OneVA Technical Reference Model (TRM) Waiver Request Form

Purpose

Projects and offices may request approval to use tools and technologies that meet the following guidelines:

1.  Are unapproved on the OneVA Technical Reference Model (TRM),

2.  Are pending evaluation and publication on the OneVA TRM,

3.  Have constraints requiring a waiver prior to use, or

4.  Have constraints listed on a published OneVA TRM entry that the project/office cannot operate within.

Note: Waivers cannot be granted for tools and technologies that are prohibited on the OneVA TRM.

OneVA TRM waivers are reviewed and approved by the Strategic Technology Alignment Team (STAT) on a rolling basis. This document is required to formally request a OneVA TRM waiver.

Instructions

Complete each field in this document and provide details of the office requesting this waiver, along with a clear justification. Please remove all blue instructional text when finished. Once completed, please submit to the STAT inbox at .

Key Notes

·  Begin working with your applicable Information Security Officers (ISOs) as soon as possible when planning to request a waiver. ISOs are crucial to the early identification of risks and vulnerabilities that may lead to a denied request.

·  If the tool you are requesting will handle Personal Health Information (PHI) or Personally Identifiable Information (PII), you must also submit a Plan of Action and Milestones (POA&M) from RiskVision.

·  If the tool you are requesting is cloud-based, you must visit the Enterprise Security Change Control Board (ESCCB) for a Memorandum of Understanding (MOU). Please visit https://esccb.va.gov for more details.

·  Submitters must include a link to the applicable TRM entry. If a product (or version number) is not currently listed on the TRM, a TRM evaluation request must be submitted prior to requesting a waiver.

/ Response
Technology Name / Note the name of the technology being requested within this waiver.
Technology Version Number / Note the version number of the technology being requested within this waiver.
Link to TRM Entry / Provide a link to the TRM entry containing the TRM’s final decision. If a TRM evaluation request was submitted, please provide that link here.
Waiver Sponsor Name and Contact Information / Note the name of the waiver sponsor (must be government staff), a VA email address, and a telephone number.
Office or Project Name / Provide the name of the office/facility that requires the use of the non-TRM-compliant technology.
Office or Project Description / Describe the mission and scope of the office or project.
Waiver Justification / Explain, in detail, why this waiver is being requested. Explicitly describe the specific business need that this particular technology fulfills, noting why existing TRM-compliant tools are not adequate. Also include a brief explanation of any negative impacts that may result from the waiver not being approved.
Transition Plan / Provide the details of a transition plan away from use of the non-compliant product. Please include details of the transition timeline.
Is funding in place? / Yes ☐ No ☐
Please select the box that describes available funding to transition to a compliant solution and provide a short description of the available funding for your project.
Do you have an Authority to Operate (ATO)? / Yes ☐ No ☐
Note whether the system has an Authority to Operate (ATO). If there is an ATO, note whether the technology being requested is specifically addressed, the expiration date, and any conditions.
Office of Information Security (OIS) Analysis / Before submitting waiver documentation, projects must coordinate with their Information Security Officers (ISOs) to analyze risks and determine if a comprehensive risk assessment is required. If required, please include a copy of the risk assessment (i.e. POA&M) completed in RiskVision with this waiver request.
Critical Decision Review Dates / CD1:
CD2:
For projects in the Veterans-focused Integrated Process (VIP), please include dates for Critical Decisions 1 and 2, if known.
Will your tool be deployed on a medical Virtual LAN? / Yes ☐ No ☐
Please select the applicable answer.
System/Server Numbers / Please provide a list of system and/or server names this tool will be deployed on.
Is technology cloud-based? / Yes ☐ No ☐
If yes, please answer questions and follow guidelines on the next page.
Cloud Technology / Yes ☐ No ☐
Is your system currently operating in a cloud environment, to include a hybrid or on/off-premises cloud?
Yes ☐ No ☐
If not, would you like more detailed information and resources to assist in a technical evaluation on moving to cloud services?

Questions for Cloud-based Technologies

Please have a technical contact answer the following questions if the OneVA TRM waiver being requested is for a cloud-based tool.

Important note: Cloud-based requests must be reviewed by the Enterprise Security Change Control Board (ESCCB). Prior to submitting the waiver request, please begin coordinating with the ESCCB at .

/ Response
Is the cloud provider FISMA/FedRAMP compliant? / Yes ☐ No ☐
Please select the applicable answer.
Does the cloud solution comply with the Statement on Auditing Standards No. 70 (SAS70), the Health Insurance Portability and Accountability Act (HIPAA), or the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)? / Yes ☐ No ☐
Please select the applicable answer.
Does the cloud provider have a Comprehensive Disaster Recovery Plan? / Yes ☐ No ☐
Please select the applicable answer.
Does the cloud provider offer multitenancy? If so, what mitigations are in place to protect the environment? / Yes ☐ No ☐
Please select the box that describes whether the cloud provider offers multitenancy and, if Yes, provide a short description of the mitigations in place to protect the environment.
Type of cloud service: / Software as a Service (SaaS) ☐
Platform as a Service (PaaS) ☐
Infrastructure as a Service (IaaS) ☐
Does this cloud solution reduce technology complexity? / Yes ☐ No ☐
Please select the applicable answer.
Does the cloud vendor offer robust integration capabilities? / Please provide a brief description of the vendor’s maturity and the integration capabilities available to VA.