Friday, September 27, 2024

VA RFI: Enterprise Security Architecture (ESA) Support

Notice ID: 36C10B23Q0393

Description

The United States Department of Veterans Affairs (VA) provides near-comprehensive healthcare services to military veterans at VA medical facilities throughout the country, including disability compensation, vocational rehabilitation, education assistance, home loans, life insurance, and burial and memorial benefits. Rapidly-changing technology paired with the increasing number of veterans and rising healthcare costs creates new challenges for VA to meet its mission to provide top-notch service to veterans. In response, VA is undertaking transformational steps to increase efficiency, reduce costs, and improve overall quality of service.

The purpose of this document is to provide VA System Owners and Stakeholders security guidelines and minimum security requirements for VA cloud deployments. Stakeholders include departments within VA that have the responsibility for managing and configuring cloud services. Cloud usage by VA will continue to evolve as updates and changes to hardware, software, configurations, etc., occur; therefore, this document is intended to be a living document that will be maintained and updated by the ESA Cloud team. This document is not intended to be an operational or detailed configuration management guide. This document was commissioned by the Chief, Enterprise Security Architecture / Director, Enterprise Security Architecture, and will undergo review by VA cloud stakeholders. It is the responsibility of VA System Owners and Stakeholders to work closely with the ESA Cloud team to understand the current security requirements and responsibilities. The guidelines and minimum security requirements herein were developed through a series of collaborative working sessions with VA stakeholders, in addition to leveraging VA policies, industry recommendations for cloud security (Cloud Security Alliance), and Federal guidance and standards from the National Institute of Standards and Technology (NIST) and the Federal Risk and Authorization Management Program (FedRAMP).

1.3. Cloud and VA

Cloud computing differs from traditional on-premises computing in that security responsibilities are shared between the Cloud Service Provider (CSP) and the customer. The guidelines and minimum security requirements in this document are structured to address the shared responsibility model as it applies to VA’s use of the cloud across the three generic cloud service models: Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service. The security responsibilities of VA and the CSP change depending on the service model in use. The cloud service model definitions, per VA 6517 and NIST Special Publication (SP) 800-145, are:

Infrastructure-as-a-Service (IaaS): The capability available to the consumer is to provide processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…
