OneVA Technical Reference Model (TRM) Waiver Request Form
Purpose
Projects and offices may request approval to use tools and technologies that meet the following guidelines:
1. Are unapproved on the OneVA Technical Reference Model (TRM),
2. Are pending evaluation and publication on the OneVA TRM,
3. Have constraints requiring a waiver prior to use, or
4. A project/office cannot operate within constraints listed on a published OneVA TRM entry.
Note: Waivers cannot be granted for tools and technologies that are prohibited on the OneVA TRM.
OneVA TRM waivers are reviewed and approved by the Strategic Technology Alignment Team (STAT) on a rolling basis. This document is required to formally request a OneVA TRM waiver.
Instructions
Complete each field in this document and provide details of the office requesting this waiver, along with a clear justification. Please remove all blue instructional text when finished. Once completed, please submit to the STAT inbox at [email protected].
Key Notes
Begin working with your applicable Information Security Officers (ISOs) as soon as possible when planning to request a waiver. ISOs are crucial to the early identification of risks and vulnerabilities that may lead to a denied request. If the tool you are requesting will handle Personal Health Information (PHI) or Personally Identifiable Information (PII), you must also submit a Plan of Action and Milestones (POA&M) from RiskVision.
If the tool you are requesting is cloud-based, you must visit the Enterprise Security Change Control Board (ESCCB) for a Memorandum of Understanding (MOU). Please visit https://esccb.va.gov for more details.
Submitters must include a link to the applicable TRM entry. If a product (or version number) is not currently listed on the TRM, a TRM evaluation request must be submitted prior to requesting a waiver.
Waiver Request Details
Technology Name: Note the name of the technology being requested within this waiver.
Technology Version Number: Note the version number of the technology being requested within this waiver.
Link to TRM Entry: Provide a link to the TRM entry containing the TRM's final decision. If a TRM evaluation request was submitted, please provide that link here.
Waiver Sponsor Name and Contact Information: Note the name of the waiver sponsor (must be government staff), a VA email address, and a telephone number.
Office or Project Name: Provide the name of the office/facility that requires the use of the non-TRM-compliant technology.
Office or Project Description: Describe the mission and scope of the office or project.
Waiver Justification: Explain, in detail, why this waiver is being requested. Explicitly describe the specific business need that this particular technology fulfills, noting why existing TRM-compliant tools are not adequate. Also include a brief explanation of any negative impacts that may result from the waiver not being approved.
Transition Plan: Provide the details of a transition plan away from use of the non-compliant product. Please include details of the transition timeline.
Is funding in place? Yes ☐ No ☐ Please select the box that describes available funding to transition to a compliant solution and a short description of the available funding for your project.
Do you have an Authority to Operate (ATO)? Yes ☐ No ☐ Note whether the system has an Authority to Operate (ATO). If there is an ATO, note whether the technology being requested is specifically addressed, the expiration date, and any conditions.
Office of Information Security (OIS) Analysis: Before submitting waiver documentation, projects must coordinate with their Information Security Officers (ISOs) to analyze risks and determine if a comprehensive risk assessment is required. If required, please include a copy of the risk assessment (i.e. POA&M) completed in RiskVision with this waiver request.
Critical Decision Review Dates: CD1: ______ CD2: ______ For projects in the Veterans-focused Integrated Process (VIP), please include dates for Critical Decisions 1 and 2, if known.
Will your tool be deployed on a medical Virtual LAN? Yes ☐ No ☐ Please select the applicable answer.
System/Server Numbers: Please provide a list of system and/or server names this tool will be deployed on.
Is technology cloud-based? Yes ☐ No ☐ If yes, please answer questions and follow guidelines on the next page.
Cloud Technology: Yes ☐ No ☐ Is your system currently operating in a cloud environment, to include a hybrid or on/off-premises cloud?
Yes ☐ No ☐ If not, would you like more detailed information and resources to assist in a technical evaluation on moving to cloud services?
Questions for Cloud-based Technologies
Please have a technical contact answer the following questions if the OneVA TRM waiver being requested is for a cloud-based tool.
Important note: Cloud-based requests must be reviewed by the Enterprise Security Change Control Board (ESCCB). Prior to submitting the waiver request, please begin coordinating with the ESCCB at [email protected].
Is the cloud provider FISMA/FedRAMP compliant? Yes ☐ No ☐ Please select the applicable answer.
Does the cloud solution comply with the Statement on Auditing Standards No. 70 (SAS70), the Health Insurance Portability and Accountability Act (HIPAA), or the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)? Yes ☐ No ☐ Please select the applicable answer.
Does the cloud provider have a Comprehensive Disaster Recovery Plan? Yes ☐ No ☐ Please select the applicable answer.
Does the cloud provider offer multitenancy? If so, what mitigations are in place to protect the environment? Yes ☐ No ☐ Please select the box that describes whether the cloud provider offers multitenancy and, if Yes, provide a short description of the mitigations in place to protect the environment.
Type of cloud service: Software as a Service (SaaS) ☐ Platform as a Service (PaaS) ☐ Infrastructure as a Service (IaaS) ☐
Does this cloud solution reduce technology complexity? Yes ☐ No ☐ Please select the applicable answer.
Does the cloud vendor offer robust integration capabilities? Please provide a brief description of the vendor's maturity and the integration capabilities available to VA.