Information Assurance Vulnerability Alert

An information assurance vulnerability alert (IAVA) is an announcement of a computer application software or operating system vulnerability notification in the form of alerts, bulletins, and technical advisories identified by US-CERT (https://www.us-cert.gov/). US-CERT is managed by the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS). CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC), realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These selected vulnerabilities are the mandated baseline, or minimum configuration, of all hosts residing on the GIG. US-CERT analyzes each vulnerability and determines if it is necessary or beneficial to the Department of Defense to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.


Information assurance vulnerability management (IAVM) program

The combatant commands, services, agencies and field activities are required to implement vulnerability notifications in the form of alerts, bulletins, and technical advisories. USCYBERCOM has the authority to direct corrective actions, which may ultimately include disconnection of any enclave, or affected system on the enclave, not in compliance with the IAVA program directives and vulnerability response measures (i.e. communication tasking orders or messages). USCYBERCOM will coordinate with all affected organizations to determine operational impact to the DoD before instituting a disconnection.


Background

On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS) and established CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

According to the memorandum, the alert system should:

* Identify a system administrator to be the point of contact for each relevant network system,
* Send alert notifications to each point of contact,
* Require confirmation by each point of contact acknowledging receipt of each alert notification,
* Establish a date for the corrective action to be implemented, and enable DISA to confirm whether the correction has been implemented.

The Deputy Secretary of Defense issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999. Current events of the time demonstrated that widely known vulnerabilities exist throughout DoD networks, with the potential to severely degrade mission performance. The policy memorandum instructs the DISA to develop and maintain an IAVA database system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications. The IAVA policy requires the Component Commands, Services, and Agencies to register and report their acknowledgement of and compliance with the IAVA database. According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers.


See also

* Attack (computing)
* Computer security
* Information security
* IT risk
* Threat (computer)
* Vulnerability (computing)
* Security Technical Implementation Guide
* Security Content Automation Protocol


External links



Office of the Inspector General, DoD Compliance with the Information Assurance Vulnerability Alert Policy, Dec 2001.

Chairman of the Joint Chiefs of Staff Instruction, 6510.01E, August 2007.
DoD IA Policy Chart

IAVA Site