|
JTF CapMed Software Test Request Worksheet v1.0
|
The Joint Task Force (JTF) National Capital Region Medical (CapMed) Software Test Request Worksheet is for Commercial Off-The-Shelf (COTS) products ONLY. Client-Server applications will be rejected.
Instructions:
-
This Worksheet is to be completed by the Software Sponsor.
-
All questions on the following pages must be addressed.
-
Upon completion, submit the form to the JTF CapMed IA Team via email, jtfcapmeddropbox@nsoc.med.osd.mil.
-
An installation and configuration guide that addresses security issues is required with submission of the Worksheet. Configuration guidelines: - Center for Internet Security (http://www.cisecurity.org/)
- DISA (http://iase.disa.mil/stigs/index.html)
- NIST (http://checklists.nist.gov/)
- vendor documentation
-
Submission of additional requirements, such as specialty hardware required for
software functionality, is coordinated with the JTF CapMed Lead Engineer.
-
Please note “Software Testing Request: Product name and version number” in the subject line of all email correspondence.
Upon approval of the Worksheet, testing of the product will be coordinated among the JTF CapMed Lead Engineer and Software Sponsor.
Once testing concludes, all Software Sponsors will receive a copy of the JTF CapMed Software Risk Assessment Report submitted to the Certifying Authority (CA). Products approved by the CA will receive a certification and the product will be added to the JTF CapMed Approved Products List.
Required Information/Question
|
Response
|
1
|
Sponsor Name
|
Joseph D. Rogers
|
2
|
Sponsor Organization
|
Centers for Disease Control &Prevention
|
3
|
Sponsor Phone
|
770-488-4701
|
4
|
Sponsor Email
|
Jdr0@cdc.gov
|
5
|
Date of Submission
|
February 1, 2012
|
6
|
Software Name
|
Registry Plus™ Central Registry System(CRS) Plus
|
7
|
Software Version *must be the version being deployed*
|
CRS Plus Version
|
8
|
Software Vendor
|
Centers for Disease Control &Prevention
|
9
|
Vendor/Product Web site
|
http://www.cdc.gov/cancer/npcr/tools/registryplus/index.htm
|
10
|
Software Function
Describe the purpose for the software (e.g., what is the product’s function).
|
CRS Plus is the main central registry database program in the Registry Plus suite. CRS Plus links incoming abstracts with the existing database, using software–assisted consolidation into patient, cancer, and facility tables.
|
11
|
Software Architecture
Provide a high level description of how the software works and its architecture. Identify any external connections that are required for the software to operate.
|
Central Registry System (CRS) Plus is a client-server application that stores the registry database on a server computer and runs the client application on individual workstations. As part of the installation package, CRS Plus comes with Microsoft® Access as the default database. To be fully functional, the registry database must be moved to a Microsoft SQL Server before implementing the production environment. CRS Plus is an application that runs on and stores the data in a Microsoft SQL Server database. The application must be accessible from the Inside the installed network since the product is not wen accessible. See website: http://www.cdc.gov/cancer/npcr/tools/registryplus/crsp.htm and http://www.cdc.gov/cancer/npcr/pdf/registryplus/registry_plus_requirements.pdf for more details.
|
12 a
|
Is this Commercial-Off-The-Shelf (COTS) software? Definition:
Commercially available Off-The-Shelf (COTS) is a Federal Acquisition Regulation (FAR) term defining non-developmental item (NDI) of supply that is both commercial and sold in substantial quantities in the commercial marketplace, and that can be procured or utilized under government contract in the same precise form as available to the general public. This is a DoD IS
and requires compliance with IA Program.
|
yes no
|
12 b
|
Is the software freeware/shareware and is the source code unavailable?
Mark yes if software is public domain and is only available in binary format (no source code). Binary or machine executable public domain software products and other software products with limited or no warranty, such as those commonly known as freeware or shareware, are not used in Department of Defense (DoD) information systems unless they are necessary for the mission and no alternative solutions are available. Such products are assessed for information assurance impacts and approved for use by the Designated Accrediting Authority (DAA). The assessment acknowledges that such software products are difficult or impossible to review, repair, or extend, given the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.
|
yes no
|
13 a
|
Is this an Information Assurance (IA) or IA-enabled product?
Definition of IA Product:
Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non- repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices.
Definition of IA-Enabled Information Technology Product:
Product or technology for which primary role is not security, but provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.
|
IA Product:
yes
no
IA-Enabled IT Product: yes
no
|
13 b
|
If yes to either, has the product been evaluated under Common Criteria or another NSA approved process. Provide details.
|
no yes
|
14
|
Does the software use mobile code (e.g., ActiveX, Javascript)?
If yes, explain what type of mobile code and how DoD mobile code policy is being satisfied.
|
yes no
|
15
|
What types of data will this application
Process and/or store (e.g., sensitive, classified, HIPAA)?
Describe the methods used by the software to protect the data it processes/stores (e.g., encryption).
|
CRS Plus is a highly secure application that can be used to store confidential patient data within a central registry safely. Security is achieved by a combination of software features and network infrastructure. See website: http://www.cdc.gov/cancer/npcr/pdf/registryplus/registry_plus_requirements.pdf for more details.
|
16
|
Does the software communicate outside of the local network?
If yes, list the Ports/Protocols within Appendix A.
|
yes no
|
17 a
|
Does the software communicate over the local network?
|
yes no
|
17 b
|
Is the connection encrypted?
If yes, identify the encryption mechanism (e.g., SSL/TLS/PCT, Secure Shell (SSH), IPSec, COE SSAF).
|
yes
no
CRS Plus exists completely within the network and does not access the web server or conduct the exchange of data over the Internet.
|
18
|
Have the cryptographic modules been validated by National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2? NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, SHA-512). Newer standards are applied as available. The validated modules product list is available at http://csrc.nist.gov/cryptval/.
|
yes no
|
19
|
Is the software developed by a foreign (non-US) company?
If yes, in which country does the company reside?
|
yes no
|
20
|
Does the National Vulnerability Database (NVD) Web site show any known vulnerabilities for this software? List each vulnerability and explain how you plan to mitigate each. (http://nvd.nist.gov)
|
yes no
|
|
21
|
Has the software product lifecycle been reflected in the budget, implementation plan, and operations plan?
Sponsors must have the ability to support, sustain, and maintain the product once in use.
|
Yes
No
Registry Plus is a suite of publicly available free software programs for collecting and processing cancer registry data. The Registry Plus suite can be used separately or together for routine or special data collection. These software programs, compliant with national standards, are made available by CDC to implement the National Program of Cancer Registries, established by Public Law 102-515.
|
22
|
How will the software be provided to the JTF CapMed IA Team?
List a point-of-contact or Web site where the software can be obtained.
|
It will be provided for download through a CDC maintained FTP site.
|
23
|
How will the user guide be provided (e.g. attachment, Web site)?
|
Information from the site http://www.cdc.gov/cancer/npcr/tools/registryplus/index.htm is helpful, especially the linked document: http://www.cdc.gov/cancer/npcr/pdf/registryplus/registry_plus_requirements.pdf
|
24
|
What is the installation key code?
|
There is no installation code required.
|
25
|
Are there usernames or passwords associated with the application after initial login, if required (e.g., login to a website, administrator privileges)?
|
yes no
|
26 a
|
Does the application provide data protection through user names and passwords?
|
yes no
|
26 b
|
Are the user names and passwords encrypted?
|
yes no
|
26 c
|
Are the user names and passwords configurable?
|
yes no
|
27
|
Identify any associated Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and/or National Security Agency (NSA) Security Configuration Guides.
|
|
APPENDIX A: PORTS AND PROTOCOLS LIST
Source / Direction
|
Destination /
Direction
|
Port
|
Protocol
|
Service
|
Description and Purpose
|
Software
name
|
From
|
SMTP
email
Server
|
To
|
25
|
SMTP
|
E-mail
|
Sends out e-mails pulled from local
database
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
FOR OFFICIAL USE ONLY (FOUO)
Dostları ilə paylaş: |