Information Assurance Vulnerabil Alert SYstem

1 IA-00109 Information Assurance VulnerabilDISA Internal Process andIItYAlertSYstemJacqueline Price 17) 267-99979 February 1999 Form SF298 Citation DataReport Date("DD MON YYYY") 09021999 Report TypeN/ADates Covered ( to)("DD MON YYYY") Title and Subtitle Information Assurance Vulnerability Alert DISA InternalProcess and SYstem Contract or Grant Number Program Element Number Authors Project Number Task Number Work Unit Number Performing Organization Name(s) and Address(es) DISAP erforming Organization Number(s) Sponsoring/Monitoring Agency Name(s) and Address(es) Monitoring Agency Acronym Monitoring Agency Report Number(s) Distribution/Availability Statement Approved for public release, distribution unlimitedSupplementary Notes Abstract Subject Terms "IATAC COLLECTION"Document Classification unclassifiedClassification of SF298 unclassifiedClassification of Abstract unclassified Limitation of Abstract unlimitedNumber of Pages 22 REPORT DOCUMENTATION PAGEForm ApprovedOMB No.

2 074-0188 Public reporting burden for this collection of Information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing this collection of Information . Send comments regarding this burden estimate or any other aspect of this collection of Information ,including suggestions for reducing this burden to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 205031. AGENCY USE ONLY (Leave blank)2. REPORT DATE2/9/993.

3 REPORT TYPE AND DATES COVEREDB riefing4. TITLE AND SUBTITLEI nformation Assurance Vulnerability Alert DISA InternalProcess and System5. FUNDING NUMBERS6. AUTHOR(S)Jacqueline Price Snouffer7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)8. PERFORMING ORGANIZATION REPORT NUMBERIATACI nformation Assurance Technology AnalysisCenter3190 Fairview Park DriveFalls Church VA 220429. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES)10. SPONSORING / MONITORING AGENCY REPORT NUMBERD efense Technical Information CenterDTIC-IA8725 John J. Kingman Rd, Suite 944Ft. Belvoir, VA 2206011. SUPPLEMENTARY NOTES12a. DISTRIBUTION / AVAILABILITY STATEMENT A12b. DISTRIBUTION CODE13.

4 ABSTRACT (Maximum 200 Words)This briefing outlines DISA's internal procedure for tracking IAVAs. It discusses thepolicy, procedures, organizations responsible for tracking the IAVAs, and the securityfeatures of the SUBJECT TERMSDISA, vulnerability15. NUMBER OF PAGES16. PRICE CODE17. SECURITY CLASSIFICATION OF REPORTU nclassified18. SECURITY CLASSIFICATION OF THIS PAGEUNCLASSIFIED19. SECURITY CLASSIFICATION OF ABSTRACTUNCLASSIFIED20. LIMITATION OF ABSTRACTNoneIAVA BackgroundDOD has mandated that all C/S/A develop amethodology for ensuring:- Vulnerability Alert notifications are received by SystemAdministrators- Vulnerabilities are corrected within 30 days- Periodic/Random validation of SYstem statusIAVA-VCTS26)t)s=:cel dTddceT13+(I00943m0 Ece0cts( )G0il As>VCTS Security FeaturesNIPRNET/SIPRNETPKI Server Certificate128 Bit SSL Encryption-7.

5 L Netscape orl IE Userid- Password- FilteringProxy Serverl NTFS Permissionsl SQL Server Permissionsl Encrypted Datal Daily Backupsl Monitoring6 IAVA-VCTS0&G00mTd. Il wEl0lfl0s0xu0kBACKGROUNDIAVA-VCTSV ulnerability Compliance TrackingSystem (VCTS) Capabilitiesl Notification of Alert to registered users based onfunctionl Acknowledgement of receipt by systeml Process for requesting waiversl Tracking of closure/posture of vulnerabilitiesIAVA-VCTS10 VCTS Registration ProcessbDISAForm41 RSA ChambersburgCreate User s NT AccountLoad IP AddressCreate User ProfilePrepare User Package5 Days or LessLReturn Receipt via FAXUser Account Activatedwithin 24 hoursDMC Chambersburg fax:717-267-9055 DSN: 570 LFEDEX1 dayIAVA-VCTS11 zw0x0c0 User Typesl SYstem /Network Administrators- Recieves only those bulletins for systems they have registered orhave been given update authority for- Requests waiver- Cannot view SYstem data that they have not been given explicitpermission toIAVA-VCTS15 Current Reports Availablel ISSMIXO- Compliance Summary Report by Vulnerability (VM02)- Active Users by Organization (VM03)- Registered Systems by Organization (VM04)- Waiver Summary Spreadsheet (VM08)l SA/ISSM/XO- Compliance/Acknowledgement Report by SYstem (VSO 1)- Compliance/Acknowledgement Report by Vulnerability (VS02)

6 IAVA-VCTS16V Enhancementsl Link to Accredited SYstem /Major Program- Allow for oversight by Program Management Office- Allow for Waiver Request/Granting for entire Program- Allow Email by PM0 to SA(s)- Multiple accreditor based on SYstem /program- Allow Accreditor to review site and SYstem status- Allow Accreditor to review asset/component Information - Cross Oganizational browsing at program levelIAVA-VCTS18V Enhancementsl Fully automate waiver process- Through ISSM/Program/Technical/Adjudication Chain- Process for Major Programs to be determined by Program- Multiple DAAs- Ability to establish different waiver processes dependingon program or systeml Specifications out for comment on 1 March 1999 IAVA-VCTS19V Requested Enhancementsl Status Information - Update status after completion- Allow browse by X0, ISSM, PMO.

7 CIO- Provide list of N/A reasonsl Allow ISSM to enter Organizational Commentl Acknowledgement- Unacknowledge Receipt- Confirm AcknowledgementIAVA-VCTS20 V Requested EnhancementsSubscription to bulletinsl ISSM to give permission to a SYstem within theirorganization to any registered SAl Supporting reports for new functionalityIAVA-VCTS21