IA-00109
Information Assurance Vulnerability Alert
DISA Internal Process and System
Jacqueline Price Snouffer
(717) 267-9997
9 February 1999
Form SF298 Citation Data
Report Date ("DD MON YYYY") 09021999
Report Type N/A
Dates Covered (from... to) ("DD MON YYYY")
Title and Subtitle Information Assurance Vulnerability Alert DISA Internal Process and System
Contract or Grant Number
Program Element Number
Authors
Project Number
Task Number
Work Unit Number
Performing Organization Name(s) and Address(es) DISA
Performing Organization Number(s)
Sponsoring/Monitoring Agency Name(s) and Address(es)
Monitoring Agency Acronym
Monitoring Agency Report Number(s)
Distribution/Availability Statement Approved for public release, distribution unlimited
Supplementary Notes
Abstract
Subject Terms "IATAC COLLECTION"
Document Classification unclassified
Classification of SF298 unclassified
Classification of Abstract unclassified
Limitation of Abstract unlimited
Number of Pages 22
REPORT DOCUMENTATION PAGE
Form Approved OMB No. 074-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503
1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE
2/9/99
3. REPORT TYPE AND DATES COVERED
Briefing
4. TITLE AND SUBTITLE
Information Assurance Vulnerability Alert DISA Internal Process and System
5. FUNDING NUMBERS
6. AUTHOR(S)
Jacqueline Price Snouffer
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
IATAC
Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church VA 22042
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES)
Defense Technical Information Center
DTIC-IA
8725 John J. Kingman Rd, Suite 944
Ft. Belvoir, VA 22060
10. SPONSORING / MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES
12a. DISTRIBUTION / AVAILABILITY STATEMENT
A
12b. DISTRIBUTION CODE
13. ABSTRACT (Maximum 200 Words)
This briefing outlines DISA's internal procedure for tracking IAVAs. It discusses the policy, procedures, organizations responsible for tracking the IAVAs, and the security features of the program.
14. SUBJECT TERMS
DISA, vulnerability
15. NUMBER OF PAGES
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT
Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE
UNCLASSIFIED
19. SECURITY CLASSIFICATION OF ABSTRACT
UNCLASSIFIED
20. LIMITATION OF ABSTRACT
None
IAVA Background
DOD has mandated that all C/S/A develop a methodology for ensuring:
- Vulnerability alert notifications are received by System Administrators
- Vulnerabilities are corrected within 30 days
- Periodic/Random validation of system status
IAVA-VCTS 2
VCTS Security Features
NIPRNET/SIPRNET
PKI Server Certificate
128 Bit SSL Encryption
- Netscape 4.05 or IE 4.0
- Userid
- Password
- Data
IP Filtering
Proxy Server
- NTFS Permissions
- SQL Server Permissions
- Encrypted Data
- Daily Backups
- Monitoring
BACKGROUND
Vulnerability Compliance Tracking System (VCTS) Capabilities
- Notification of alert to registered users based on function
- Acknowledgement of receipt by system
- Process for requesting waivers
- Tracking of closure/posture of vulnerabilities
VCTS Registration Process
DISA Form 41
RSA Chambersburg
- Create User's NT Account
- Load IP Address
- Create User Profile
- Prepare User Package
5 Days or Less
Return Receipt via FAX
User Account Activated within 24 hours
DMC Chambersburg fax: 717-267-9055
DSN: 570
FEDEX 1 day
User Types
- System/Network Administrators
  - Receives only those bulletins for systems they have registered or have been given update authority for
  - Requests waiver
  - Cannot view system data that they have not been given explicit permission to
Current Reports Available
- ISSM/XO
  - Compliance Summary Report by Vulnerability (VM02)
  - Active Users by Organization (VM03)
  - Registered Systems by Organization (VM04)
  - Waiver Summary Spreadsheet (VM08)
- SA/ISSM/XO
  - Compliance/Acknowledgement Report by System (VS01)
  - Compliance/Acknowledgement Report by Vulnerability (VS02)
V 2.0 Enhancements
- Link to Accredited System/Major Program
  - Allow for oversight by Program Management Office
  - Allow for Waiver Request/Granting for entire Program
  - Allow Email by PMO to SA(s)
  - Multiple accreditor based on system/program
  - Allow Accreditor to review site and system status
  - Allow Accreditor to review asset/component information
  - Cross Organizational browsing at program level
V 2.0 Enhancements
- Fully automate waiver process
  - Through ISSM/Program/Technical/Adjudication Chain
  - Process for Major Programs to be determined by Program
  - Multiple DAAs
  - Ability to establish different waiver processes depending on program or system
- Specifications out for comment on 1 March 1999
V 2.x Requested Enhancements
- Status Information
  - Update status after completion
  - Allow browse by XO, ISSM, PMO, CIO
  - Provide list of N/A reasons
- Allow ISSM to enter Organizational Comment
- Acknowledgement
  - Unacknowledge Receipt
  - Confirm Acknowledgement
V 2.x Requested Enhancements
- Subscription to bulletins
- ISSM to give permission to a system within their organization to any registered SA
- Supporting reports for new functionality