy Officer
810 Vermont Ave
Washington, DC [email protected]

Signature:

Vendor Name Information Security Officer (External)
Name, Title
Address
Telephone Number
Email

Signature:

Vendor Name Local Privacy Officer (External)
Name, Title
Address
Telephone Number
Email

Signature:

Vendor Name System Owner (External)
Name, Title
Address
Telephone Number
Email

Signature:

Appendix A: POINTS OF CONTACT

The tables below list parties responsible for each system as well as parties to contact during a security incident.

Table 2: Parties Responsible for Each System

Name | Company | Title | Office Phone | Email
Scott Allen | VA | ISO | 304-596-8333 | [email protected]
Aaron Fogle | VA | ISO | 304-260-6660 | [email protected]
Mearl Webb | VA | System Owner | 303-842-6442 | [email protected]
Stan Moran | VA | Government POC | 202-461-9007 | [email protected]
Dan Whitcher | VA | Government Sponsor | 202-461-9511 | [email protected]
Vendor Administrator Name | Vendor Name | Vendor Title | |

Table 3: Parties to Contact during a Security Incident

Name | Company | Title | Office Phone | Email
VA Network Security Operations Center (NSOC) | VA | Contact for Security Incidents | 800-877-4328 | [email protected]
TBD | Vendor Name | TBD | TBD | TBD
TBD | Vendor Name | TBD | TBD | TBD
TBD | Vendor Name | TBD | TBD | TBD

Appendix B: QUESTIONNAIRE – TRANSMISSION OF VA SENSITIVE INFORMATION USING A SYSTEM INTERCONNECTION

Complete as many questionnaires as needed.

Table 4: Questionnaire 1 - Transmission of VA Sensitive Information Using a System Interconnection

# | Question | Answer
1 | MOU/ISA for Interconnection | Interconnection Security Agreement and Memorandum Of Understanding Between the Department of Veterans Affairs and Vendor Name
2 | VA Points of Contact | Scott Allen and Aaron Fogle
3 | Description of Data | Health records and other medical information of Veterans. This type of data is highly sensitive PII and ePHI.
4 | Purpose of Data Transfer | To provide a secure and efficient means of transmitting Benefits claims filings from VSOs via the Vendor Name Claims Management System, to VA for processing.
5 | Non-VA Storage Location of the Transmitted Information | On Vendor Name secure servers that are part of the Vendor Name VLER DAS Assessing system.
6 | Supporting Document(s) Describing the Transfer of Data to the Recipient | None

VA Point of Contact (for Questionnaire 1): Mearl Webb

VA Information Security Officer (for Questionnaire 1): Scott Allen

Appendix C: VA ANNUAL REVIEW DOCUMENTATION

VA ISO signature is required for each annual review. During the annual review, the ISO should consult key stakeholders (for example: CIO, VA Business Owner, Privacy Officer, Contracting Officer, and Research).

Note: In the Change Status column of the table below, select all that apply to the review and delete the rest. When a page is full, the ISO should add another page.

Table 5: Annual Documentation Review

Date | Change Status | Additional Comments | Signature(s)
TBD | 1. No Change; 2. Minor Change; 3. Major Change; 4. New Agreement; 5. Change in POC; 6. Other (please specify) | TBD | <ISO signature>
TBD | 1. No Change; 2. Minor Change; 3. Major Change; 4. New Agreement; 5. Change in POC; 6. Other (please specify) | TBD | <ISO signature>
TBD | 1. No Change; 2. Minor Change; 3. Major Change; 4. New Agreement; 5. Change in POC; 6. Other (please specify) | TBD | <ISO signature>
TBD | 1. No Change; 2. Minor Change; 3. Major Change; 4. New Agreement; 5. Change in POC; 6. Other (please specify) | TBD | <ISO signature>

Appendix D: DEFINITIONS OF SENSITIVE INFORMATION TYPES

The following discussion defines the various types of personal information collected, maintained, and used within VA and provides an overview of how they inter-relate. Every type is subject to VA security statutes (38 U.S.C. §§ 5721-28), as long as it identifies or could reasonably be used to identify an individual. Depending on the type of information, it may also be protected by the Privacy Act (5 U.S.C. § 552a), the VA confidentiality statutes (38 U.S.C. §§ 5701, 5705, and 7332), and the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 164).

Table 6: Sensitive Information Types

Type | Definition
VA Sensitive Information/Data | All Department information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes not only information that identifies an individual but also other information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. SOURCE: 38 U.S.C. § 5727.
Personally Identifiable Information | Any information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Information does not have to be retrieved by any specific individual or unique identifier (i.e., covered by the Privacy Act) to be personally identifiable information. SOURCE: Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to Breaches of Personally Identifiable Information (May 22, 2007). Note: The term “Personally Identifiable Information” is synonymous and interchangeable with “Sensitive Personal Information.”
Sensitive Personal Information | The term, with respect to an individual, means any information about the individual maintained by VA, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. SPI is a subset of VA Sensitive Information/Data. SOURCE: 38 U.S.C. § 5727. Note: The term “Sensitive Personal Information” is synonymous and interchangeable with “Personally Identifiable Information.”

Health Information | Health Information is any information, whether oral or recorded in any form or medium, created or received by a health care provider, health plan, public health authority, employer, life insurers, school or university, or health care clearinghouse or health plan that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for the provision of health care to an individual. This encompasses information pertaining to examination, medical history, diagnosis, and findings or treatment, including laboratory examinations, X-rays, microscopic slides, photographs, and prescriptions. SOURCE: 45 C.F.R. § 160.103.
Individually Identifiable Information (III) | Individually Identifiable Information is any information pertaining to an individual that is retrieved by the individual’s name or other unique identifier, as well as Individually Identifiable Health Information regardless of how it is retrieved. Individually Identifiable Information is a subset of Personally Identifiable Information and is protected by the Privacy Act.
Individually Identifiable Health Information (IIHI) | Individually Identifiable Health Information is a subset of Health Information, including demographic information collected from an individual, that: (1) is created or received by a health care provider, health plan, or health care clearinghouse (e.g., a HIPAA-covered entity, such as VHA); (2) relates to the past, present, or future physical or mental condition of an individual, or provision of or payment for health care to an individual; and (3) identifies the individual or where a reasonable basis exists to believe the information can be used to identify the individual. Note: VHA uses the term individually-identifiable health information to define information covered by the Privacy Act and the Title 38 confidentiality statutes in addition to HIPAA.
Protected Health Information (PHI) | The HIPAA Privacy Rule defines PHI as Individually Identifiable Health Information transmitted or maintained in any form or medium by a covered entity, such as VHA. Note: VHA uses the term protected health information to define information that is covered by HIPAA but, unlike individually-identifiable health information, may or may not be covered by the Privacy Act or Title 38 confidentiality statutes. In addition, PHI excludes employment records held by VHA in its role as an employer.
Non-identifiable Information | Non-identifiable Information is information from which all Unique Identifiers have been removed so that the information is no longer protected under the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. § 7332. However, Non-identifiable Information has not necessarily been de-identified and may still be covered by the HIPAA Privacy Rule unless all 18 Patient Identifiers listed in the Rule’s de-identification standards are removed.

Limited Data Set | A Limited Data Set is protected health information from which certain specified direct identifiers of the individuals and their relatives, household members, and employers have been removed. These identifiers include name, address (other than town or city, state, or zip code), phone number, fax number, e-mail address, Social Security Number (SSN), medical record number, health plan number, account number, certificate and/or license numbers, vehicle identification, device identifiers, web universal resource locators (URL), internet protocol (IP) address numbers, biometric identifiers, and full-face photographic images. The two patient identifiers that can be used are dates and postal address information that is limited to town or city, State or zip code. Thus, a Limited Data Set is not De-identified Information, and it is covered by the HIPAA Privacy Rule. A Limited Data Set may be used and disclosed for research, health care operations, and public health purposes pursuant to a Data Use Agreement. SOURCE: 45 C.F.R. § 164.514(e)(2).
De-identified Information | De-identified Information is health information that is presumed not to identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual because the 18 Patient Identifiers described in the HIPAA Privacy Rule have been removed. De-identified information is no longer covered by the Privacy Act, 38 U.S.C. § 5701, 38 U.S.C. § 7332, or the HIPAA Privacy Rule. SOURCE: 45 C.F.R. § 164.514(b)(2)(i).
Patient Identifiers | Patient identifiers are the 18 data elements attributed to an individual under the HIPAA Privacy Rule that must be removed from health information for it to be de-identified and no longer covered by the HIPAA Privacy Rule. Please see VHA Handbook 1605.1, Privacy and Release of Information, Appendix B, De-identification of Data, for more detail.
Unique Identifier | A Unique Identifier is an individual’s name, address, social security number, or some other identifying number, symbol, or code assigned only to that individual (e.g., medical record number and claim number). If these identifiers are removed, then the information is no longer Individually Identifiable Information and is no longer covered by the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. § 7332. However, if the information was originally Individually Identifiable Health Information, then it would still be covered by the HIPAA Privacy Rule unless all 18 Patient Identifiers listed in the de-identification standard have been removed. Note: The VA Office of General Counsel has indicated that the first initial of last name and last four of the social security number (e.g., A2222) is not a unique identifier; therefore, inclusion of this number by itself does not make the information identifiable or sensitive.

D. 1. Relations among Different Types of Information

VA Sensitive Information/Data is the broadest term and generally encompasses all of the other terms with the exception of de-identified data.

Sensitive Personal Information and Personally Identifiable Information are synonymous and encompass Individually Identifiable Information, Individually Identifiable Health Information and Protected Health Information.

Individually Identifiable Information encompasses Individually-identifiable Health Information. It may or may not be Protected Health Information.

Health Information encompasses Individually Identifiable Health Information. It may or may not be Protected Health Information.

Individually Identified Health Information is maintained by VHA and is protected by the HIPAA Privacy Rule, as well as the Privacy Act and the Title 38 confidentiality statutes.

Non-identifiable Information is no longer protected by the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. § 7332, but is covered by the HIPAA Privacy Rule unless it has been de-identified in accordance with the Rule.

De-identified Information may include VA Sensitive Information/Data, but it will not include any of the other types of data defined herein. De-identified Information is not Protected Health Information.

Patient Identifiers encompass Unique Identifiers. Patient Identifiers are the 18 data elements attributed to an individual under the HIPAA Privacy Rule. Unique Identifiers are those Patient Identifiers that identify or could be used to identify only one individual, such as name, address, or some other number, symbol, or code assigned only to that individual. Unique Identifiers can be used to retrieve information about an individual from a Privacy Act system of records.

Protected Health Information may consist of any of the other types of data defined herein except for De-identified Information. Protected Health Information includes Limited Data Sets and Non-identifiable Information.

Figure 2: Data Types

Protected Health Information may be comprised of any of these types of data, except for de-identified information.

Appendix E: INTERCONNECTION PORTS AND PROTOCOLS

Connection Type: [SSL/TLS]

Connection ID#: [Web Server – No Connection ID]

Gateway: [Web Server – No Gateway]

Note: Vendor Name to complete the table below before the MOU/ISA is signed. Add additional rows as needed.

Table 7: Interconnection Ports and Protocols

Direction | Protocol | Port | Purpose
In | HTTPS | 443 | Vendor Name-CMS calls VA web services
Out | HTTPS | 443 | VA calls Vendor Name-CMS notification web services
Out | HTTPS | 443 | VA accesses Vendor Name-CMS VAPOC Portal for downloading final report
