$TXT Created by ORMSBY,SKIP at MAILMAN.FO-OAKLAND.MED.VA.GOV  (KIDS) on Wednesday, 06/02/04 at 07:54
=============================================================================
Run Date: JUN 24, 2004                     Designation: XM*8*18
Package : XM - MAILMAN                     Priority: EMERGENCY
Version : 8         SEQ #25                Status: Released
                  Compliance Date: JUN 24, 2004
=============================================================================

Subject: AUTO-FORWARD RESTRICTIONS

Category:
  - Routine
  - Enhancement ()
  - Data Dictionary
  - Informational
  - Other

Description:
============

 Reference:
 Memorandum signed by Robert N. McFarland,
 Assistant Secretary for Information and Technology (005)
 Subject: Limits on the Use of Certain E-mail Features and Configurations

 The intent of the memorandum is to help ensure that sensitive VA
 information is not put at risk. This patch puts MailMan in compliance
 with the limits set forth by the memorandum.

 The memorandum can be viewed at:
 https://vaww.ocis.va.gov/portal/server.pt/gateway/PTARGS_0_2_19707_0_0_18/Limits%20on%20the%20Use%20of%20Certain%20E-mail%20Features%20and%20Configurations%20(EDMS%20209533)%20captured.pdf

 The following is the full text of the memorandum:

 ==========================================================================
 Memorandum
 Department of Veterans Affairs

 Date: MAY 24 2004
 From: Assistant Secretary for Information and Technology (005)
 Subj: Limits on the Use of Certain E-mail Features and Configurations
 TO:   Under Secretaries, Assistant Secretaries, and Other Key Officials

 1. To help ensure that sensitive VA information is not put at risk,
 limits must be set on certain e-mail features and configurations. There
 are currently a number of VA systems that allow users to send and receive
 e-mail. These systems include e-mail clients such as Microsoft Outlook
 and Exchange, applications such as the Veterans Health Information
 Systems Technology Architecture (VistA), and the Burial Operations
 Support System.

 2. Some of these systems have configuration options that allow e-mail
 messages to be automatically forwarded from one email address to another.
 Such options are normally used as a convenient way for users to receive
 work-related messages at another location while away from the office.
 Because the forwarding is done automatically, the user loses the ability
 to determine whether a specific message is appropriate for forwarding
 outside VA boundaries and over the Internet.

 3. Auto-forwarding of e-mail messages to addressees outside VA may result
 in information intended for use within the VA network to be transmitted,
 viewed, and/or stored on mail systems outside of VA's control. This is
 clearly unacceptable and puts the Department at risk for Privacy Act or
 Health Insurance Portability and Accountability Act (HIPAA) violations.

 4. Effective 30 days from the date of this memorandum, auto-forwarding of
 e-mail messages to addressees outside the VA network shall be strictly
 prohibited. Autoforwarding of e-mail inside the VA network (e.g.,
 Blackberry) will continue to be authorized. The restriction shall be
 enforced, whenever possible, through software modifications and/or
 configuration changes at the e-mail gateways. In addition, auditing
 and/or monitoring of e-mail traffic shall be employed to verify
 compliance with this requirement. Once all Enterprise Cyber Security
 Infrastructure Program (ECSIP) gateways are operational and all Internet
 access has been migrated to the four ECSIP gateway locations, the
 auditing requirement will no longer be necessary.

 5. Waivers to the auto-forwarding provisions may be requested through the
 respective facility Information Security Officer (ISO). Requests deemed
 appropriate by the facility ISO will be forwarded for approval through
 the appropriate cyber security chain of command. Waiver requests must
 include documentation indicating why alternatives, such as remote access,
 cannot be implemented or provide the required capabilities.

 6. In evaluating such waivers, the ISO must ensure that all available
 alternative methods to access e-mail have been sufficiently explored. For
 waiver requests to auto-forward e-mail to appropriate partner agencies
 such as associated hospitals or educational institutions, a copy of the
 HIPAA Business Associate Agreement must be included in the request.
 Waivers to auto-forward e-mail to commercial e-mail providers, such as
 America Online or Hotmail, will require justification of extraordinary
 circumstances to be approved. ISOs will retain waivers on file and
 periodically validate accounts with auto-forward enabled.

 7. Some VA e-mail systems allow users to send automatic replies
 indicating that they are unavailable during a particular timeframe (i.e.,
 "out-of-office" notifications). It is important for VA e-mail users to
 remember that these out-of-office notifications may be sent outside of
 the VA network to anyone who sends a message to the user's address.
 Improperly constructed out-of-office notifications may include sensitive
 or private VA information that should not be shared with outside sources.
 A well constructed out-of-office notification contains the minimum detail
 necessary and should never include information that cannot be disclosed
 to the public.

 8. Some VA e-mail distribution lists contain many addresses, including
 some that are outside the VA network (i.e., "special recipients"). There
 is no obvious indication when a distribution list contains outside
 addresses. If a sender is not careful, sensitive or private information
 may be sent outside the VA network to people who should not receive it,
 or even to inappropriate recipients within the VA network. Senders must
 examine distribution lists closely to ensure that they contain only
 suitable recipients. In addition, it is important to note that e-mail
 distribution lists may include other e-mail distribution lists (i.e.,
 "nested lists"), and the members of each nested list must also be
 examined.

 9. If there are any questions on this subject, please have a member of
 your staff contact William Buckingham, Acting Director, Technology and
 Integration Service (005S6), at (202) 273-5071.

 /sig./
 Robert N. McFarland
 ==========================================================================

 1. There will be no auto-forwarding to non-VA sites. MailMan will enforce
    this by checking auto-forward addresses each time they are used, and
    will delete any non-compliant ones.

    For VA sites, the post-init will populate the following new fields in
    the MAILMAN SITE PARAMETERS (#4.3) file:
    The AUTO-FORWARD LIMITS? (#31) will be set to YES, and
    ".VA.GOV" will be added to the AUTO-FORWARD APPROVED SITE (#31.1)
    multiple.

    VA sites should not alter the contents of these fields, or else the
    site will not be in compliance with the memorandum.

    Here are the fields:

 DBA clearance
 =============
 Apr 15, 2003

 STANDARD DATA DICTIONARY #4.3 -- MAILMAN SITE PARAMETERS FILE
 STORED IN ^XMB(1,

 DATA          NAME                  GLOBAL        DATA
 ELEMENT       TITLE                 LOCATION      TYPE
 --------------------------------------------------------------------------
 4.3,31        AUTO-FORWARD LIMITED? 3;1 SET

                                 '0' FOR NO;
                                 '1' FOR YES;
               LAST EDITED:      APR 14, 2003
               HELP-PROMPT:      Should auto-forward capability be limited?
               DESCRIPTION:      For security or privacy reasons, you may
                                 wish to limit the sites to which users may
                                 have their mail auto-forwarded. If so, set
                                 this field to YES, and enter the approved
                                 sites in the AUTO-FORWARD APPROVED SITE
                                 multiple.

                                 For VA sites, this field must be set to
                                 YES. The only approved sites are those
                                 ending in ".VA.GOV".

                                 If this field is set to YES, MailMan will
                                 limit auto-forwarding to only those sites
                                 whose names are in (or end in the ones in)
                                 the AUTO-FORWARD APPROVED SITE multiple.

 4.3,31.1      AUTO-FORWARD APPROVED SITE 3.1;0 Multiple #4.33

 4.33,.01      AUTO-FORWARD APPROVED SITE 0;1 FREE TEXT (Multiply asked)

               INPUT TRANSFORM:  K:$L(X)>64!($L(X)<3) X
               LAST EDITED:      APR 14, 2003
               HELP-PROMPT:      Answer must be 3-64 characters in length.
               DESCRIPTION:      If the AUTO-FORWARD LIMIT? (#31) field is
                                 set to YES, auto-forward addresses are
                                 limited to sites which are listed here, or
                                 which end in those which are listed here.

               CROSS-REFERENCE:  4.33^B
                                 1)= S ^XMB(1,DA(1),3.1,"B",$E(X,1,30),DA)=""
                                 2)= K ^XMB(1,DA(1),3.1,"B",$E(X,1,30),DA)

 2. Waivers must be requested through the site's local ISO.

    If (and only if) a user has a waiver to auto-forward to a non-VA site,
    the user should be assigned the new security key XM AUTO-FORWARD
    WAIVER, and the waivered site should be added to the following new
    multiple in the MAILMAN SITE PARAMETERS (#4.3) file:

 STANDARD DATA DICTIONARY #4.3 -- MAILMAN SITE PARAMETERS FILE
 STORED IN ^XMB(1,

 DATA          NAME                  GLOBAL        DATA
 ELEMENT       TITLE                 LOCATION      TYPE
 --------------------------------------------------------------------------
 4.3,31.2      AUTO-FORWARD WAIVER SITE 3.2;0 Multiple #4.34

               LAST EDITED:      APR 14, 2003

 4.34,.01      AUTO-FORWARD WAIVER SITE 0;1 FREE TEXT (Multiply asked)

               INPUT TRANSFORM:  K:$L(X)>64!($L(X)<3) X
               LAST EDITED:      APR 14, 2003
               HELP-PROMPT:      Answer must be 3-64 characters in length.
               DESCRIPTION:      If the AUTO-FORWARD LIMIT? (#31) field is
                                 set to YES, auto-forward addresses are
                                 limited to sites in the AUTO-FORWARD
                                 APPROVED SITE (#31.1) multiple. However,
                                 any user who has been assigned the XM
                                 AUTO-FORWARD WAIVER security key, may also
                                 auto-forward to the sites which are listed
                                 here, or which end in those which are
                                 listed here.

               CROSS-REFERENCE:  4.34^B
                                 1)= S ^XMB(1,DA(1),3.2,"B",$E(X,1,30),DA)=""
                                 2)= K ^XMB(1,DA(1),3.2,"B",$E(X,1,30),DA)

 New Security Key
 ================

 NAME: XM AUTO-FORWARD WAIVER
   PERSON LOOKUP: LOOKUP
   KEEP AT TERMINATE: YES
  DESCRIPTION: If the AUTO-FORWARD LIMIT? (#31) field is set to YES,
  auto-forward addresses are limited to sites in the AUTO-FORWARD APPROVED
  SITE (#31.1) multiple. However, any user who has been assigned this
  security key, may also auto-forward to the sites which are listed in the
  AUTO-FORWARD WAIVER SITE (#31.2) multiple.

  To obtain this security key, the user must submit a request for a waiver
  through the site Information Security Officer (ISO). Only after the
  waiver has been granted may the user be assigned this key. Check with
  the ISO for details on the requirements for the waiver.

 New DIALOG Entries
 ==================

 DIALOG NUMBER: 38130.1                  TYPE: ERROR
   PACKAGE: MAILMAN
   SHORT DESCRIPTION: You can't have your mail forwarded to a
  TEXT:
  You can't have your mail forwarded to a non-VA site.
  Waivers can be requested through your site Information Security Officer
  (ISO).
   ROUTINE NAME: XMXADDR3

 DIALOG NUMBER: 38130.2                  TYPE: ERROR
   PACKAGE: MAILMAN
   SHORT DESCRIPTION: You have been granted a waiver
  TEXT:
  You have been granted a waiver to have your mail forwarded to a non-VA
  site, but this site is not one of the sites for which a waiver has been
  granted. Please contact your site Information Security Officer (ISO)
  for further information.
   ROUTINE NAME: XMXADDR3

 DIALOG NUMBER: 38130.3                  TYPE: GENERAL MESSAGE
   PACKAGE: MAILMAN
   SHORT DESCRIPTION: Forwarding Address ignored.
  TEXT:
  Forwarding Address ignored.
   ROUTINE NAME: XMXADDR

 NOIS
 ====
 -None-

 Blood Bank clearance
 ====================
 May 27, 2004

 EFFECT ON BLOOD BANK FUNCTIONAL REQUIREMENTS: Patch XM*8*18 contains
 changes to a package referenced in VHA IO SEPG SOP 192-023 "Review of
 VISTA Patches for Effects on VISTA Blood Bank Software". This patch does
 not alter or modify any VistA Blood Bank software design safeguards or
 safety critical elements functions.

 RISK ANALYSIS: Changes made by patch XM*8*18 have no effect on Blood Bank
 software functionality, therefore RISK is none.

 Thanks To Test Sites
 ====================
 ALTOONA, PA               System: VMS/CACHE
 COLUMBUS, OH(OPC)         System: ALPHA/ISM (NT)
 NORTHERN CALIFORNIA HCS   System: ALPHA/DSM
 PORTLAND, OR (C)          System: VMS/CACHE
 WALLA WALLA, WA           System: VMS/CACHE

 NOTE: This patch should be installed during off hours, when user
       activity is at a minimum. It has no patch prerequisites.
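
 The site rules in items 1 and 2 above, modelled as an added example; it
 is not MailMan's XMXADDR3 code. The function names, the treatment of local
 addresses and upper-casing, and all sample users and sites are assumptions
 constructed for illustration.

```python
"""Model of the auto-forward rules (#31, #31.1, #31.2, waiver key). Added example."""

NO_WAIVER = "38130.1"        # dialog: no forwarding to a non-VA site
SITE_NOT_WAIVED = "38130.2"  # dialog: key held, but site not in #31.2

def site_of(address):
    """Upper-cased site part of 'name@site'; None for a local address."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().upper()

def matches(site, entries):
    """True if site is listed, or ends in a listed entry (per the DD text)."""
    return any(site.endswith(e.upper()) for e in entries)

def check_forward(address, limited, approved, waiver_sites, has_key):
    """Return (allowed, dialog number or None) for one forwarding address."""
    site = site_of(address)
    if not limited or site is None:  # assumption: local addresses unrestricted
        return True, None
    if matches(site, approved):
        return True, None
    if not has_key:                  # no XM AUTO-FORWARD WAIVER key
        return False, NO_WAIVER
    if matches(site, waiver_sites):
        return True, None
    return False, SITE_NOT_WAIVED

def audit(accounts, limited, approved, waiver_sites):
    """Non-compliant (user, address, dialog) rows, for periodic ISO review."""
    rows = []
    for user, address, has_key in accounts:
        ok, dialog = check_forward(address, limited, approved, waiver_sites, has_key)
        if not ok:
            rows.append((user, address, dialog))
    return rows

# Constructed sample data: users, addresses and the waiver site are made up.
APPROVED = [".VA.GOV"]                       # what the post-init puts in #31.1
WAIVER_SITES = ["PARTNER-HOSPITAL.EXAMPLE"]  # hypothetical #31.2 entry
ACCOUNTS = [
    ("USER,ONE", "one@FORUM.VA.GOV", False),
    ("USER,TWO", "two@mail.example.com", False),
    ("USER,THREE", "three@partner-hospital.example", True),
    ("USER,FOUR", "four@mail.example.com", True),
    ("USER,FIVE", "five@NOTVA.GOV", False),
]

if __name__ == "__main__":
    for row in audit(ACCOUNTS, True, APPROVED, WAIVER_SITES):
        print(row)
```

 Because the match is by suffix, an approved entry typed without its
 leading dot (VA.GOV rather than .VA.GOV) would also accept a site such as
 NOTVA.GOV in this model, which is one reason to leave the post-init values
 unaltered.
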
 ==========================================================================
 ROUTINES:

 The second line of the routine now looks like:

 ;;8.0;MailMan;**[patch list]**;Jun 28, 2002

                 Before       After
 Name           Checksum     Checksum     Patch List
 ------------------------------------------------------------------
 XMS3           11387711     11418836     18
 XMTDF           7250797      7274937     18
 XMTDL1          4584627      4612350     18
 XMTDT           8338601      8357661     18
 XMVGROUP       13634422     13668722     18
 XMVVITA         7297401      7642421     18
 XMXADDR        16602920     16855980     18
 XMXADDR3        8833831     11117868     18
 XMXADDRG       16118455     16127990     18
 XMYP18          * NEW *       173745     18

 * Checksums produced by CHECK^XTSUMBLD

 This patch introduces the following new routines:
 XMYP18 is the post-init, and will be deleted once it's run.

 ==========================================================================
 INSTALLATION:

 NOTE: This patch should be installed during off hours, when user
       activity is at a minimum. It has no patch prerequisites.

 1. Users may be on the system during installation of this patch.

 2. DSM Sites: If any of these routines is mapped, disable mapping for
    the affected routine(s).

 3. On the PackMan menu, use the 'INSTALL/CHECK MESSAGE' option. This
    loads the patch into a Transport Global on your system.

 4. Users may be on the system. You do not need to stop TaskMan, but you
    should stop the background filer.

 5. On the Manage MailMan:Local Delivery Management menu, use the
    following option to stop the background filer:

      STOP background filer
      Are you sure you want the BACKGROUND FILERS to STOP delivering
      mail? NO// YES
                 ===
      << Background filer will stop soon. >>

 6. On the KIDS:Installation menu, use the following options to install
    the Transport Global:

      Verify Checksums in Transport Global
      Print Transport Global
      Compare Transport Global to Current System
      Backup a Transport Global
      Install Package(s)

      Select INSTALL NAME: XM*8.0*18    Loaded from Distribution
                           =========
      Install Questions for XM*8.0*18

      Want KIDS to INHIBIT LOGONs during the install? YES// NO
                                                            ==
      Want to DISABLE Scheduled Options, Menu Options, and Protocols?
      YES// NO
            ==
      Enter the Device you want to print the Install messages.
      You can queue the install by enter a 'Q' at the device prompt.
      Enter a '^' to abort the install.

      DEVICE: HOME//
      -------------------

 7. On the Manage MailMan:Local Delivery Management menu, use the
    following option to start the background filer:

      START background filer
      << Background filer will start soon. >>

 8. DSM Sites: After patch has installed, rebuild your map set, if
    necessary.

Routine Information:
====================

Routine Name:
  - XMS3
Routine Checksum:

Routine Name:
  - XMTDF
Routine Checksum:

Routine Name:
  - XMTDL1
Routine Checksum:

Routine Name:
  - XMTDT
Routine Checksum:

Routine Name:
  - XMVGROUP
Routine Checksum:

Routine Name:
  - XMVVITA
Routine Checksum:

Routine Name:
  - XMXADDR
Routine Checksum:

Routine Name:
  - XMXADDR3
Routine Checksum:

Routine Name:
  - XMXADDRG
Routine Checksum:

=============================================================================
User Information:
Entered By  : BEUSCHEL,GARY                 Date Entered  : MAY 19, 2003
Completed By: SINGH,GURBIR                  Date Completed: JUN 24, 2004
Released By : HARROD,PAUL                   Date Released : JUN 24, 2004
=============================================================================

Packman Mail Message:
=====================

$END TXT