The table includes information about the status of TANF Data Portal's compliance with White House Cybersecurity Executive Order 14208 issued on May 12, 2021. This information is current as of 10/19/2021.
| Executive Order requirement | TDP status |
| --- | --- |
| All new networked Federal information systems must be IPv6 enabled no later than (NLT) FY2023. | TDP is hosted in cloud.gov, which supports IPv6 for external access to the application. For internal access to apps (e.g. frontend/backend app communication), only IPv4 is currently supported. The cloud.gov support team indicated that this constraint is due to the current offerings available to government for cloud services (some of which do not yet support IPv6), but planning to comply with this policy area is in progress. |
| Any federal system not connected to an existing Authorized Trusted Internet Connection (TIC) must provide equivalent security protection. This includes but is not limited to:<br>- Data Loss Prevention technologies to detect and prevent instances of exfiltration;<br>- Asset segmentation via network or microsegmentation (service) technologies to physically or virtually divide asset communication paths and limit communication to only what is required. | The agency’s TIC is not traversed to access the system, which is hosted in cloud.gov. System administrators currently only access the system via HHS GFE + PIV/CAC. |
| Accelerate the patch management process to meet 15-day remediation for critical vulnerabilities and configuration weaknesses. | We plan to update our configuration management plan and any other security-related plans to note that critical vulnerabilities will be addressed within 15 days (instead of 30). |
| Adoption of multi-factor authentication and encryption for data at rest and in transit within 180 days of the White House Executive Order issue date of 12 May 2021:<br>- Data-in-transit protection requires leveraging unique web certificates (reduction/removal of general-purpose [wildcard] certificates);<br>- Data at rest requires use of encrypted data storage options;<br>- Expansion of HSPD-12: all users with elevated privileges must be HSPD-12 compliant;<br>- Acquiring new security tools and expanding scope/coverage of existing tools to improve detection of vulnerabilities and incidents;<br>- Expansion of Security Information and Event Management coverage, which requires development support to configure log collection for application-level logs;<br>- Acquisition and deployment of network-based and host-based intrusion protection technologies in every environment hosting Federal data. | When our prod environment is set up:<br>- The MFA requirement will be met (ACF users will authenticate with PIV/CAC via ACF AMS, and non-ACF users will authenticate with one of the several options required to create a login.gov account);<br>- The data encryption at-rest and in-transit requirement will be met. Data in S3 buckets, RDS, and Elasticsearch databases is encrypted at rest (AES-256) by default;<br>- All data flowing through TDP is encrypted in transit via TLS;<br>- The HSPD-12 requirement for privileged users will be met (PIV/CAC is HSPD-12 compliant);<br>- We are capturing logs of user activities (login/logout, data submissions, user management), scanning data submissions for vulnerabilities, and scanning our application for security vulnerabilities nightly. These scans are also logged and accessible from the TDP backend (Django admin console);<br>- Cloud.gov network intrusion detection information is included here. |
| Revision 5 of National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. This update provides guidance on the next generation of the security and privacy controls framework, addressing a need for a more proactive and systematic approach to cybersecurity.<br>- Most systems will need to go through the ATO process using the new control sets and will also only have a short time to comply with the EO.<br>- Encryption must be FIPS 140-2 compliant.<br>- Data at rest must be encrypted. All systems funded by the government, no matter where they are hosted, must require a PIV card and GFE for privileged access. This includes low-impact systems.<br>- MFA requirements: systems may no longer be accessed with just a username and password.<br>- All systems must be BOD-18-01 compliant throughout the network.<br>- Privacy controls are now required for all systems that contain any PII.<br>- We are standing by for a full list of updated privacy controls that moderate systems must comply with. | Encryption, MFA, and PIV requirements will be met before TDP is live. Work will be completed as part of release 1.<br>Cloud.gov’s TLS implementation and cipher suites are in compliance with BOD-18-01. |