Frequently Asked Questions (FAQs)

  1. How do I submit Project Status Reports?
  2. Where can I find a government calendar listing the government holidays?
  3. If I need to get a firewall rule change implemented, when must my Request for Change (RFC) be submitted?
  4. Is a Request for change (RFC) required for a Vulnerability Assessment (VA)?
  5. Can a project team submit an RFC for a Go Live event before the Vulnerability Assessment has been signed off by Information Management?
  6. Can a project team submit an RFC to the OCIO without the approvals, as long as those approvals are in place by the requested change date?
  7. Are VAs only done on external facing applications?
  8. Does the Project Steering Committee, or the PMO decide if a VA is required?
  9. Can an ‘internal VA’ replace a VA?
  10. Does approval for a ‘VA Fast Track’ mean my project doesn’t require a VA?
  11. If my project has a change in scope, do I need to re-engage the Information Protection Division to review the VA recommendation?
  12. Can a project get a ‘go live’ even if all VA report items are not 100% mitigated?

1.  How do I submit Project Status Reports?

Project Managers (PMs) are required to submit project status reports online using the PPM application. Project Managers can access the PPM via a PMO provided url using their Active Directory user log on credentials. The url is only accessible within the GNL intranet (i.e. LAN, WAN or VPN).

If you are a PM looking for access to the PPM application, please contact the PMO at Project Management Office (PMO).

^ Top of Page

2.  Where can I find a government calendar listing the government holidays?

The website containing a list of government calendars can be found at here.

^ Top of Page

3. If I need to get a firewall rule change implemented, when must my Request for Change (RFC) be submitted?

Firewall rule changes are done by the OCIO on Tuesday and Thursday evenings. For any requests involving firewall rule changes, ensure the RFC is submitted at least 10 days prior to the Change Advisory Board (CAB) meeting reviewing the request. (i.e., Submit the request on a Tuesday for CAB meeting 10 business days in the future). This will allow for the required time for the various OCIO teams to complete their responsibilities associated with these types of requests. The Firewall Rule Change form must be submitted with the RFC.

^ Top of Page

4. Is a Request for change (RFC) required for a Vulnerability Assessment (VA)?

An RFC for a VA is required if:

  • The VA is being done in a shared production environment, or
  • The application / infrastructure requiring the VA is live (being used by the intended user community).

^ Top of Page

5. Can a project team submit an RFC for a Go Live event before the Vulnerability Assessment has been signed off by Information Protection?

No. The VA must be signed off by Information Protection before the Delivery Manager will approve the Request for Change for the Go Live Event.

^ Top of Page

6. Can a project team submit an RFC to the OCIO without the approvals, as long as those approvals are in place by the requested change date?

Approvals must be submitted with the RFC in order for your request to be processed. The RFC will not be submitted to Change Management for processing unless the required approvals are in place and submitted with the RFC.

^ Top of Page

7. Are VAs only done on external facing applications?

No, VAs are performed on internal and external applications and infrastructure. Other factors come into play for a VA recommendation such as the sensitivity of the information, the complexity of the environment, etc. With the growing number of users on the Government network, due diligence requires we assess possible internal threats as well external.

^ Top of Page

8. Does the Project Steering Committee, or the PMO decide if a VA is required?

No, only the Information Protection Division) can make a determination as to whether or not a VA is required.

^ Top of Page

9. Can an ‘internal VA’ replace a VA?

No, at this time the OCIO does not conduct internal VAs but the OCIO does have excellent scanning tools that can be used to prepare projects for the VA process, and also to re-scan after VAs have been completed to ensure all remediation has been done.

^ Top of Page

10. Does approval for a ‘VA Fast Track’ mean my project doesn’t require a VA?

No, a ‘VA Fast Track’ means that approval was provided to implement a system and/or infrastructure prior to the completion of the VA but a VA will still be completed post-production. The team that implemented the solution is still required to complete the VA and address the remediation efforts to OCIO’s satisfaction.

^ Top of Page

11. If my project has a change in scope, do I need to re-engage the Information Protection Division to review the VA recommendation?

Yes, you are required to contact the Information Protection Division to discuss a change in project scope to determine if it impacts the VA recommendation.

^ Top of Page

12. Can a project get a ‘go live’ even if all VA report items are not 100% mitigated?

Yes, while OCIO has a requirement to address all VA report items, OCIO recognizes that some issues fall outside the scope of the project team’s ability to mitigate prior to ‘go live’. If the project team provides valid justification for why some mitigation can’t take place prior to ‘go live’, the Information Protection Division will either accept the deviation or will continue to the track mitigation efforts where necessary.

^ Top of Page

Adobe® Acrobat® Reader software can be used for viewing PDF documents. Download Acrobat® Reader for free .