Information Assurance Vulnerability Alert
Encyclopedia
An information assurance vulnerability alert (IAVA) is an announcement of a computer application software
or operating system
vulnerability
notification in the form of alerts, bulletins, and technical advisories identified by DoD-CERT, a division of the United States Cyber Command. These selected vulnerabilities are the mandated baseline
, or minimum configuration of all hosts residing on the GIG
. USCYBERCOM analyzes each vulnerability
and determines if it is necessary or beneficial to the Department of Defense
to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD
Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD
computer system assets that would potentially degrade mission performance.
, services, agencies and field activities are required to implement vulnerability notifications in the form of alerts, bulletins, and technical advisories. USSTRATCOM via its sub-unified command USCYBERCOM has the authority to direct corrective actions, which may ultimately include disconnection of any enclave, or affected system on the enclave, not in compliance with the IAVA program directives and vulnerability response measures (i.e. communication tasking orders or messages). USSTRATCOM and USCYBERCOM will coordinate with all affected organizations to determine operational impact to the DoD
before instituting a disconnection.
issued a classified memorandum on Information Assurance
, that instructed the DISA
, with the assistance of the Military Departments, to develop an alert system that ensured positive control of information assurance. According to the memorandum, the alert system should:
The Deputy, Secretary of Defense
issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999. Current events of the time demonstrated that widely known vulnerabilities exist throughout DoD networks, with the potential to severely degrade mission performance. The policy memorandum instructs the DISA
to develop and maintain an IAVA database
system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications. The IAVA policy requires the Component Commands
, Services, and Agencies to register and report their acknowledgement of and compliance with the IAVA database
. According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers.
Application software
Application software, also known as an application or an "app", is computer software designed to help the user to perform specific tasks. Examples include enterprise software, accounting software, office suites, graphics software and media players. Many application programs deal principally with...
or operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
vulnerability
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
notification in the form of alerts, bulletins, and technical advisories identified by DoD-CERT, a division of the United States Cyber Command. These selected vulnerabilities are the mandated baseline
Baseline (configuration management)
Configuration management is the process of managing change in hardware, software, firmware, documentation, measurements, etc. As change requires an initial state and next state, the marking of significant states within a series of several changes becomes important...
, or minimum configuration of all hosts residing on the GIG
Global Information Grid
The Global Information Grid is an all-encompassing communications project of the United States Department of Defense.It is defined as a "globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to...
. USCYBERCOM analyzes each vulnerability
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
and determines if it is necessary or beneficial to the Department of Defense
United States Department of Defense
The United States Department of Defense is the U.S...
to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD
United States Department of Defense
The United States Department of Defense is the U.S...
Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD
United States Department of Defense
The United States Department of Defense is the U.S...
computer system assets that would potentially degrade mission performance.
Information assurance vulnerability management program
The combatant commandsUnified Combatant Command
A Unified Combatant Command is a United States Department of Defense command that is composed of forces from at least two Military Departments and has a broad and continuing mission. These commands are established to provide effective command and control of U.S. military forces, regardless of...
, services, agencies and field activities are required to implement vulnerability notifications in the form of alerts, bulletins, and technical advisories. USSTRATCOM via its sub-unified command USCYBERCOM has the authority to direct corrective actions, which may ultimately include disconnection of any enclave, or affected system on the enclave, not in compliance with the IAVA program directives and vulnerability response measures (i.e. communication tasking orders or messages). USSTRATCOM and USCYBERCOM will coordinate with all affected organizations to determine operational impact to the DoD
United States Department of Defense
The United States Department of Defense is the U.S...
before instituting a disconnection.
Background
On February 15, 1998, the Deputy, Secretary of DefenseUnited States Deputy Secretary of Defense
The Deputy Secretary of Defense is the second-highest ranking official in the Department of Defense of the United States of America. The Deputy Secretary of Defense is appointed by the President, with the advice and consent of the Senate...
issued a classified memorandum on Information Assurance
Information Assurance
Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes...
, that instructed the DISA
Defense Information Systems Agency
The Defense Information Systems Agency is a United States Department of Defense agency that provides information technology and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands.As part of the Base Realignment and...
, with the assistance of the Military Departments, to develop an alert system that ensured positive control of information assurance. According to the memorandum, the alert system should:
- Identify a system administrator to be the point of contact for each relevant network system,
- Send alert notifications to each point of contact,
- Require confirmation by each point of contact acknowledging receipt of each alert notification,
- Establish a date for the corrective action to be implemented, and enable DISADefense Information Systems AgencyThe Defense Information Systems Agency is a United States Department of Defense agency that provides information technology and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands.As part of the Base Realignment and...
to confirm whether the correction has been implemented.
The Deputy, Secretary of Defense
United States Deputy Secretary of Defense
The Deputy Secretary of Defense is the second-highest ranking official in the Department of Defense of the United States of America. The Deputy Secretary of Defense is appointed by the President, with the advice and consent of the Senate...
issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999. Current events of the time demonstrated that widely known vulnerabilities exist throughout DoD networks, with the potential to severely degrade mission performance. The policy memorandum instructs the DISA
Defense Information Systems Agency
The Defense Information Systems Agency is a United States Department of Defense agency that provides information technology and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands.As part of the Base Realignment and...
to develop and maintain an IAVA database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications. The IAVA policy requires the Component Commands
Unified Combatant Command
A Unified Combatant Command is a United States Department of Defense command that is composed of forces from at least two Military Departments and has a broad and continuing mission. These commands are established to provide effective command and control of U.S. military forces, regardless of...
, Services, and Agencies to register and report their acknowledgement of and compliance with the IAVA database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
. According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers.
See also
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Computer securityComputer securityComputer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
- Information securityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
External links
- http://www.dodig.osd.mil/Audit/reports/fy01/01-013.pdf Office of the Inspector General, DoD Compliance with the Information Assurance Vulnerability Alert Policy, Dec 2001.
- http://www.dtic.mil/cjcs_directives/cdata/unlimit/6510_01.pdf Chairman of the Joint Chiefs of Staff Instruction, 6510.01E, August 2007.
- DoD IA Policy Chart DoD IA Policy Chart