Information assurance vulnerability alert
An information assurance vulnerability alert (IAVA) is an announcement of a computer application software or operating system vulnerability notification in the form of alerts, bulletins, and technical advisories identified by US-CERT, https://www.us-cert.gov/ US-CERT is managed by National Cybersecurity and Communications Integration Center (NCCIC), which is part of Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS). CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC) realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These selected vulnerabilities are the mandated baseline, or minimum configuration of all hosts residing on the GIG. US-CERT analyzes each vulnerability and determines if it is necessary or beneficial to the Department of Defense to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.
Information assurance vulnerability management (IAVM) program
[edit]The combatant commands, services, agencies and field activities are required to implement vulnerability notifications in the form of alerts, bulletins, and technical advisories. USCYBERCOM has the authority to direct corrective actions, which may ultimately include disconnection of any enclave, or affected system on the enclave, not in compliance with the IAVA program directives and vulnerability response measures (i.e. communication tasking orders or messages). USCYBERCOM will coordinate with all affected organizations to determine operational impact to the DoD before instituting a disconnection.
Background
[edit]On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS) and established CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to the memorandum, the alert system should:
- Identify a system administrator to be the point of contact for each relevant network system,
- Send alert notifications to each point of contact,
- Require confirmation by each point of contact acknowledging receipt of each alert notification,
- Establish a date for the corrective action to be implemented, and enable DISA to confirm whether the correction has been implemented.
The Deputy Secretary of Defense issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999. Current events of the time demonstrated that widely known vulnerabilities exist throughout DoD networks, with the potential to severely degrade mission performance. The policy memorandum instructs the DISA to develop and maintain an IAVA database system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications. The IAVA policy requires the Component Commands, Services, and Agencies to register and report their acknowledgement of and compliance with the IAVA database. According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers.
See also
[edit]- Attack (computing)
- Computer security
- Information security
- IT risk
- Threat (computer)
- Vulnerability (computing)
- Security Technical Implementation Guide
- Security Content Automation Protocol
External links
[edit]- [1] Office of the Inspector General, DoD Compliance with the Information Assurance Vulnerability Alert Policy, Dec 2001.
- [2] Chairman of the Joint Chiefs of Staff Instruction, 6510.01E, August 2007.
- DoD IA Policy Chart DoD IA Policy Chart
- [3] IAVA Site