|
|
| (54 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| ====AC-1 Access control policy and procedure====
| |
| This control recommends the organization develop, document, disseminate, review, and update an access control policy. Taking into account regulations, standards, policy, guidance, and law, this policy essentially details the security controls and enhancements "that specify how access is managed and who may access information under what circumstances."<ref name="NISTAccess18">{{cite web |url=https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides |title=Access Control Policy and Implementation Guides |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=29 March 2018 |accessdate=23 July 2020}}</ref>
| |
|
| |
|
| '''Additional resources''':
| | ==The laws themselves== |
| * [https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides NIST Access Control Policy and Implementation Guides]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 59
| |
| * [https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html OWASP Access Control Cheat Sheet]
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
| |
|
| |
|
| ====AC-2 Account management==== | | ===1. Federal Telecommunications Act of 1996, Section 255 ([https://www.law.cornell.edu/uscode/text/47/255 47 U.S.C. § 255 - Access by persons with disabilities])=== |
| This control recommends the organization develop a series of account management steps for its information systems. Among its many recommendations, it asks the organization to clearly define account types (e.g., individual, group, vendor, temporary, etc.), their associated membership requirements, and policy dictating how accounts should be managed; appoint one or more individuals to be in charge of account creation, approval, modification, compliance review, and removal; and provide proper communication to those account managers when an account needs to be modified, disabled, or removed.
| |
|
| |
|
| '''Additional resources''': | | <blockquote>'''(b) Manufacturing''' |
| * [https://www.scribd.com/document/14275780/Sample-Account-Management-Policy AAA Technical Writing LLC Sample Account Management Policy]
| | A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable. |
| * [https://csrc.nist.gov/publications/detail/sp/1800-18/draft NIST Special Publication 1800-18 (Draft)]
| |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
|
| |
|
| ====AC-2 (3) Account management: Disable inactive accounts====
| | '''(c) Telecommunications services''' |
| This control enhancement recommends the system have the ability to automatically disable an inactive account after a designated period of time.
| |
|
| |
|
| '''Additional resources''':
| | A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable. |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.28]
| |
|
| |
|
| ====AC-2 (4) Account management: Automated audit actions====
| | '''(d) Compatibility''' |
| This control enhancement recommends the system have the ability to automatically audit creation, modification, enabling, disabling, and removal actions performed on accounts, as well as notify designated individuals or roles of those actions.
| | Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.</blockquote> |
|
| |
|
| '''Additional resources''': | | The term '''disability''' is [https://www.law.cornell.edu/uscode/text/42/12102 defined here]. You can read the full entry, but the basics are: |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]
| |
|
| |
|
| ====AC-2 (7) Account management: Role-based schemes====
| | <blockquote>'''(1) Disability''' The term “disability” means, with respect to an individual— |
| This control enhancement recommends the organization take additional action in regards to accounts with privileged roles. NIST defines privileged roles as "organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform." The organization should not only use a role-based mechanism for assigning privileges to an account, but also the organization should monitor the activities of privileged accounts and manage those accounts when the role is no longer appropriate.
| | :'''(A)''' a physical or mental impairment that substantially limits one or more major life activities of such individual; |
|
| |
|
| '''Additional resources''': | | :'''(B)''' a record of such an impairment; or |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.35] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4]
| |
|
| |
|
| ====AC-2 (11) Account management: Usage conditions====
| | :'''(C)''' being regarded as having such an impairment (as described in paragraph (3)).</blockquote> |
| This control enhancement recommends the system allow for the configuration of specific usage conditions or circumstances under which an account type can be used. Conditions or circumstances for account activity may include role, physical location, logical location, network address, or chronometric criterion (time of day, day of week/month).
| |
|
| |
|
| '''Additional resources''': | | The term '''readily achievable''' is [https://www.law.cornell.edu/uscode/text/42/12181 defined here]. It is defines as: |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.23]
| |
|
| |
|
| ====AC-3 Access enforcement====
| | <blockquote>'''(9) Readily achievable''' The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include— |
| This control recommends the system be capable of enforcing system access based upon the configured access controls (policies and mechanisms) put into place by the organization. This enforcement could occur at the overall information system level, or be more granular at the application and service levels.
| |
|
| |
|
| '''Additional resources''': | | :'''(A)''' the nature and cost of the action needed under this chapter; |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.25, 32.35], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
| | :'''(B)''' the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility; |
| | :'''(C)''' the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and |
| | :'''(D)''' the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.</blockquote> |
|
| |
|
| ====AC-6 Least privilege==== | | ===2. Rehabilitation Act of 1973, Section 508, amended ([https://www.law.cornell.edu/uscode/text/29/794d 29 U.S.C. 794d] - Electronic and information technology)=== |
| This control recommends the organization use the principle of "least privilege" when implementing and managing accounts in the system. The concept of least privilege essentially "requires giving each user, service, and application only the permissions needed to perform their work and no more."<ref name="NetwrixBestPrac19">{{cite web |url=https://www.netwrix.com/guide_to_implementing_the_least_privilege_principle |title=Best Practice Guide to Implementing the Least Privilege Principle |publisher=Netwrix Corporation |date=05 April 2019 |accessdate=23 July 2020}}</ref>
| |
|
| |
|
| '''Additional resources''': | | There's a government website dedicated to Section 508: [https://www.section508.gov/ https://www.section508.gov/] The related laws and polices can be [https://www.section508.gov/manage/laws-and-policies/ found here]. The intro states (italics emphasis mine): |
| * [https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege CISA Least Privilege]
| |
| * [https://www.netwrix.com/guide_to_implementing_the_least_privilege_principle Netwrix ''Best Practice Guide to Implementing the Least Privilege Principle'']
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.4]
| |
|
| |
|
| ====AC-6 (1) Least privilege: Authorize access to security functions====
| | <blockquote>In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) ''applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology''. Under Section 508, agencies must give ''disabled employees and members of the public'' access to information comparable to the access available to others. |
| This control enhancement recommends the organization provide access to specific security-related functions and information in the system to explicitly authorized personnel. In other words, one or more specific system administrators, network administrators, security officers, etc. should be given access to configure security permissions, monitoring, cryptographic keys, services, etc. required to ensure the system is correctly protected.
| |
|
| |
|
| '''Additional resources''':
| | The [https://www.access-board.gov/ U.S. Access Board] is responsible for developing Information and Communication Technology (ICT) accessibility ''standards'' to ''incorporate into regulations that govern Federal procurement practices.'' On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018. |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18]
| |
|
| |
|
| ====AC-6 (4) Least privilege: Separate processing domains====
| | The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines ''in response to market trends and innovations in technology.'' The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, ''and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.''</blockquote> |
| This control enhancement recommends the system provide separate processing domains in order to make user privilege allocation more granular. This essentially means that through using virtualization, domain separation mechanisms, or separate physical domains, the overall information system can create additional fine layers of access control for a particular domain.
| |
|
| |
|
| '''Additional resources''':
| | In discussing ICT, the U.S. Access Board [https://www.access-board.gov/ict/#b-summary-of-key-provisions summarized the key provisions] as such: |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.16]
| |
|
| |
|
| ====AC-6 (9) Least privilege: Auditing use of privileged functions====
| | <blockquote>The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.</blockquote> |
| This control enhancement recommends the system perform auditing functions on any privileged functions that get executed in the system. This allows organizations to review audit records to ensure the effects of intentional or unintentional misuse of privileged functions is caught early and mitigated effectively.
| |
|
| |
|
| '''Additional resources''':
| | The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: [https://www.access-board.gov/ict/ https://www.access-board.gov/ict/] |
| * [https://www.centrify.com/resources/privileged-user-activity-auditing-the-missing-link-for-enterprise-compliance-and-security/ Centrify ''Privileged User Activity Auditing'']
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]
| |
|
| |
|
| ====AC-7 Unsuccessful logon attempts====
| | The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in [https://www.access-board.gov/ict/#chapter-5-software Chapter 5: Software] and [https://www.access-board.gov/ict/#chapter-6-support-documentation-and-services Chapter 6: Support Documentation and Services]. (If for some reason LLX is in the hardware domain, they'll want to also consider[https://www.access-board.gov/ict/#chapter-4-hardware Chapter 4: Hardware] If you're curious about the underlying standards, you can find them in [https://www.access-board.gov/ict/#chapter-7-%C2%A0-referenced-standards Chapter 7: Referenced Standards]. |
| This control recommends the system be capable of not only enforcing a specific number of failed logon attempts in a given period of time, but also automatically locking or disabling an account until released by the system after a designated period of time, or manually by an administrator.
| |
|
| |
|
| '''Additional resources''':
| | Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: [https://www.section508.gov/develop/ https://www.section508.gov/develop/] |
| * [https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold Microsoft "Account lockout threshold"] (Specific to Windows 10, but information still broadly useful)
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.32]
| |
|
| |
|
| ====AC-8 System use notification==== | | ==Additional information== |
| This control recommends the system be configurable to allow the creation of a system-wide notification message or banner before logon that provides vital privacy, security, and authorized use information related to the system. The message or banner should remain on the screen until acknowledged by the user and the user logs on. Note that the wording of such message or banner may require legal review and approval before implementation.
| |
|
| |
|
| '''Additional resources''':
| | 1. The Section 508 website and its glossary mention LIMS under "[https://www.section508.gov/art/glossary/#S scientific instrument]," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT." |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.30]
| | |
| | 2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: [https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502 https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502] |
|
| |
|
| ====AC-10 Concurrent session control====
| | 3. Some additional posts and guides that may be revealing: |
| This control recommends the system be able to limit the number of concurrent (running at the same time) sessions (log ins) globally, for a given account type, for a given a user, or by using a combination of such limiters. NIST gives the example of wanting to tighten security by limiting the number of concurrent sessions for system administrators or users working in domains containing sensitive data.
| | * [https://www.levelaccess.com/how-do-i-determine-if-my-web-site-or-application-is-section-508-compliant/ How do I determine if my website or application is Section 508 compliant?] |
| | | * [https://ftp.cdc.gov/pub/Software/RegistryPlus/508%20Compliance/508softwareandos.doc GSA Guide For Making Software Applications and Operating Systems Accessible] (.doc file; NOTE: No date, so not sure if incorporates amended material, so be careful) |
| '''Additional resources''':
| | * [https://www.dhs.gov/publication/dhs-section-508-compliance-test-processes DHS Section 508 Compliance Test Processes] |
| * [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html OWASP Session Management Cheat Sheet]
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.29]
| |
| | |
| ====AC-11 Session lock====
| |
| This control recommends the system be able to prevent further access to a system using a session lock, which activates after a defined period of inactivity or upon a user request. The session lock must be able to remain in place until the user associated with the session again goes through the system's identification and authentication process.
| |
| | |
| '''Additional resources''':
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.1] | |
| | |
| ====AC-14 Permitted actions without identification or authentication====
| |
| This control recommends the organization develop a list of user actions, if any, that can be performed on the system without going through the system's identification and authentication process. Any such list should be documented and provide supporting rationale as to why the authentication can be bypassed. This may largely pertain to public websites or other publicly accessible systems.
| |
| | |
| '''Additional resources''':
| |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ====AC-17 Remote access====
| |
| This control recommends the organization develop and document a remote access policy that addresses each type of remote access allowed into the system. Remote access involves communicating with the system through an external network, usually the internet. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved methods (e.g., wireless, broadband, Bluetooth, etc.). Some sort of access enforcement process should take place prior to allowing remote access (see AC-3 for said access enforcement).
| |
| | |
| '''Additional resources''':
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final NIST Special Publications 800-46, Rev. 2]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-113/final NIST Special Publications 800-113]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final NIST Special Publications 800-114, Rev. 1]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-121/rev-2/final NIST Special Publications 800-121, Rev. 2]
| |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ====AC-17 (1) Remote access: Automated monitoring and control====
| |
| This control enhancement recommends the system have the ability to monitor and control remote access methods. By enabling authorized individuals to audit the connection activity of remote users, compliance with remote access policies (see AC-17) can be ensured and cyber attacks caught early.
| |
| | |
| '''Additional resources''':
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.9] | |
| | |
| ====AC-17 (2) Remote access: Protection of confidentiality and integrity using encryption====
| |
| This control enhancement recommends the system have the ability to implement encryption mechanisms for remote access. This involves using "encryption to protect communications between the access device and the institution," using encryption "to protect sensitive data residing on the access device," or both.<ref name="RBIGuidelines">{{cite web |url=https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf |format=PDF |title=Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds |publisher=Reserve Bank of India |page=46 |accessdate=23 July 2020}}</ref>
| |
| | |
| '''Additional resources''':
| |
| * [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.1]
| |
| | |
| ====AC-18 Wireless access====
| |
| This control recommends the organization develop and document a wireless access policy, probably best done in conjunction with AC-17. NIST gives examples of wireless technologies such as microwave, packet radio, 802.11x, and Bluetooth. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved wireless technologies. Some sort of access enforcement process should take place prior to allowing a wireless connection to the system (see AC-3 for said access enforcement). In most cases this will be a built-in authentication protocol for the wireless network.
| |
| | |
| '''Additional resources''':
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-97/final NIST Special Publications 800-97]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-121/rev-2/final NIST Special Publications 800-121, Rev. 2]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-97/final NIST Special Publications 800-187]
| |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ====AC-19 Access control for mobile devices====
| |
| This control recommends the organization develop and document a mobile device (e.g., smart phone, tablet, e-reader) use and access policy. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved wireless technologies. Some sort of access enforcement process should take place prior to allowing a wireless connection to the system (see AC-3 for said access enforcement).
| |
| | |
| '''Additional resources''':
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final NIST Special Publications 800-114, Rev. 1] | |
| * [https://csrc.nist.gov/publications/detail/sp/800-124/rev-1/final NIST Special Publications 800-124, Rev. 1]
| |
| * [https://csrc.nist.gov/publications/detail/sp/800-164/draft NIST Special Publications 800-164, Draft]
| |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ====AC-20 Use of external information systems====
| |
| This control recommends the organization develop and document a policy concerning the use of external information systems to access, process, store, and transmit data from the organization's system. External information systems include (but are not limited to) personal devices, private or public computing devices in commercial or public facilities, non-federal government systems, and federal systems not operated or owned by the organization. This includes the use of cloud-based service providers. The organization should consider the trust relationships already established with contractors and other third parties when developing this policy.
| |
| | |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ====AC-22 Publicly accessible content====
| |
| This control recommend the organization develop and document policy on the use and management of public-facing components of the system, typically the public website. This control ensures that sensitive, protected, or classified information is not accessible by the general public. The organizational policy should address who's responsible for posting information to the public-facing system; how to verify the information being posted does not contain sensitive, protected, or classified information; and how to monitor the public-facing system to ensure any non-public information is removed upon discovery.
| |
| | |
| * No LIMSpec comp (organizational policy rather than system specification)
| |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
The laws themselves
(b) Manufacturing
A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable.
(c) Telecommunications services
A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable.
(d) Compatibility
Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.
The term disability is defined here. You can read the full entry, but the basics are:
(1) Disability The term “disability” means, with respect to an individual—
- (A) a physical or mental impairment that substantially limits one or more major life activities of such individual;
- (B) a record of such an impairment; or
- (C) being regarded as having such an impairment (as described in paragraph (3)).
The term readily achievable is defined here. It is defines as:
(9) Readily achievable The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include—
- (A) the nature and cost of the action needed under this chapter;
- (B) the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility;
- (C) the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
- (D) the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.
2. Rehabilitation Act of 1973, Section 508, amended (29 U.S.C. 794d - Electronic and information technology)
There's a government website dedicated to Section 508: https://www.section508.gov/ The related laws and polices can be found here. The intro states (italics emphasis mine):
In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508, agencies must give disabled employees and members of the public access to information comparable to the access available to others.
The U.S. Access Board is responsible for developing Information and Communication Technology (ICT) accessibility standards to incorporate into regulations that govern Federal procurement practices. On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018.
The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines in response to market trends and innovations in technology. The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.
In discussing ICT, the U.S. Access Board summarized the key provisions as such:
The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.
The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: https://www.access-board.gov/ict/
The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in Chapter 5: Software and Chapter 6: Support Documentation and Services. (If for some reason LLX is in the hardware domain, they'll want to also considerChapter 4: Hardware If you're curious about the underlying standards, you can find them in Chapter 7: Referenced Standards.
Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: https://www.section508.gov/develop/
Additional information
1. The Section 508 website and its glossary mention LIMS under "scientific instrument," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT."
2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502
3. Some additional posts and guides that may be revealing:
