There’s nothing more important than security. Your agency’s resources and data need protection from threats and malware hitting your system from outside your network. You need a stable, secure infrastructure protected by Avue’s Three Rings of Security: Data, Physical and Personnel. At Avue, rock-solid, reliable security has always been the foundation of our software platforms.
Avue Compliance with Section 508
The Avue platform has been entirely developed with accessibility standards in mind, per Section 508 of the Rehabilitation Act of 1973 (as amended). All Avue features and functionality have been carefully examined and tested with leading assistive technologies. Furthermore, Avue’s customer agencies have also tested the usability and accessibility of the entire application, including a major on-site test with one client that had a very large unit of disabled employees (nearly 100), all of whom needed to use assistive technologies. In all cases, employees were able to use all aspects of the application, from applying for positions through the most detailed features for power users, such as ad hoc report generation.
In addition to the initial steps undertaken to achieve compliance, maintaining Avue’s Section 508 compliance is an ongoing effort. Actual users requiring assistive technologies are everyday users of the Avue system and Avue is constantly working with its customers to improve its interface. Each new functionality enhancement to the Avue system is tested and viewed for ongoing Section 508 compliance as the system is upgraded. Unlike other products, all of the Avue system, not simply portions of it, is Section 508 compliant, including Avue’s robust reporting tools. An example of this continuing commitment has been Avue’s work with the National Federation of the Blind (NFB) beginning in the summer of 2011 in which Avue’s system has been extensively tested in the NFB’s state of the art assistive technology lab to ensure that Avue not merely meets the Section 508 standards, but is engineered to perform at the very best possible level with assistive technologies.
Avue’s Section 508 record is sterling: it has never had a formal complaint. Avue’s compliance goes beyond mere promises, as Avue had to affirmatively demonstrate its compliance as part of achieving HRLoB certification. To become and remain a certified HRLoB product, Avue has to comply with a lengthy and rigorous list of requirements, including specific references for Section 508 compliance.
Finally, because Avue is proud of its record of Section 508 compliance and eager to provide all Avue’s clients with complete assurance to this effect, the Avue Master Subscription Agreement (MSA) now contains an express warranty to the client that the Avue system is, and will continue to be in every respect, fully compliant with Section 508.
Avue Security Capabilities
In accordance with OMB M-08-21, Avue incorporates security and FISMA requirements as a standard part of our “all-you-can-eat” subscription. It is not an added cost or an à la carte feature that clients opt in for, but rather an embedded part of the Avue offering. In accordance with DTM 08-027, Avue specifically provides Security for Unclassified DoD Information on Non-DoD Information Systems in accordance with NIST standards. Avue C&A audits have been achieved by client agencies under NIST 800-53 rev 3 in an identical manner to that which they would assess any other internal system. Avue currently has an ATO with the Department of Justice that is valid through 2013.
All data in use and at rest is encrypted using FIPS 140-2 certified technologies to guard against unauthorized users and cyber threats. Authorized access in Avue is restricted to applications and data using role-based security and permissions. Each user is a named, unique user and is provided with unique user identification and password. System privileges are configured based on the user’s role (e.g. HR Specialist, Manager, Employee, System Admin, DBA, etc.), approval level, delegations, and special permissions to provide a separation of duties, with control limited to the least privileged user role. User accounts, emails, and the roles provided to each user are managed in the system by Avue and updated at the request of the Agency. The system banner and login screens display pre-established security and privacy statements. Access to Personally Identifiable Information (PII) data is specifically restricted to only those individuals who have an Agency-designated Privileged User Role for report generation and output. All other users with access to online reports or data feeds are restricted to data access that does not include PII. Additionally, users are not able to view, scrape, or print PII that is contained in the system for operations purposes, as it is masked for those users that are not granted full data access. All roles and access levels are agency configurable, up to and including access to system features, password length, and user credential expiration rules. All changes and actions taken in regard to user accounts and agency configurations are captured in the User Management Audit Log and stamped with the time, date, and User ID for audit trail logging.
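The access model described above (deny-by-default role permissions, PII masked for every role except the agency-designated privileged reporting role, and an audit entry stamped with time, date and user ID for each access decision) can be sketched as a small reference model. The following is an added illustration, not Avue's code: the role names, permission table, field names and log layout are assumptions chosen to show the pattern, and the sample record is constructed.

```python
"""Illustrative model of role-based PII masking and audit logging.

Added example, not Avue's code. Role names, the permission table, the PII
field list and the audit-entry layout are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Role(Enum):
    EMPLOYEE = "Employee"
    MANAGER = "Manager"
    HR_SPECIALIST = "HR Specialist"
    PRIVILEGED_REPORTS = "Privileged Report User"  # assumed name for the agency-designated role


# Fields treated as PII; only a role holding "view_pii" sees them unmasked.
PII_FIELDS = {"ssn", "date_of_birth", "home_address"}

# Deny-by-default permission table: anything not listed is refused.
ROLE_PERMISSIONS = {
    Role.EMPLOYEE: {"view_own_record"},
    Role.MANAGER: {"view_own_record", "view_team_report"},
    Role.HR_SPECIALIST: {"view_own_record", "view_team_report", "run_report"},
    Role.PRIVILEGED_REPORTS: {"view_own_record", "view_team_report", "run_report", "view_pii"},
}


@dataclass
class User:
    user_id: str
    role: Role


@dataclass
class AuditLog:
    """Append-only list of access decisions, each stamped with UTC time and user ID."""
    entries: list = field(default_factory=list)

    def record(self, user: User, action: str, outcome: str) -> dict:
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role.value,
            "action": action,
            "outcome": outcome,
        }
        self.entries.append(entry)
        return entry


def has_permission(user: User, permission: str) -> bool:
    """Least privilege: a permission is granted only if the role explicitly lists it."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def mask_value(value: str) -> str:
    """Replace all but the last four characters so the field stays matchable but unreadable."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def render_record(user: User, record: dict, log: AuditLog) -> dict:
    """Return a copy of the record with PII masked unless the user holds view_pii.

    Denied and permitted accesses are both written to the audit log.
    """
    if not has_permission(user, "run_report"):
        log.record(user, "run_report", "denied")
        raise PermissionError(f"{user.user_id} lacks run_report")
    full_access = has_permission(user, "view_pii")
    out = {}
    for key, value in record.items():
        if key in PII_FIELDS and not full_access:
            out[key] = mask_value(str(value))
        else:
            out[key] = value
    log.record(user, "run_report", "pii_unmasked" if full_access else "pii_masked")
    return out


# Constructed sample record; every value is fake.
SAMPLE_RECORD = {"name": "Pat Example", "ssn": "123-45-6789", "grade": "GS-12"}

if __name__ == "__main__":
    log = AuditLog()
    print(render_record(User("hr01", Role.HR_SPECIALIST), SAMPLE_RECORD, log))
    print(render_record(User("rpt01", Role.PRIVILEGED_REPORTS), SAMPLE_RECORD, log))
    for entry in log.entries:
        print(entry)
```

Run as a script, the HR Specialist sees the SSN as `*******6789` while the privileged reporting role sees it in full, and both reads appear in the audit log. The two design points worth copying are that masking is applied on the way out of the data layer (so a non-privileged role cannot reach the raw value through any report path) and that the denied branch is logged before the exception is raised, so a refused access leaves the same kind of stamped record as a permitted one.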
Avue is fully compliant with the OMB Memorandum M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information, issued 22 May 2007. Avue operates in full accordance with the requirements of this Memorandum. Avue also meets the requirements of former OPM Director Linda Springer’s Memorandum of 19 June 2007: Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft. Avue already uses strict access restriction, audit capability on use of PII, and agency-specific rules of behavior in the standard workflow provided in the Avue system to enable clients to meet these requirements. Avue does not use an applicant’s SSN as a “key” field in the system and does not collect applicant SSNs at all.
Personnel Security Requirements
Avue security currently meets all required NIST and FISMA standards and has been certified and accredited by several Federal client agencies. Avue’s personnel security covers Avue data center physical security, operations, internal networks, database and data access, and personnel clearances. Avue provides all employees with annual security training in addition to the standard policies and procedures laid out in the Avue Personnel and Policy Manual in its Rules of Behavior and Client Confidentiality clauses. As with subscriber agency clients, Avue provides role-based security all the way down to the individual user level for access control and separation of duties for Avue employees. Every staff member is highly qualified and subjected to a background investigation prior to being given systems-level or even user-level access. Currently, all Avue staff members have submitted SF-86 Background Investigation Forms and fingerprints to client agencies for processing and clearance adjudication and have received their appropriate clearances to handle agency information. Staff members that have access to Avue’s Data Centers are strictly limited as to their specific roles, and all have current Federal Government clearances.
System Security Plan (SSP)
Avue has an implemented and maintained plan describing its security program and how that plan satisfies the security requirements identified by NIST and our Federal Agency Clients, including how improved security-related processes and technologies are to be incorporated into the contract as they become available, along with any new accreditation paths such as FedRAMP. The Avue SSP covers: (1) Organizational security roles which identify least privileged roles; (2) Physical security of Contractor systems and facilities; (3) Risk assessment procedures; (4) Maintenance and testing of security systems; (5) Security monitoring procedures; (6) Procedures and timeframes for resolving security deficiencies and all POA&M items; and (7) Procedures for the prevention of and response to security breaches.
Certification and Accreditation Compliance and Vulnerability Monitoring
Avue has achieved an accreditation memo from DOJ for the Avue system using a DOJ-approved C&A package and in accordance with NIST SP 800-37 and 800-53 rev. 3. Avue will continue to support and facilitate the DOJ’s C&A process as well as every other Federal Agency Client’s specific C&A process, and will continually evolve the capabilities of the system to address new threats to the system and incorporate technological advances in security-related areas. Avue provides all Federal Agency Clients with compliance reporting for continuous monitoring through the Avue vulnerability management program, which supports monthly scanning using tools such as Foundstone, App Detective, and Security Expressions — other scans can be used as needed and identified. Avue has additionally implemented tools such as IBM ISS X-Force continuous monitoring services and reporting and Splunk’s tool for system log auditing and alerts.
Along with our Department of Justice sponsor, Avue will be pursuing the first government-wide ATO provided by FedRAMP. Avue meets all of the FedRAMP requirements for the first round of assessment, including being a multi-tenant cloud offering with existing Federal contracts, clients, and active ATOs.