The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7926	DSN02.03	SV-8412r1_rule	ECND-1 ECND-2 ECSC-1	Medium

Description
Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice. The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, systems/assets may be open to a potential compromise. The DOD IAVM requirement is: Receipt of IAVM alerts will be acknowledged within 5 days and a report of compliance status provided within 30 days. For IAVM bulletins, receipt must also be acknowledged within 5 days, and a report of compliance status must be provided within 60 days. For IAVM technical advisories, receipt must be acknowledged within 5 days, but no compliance status report is required. Although DOD organizations are not required to report compliance for technical advisories, DISA organizations are required to provide a report of compliance status within 60 days.

Description

Requirement: The IAO will ensure that all IAVM notices are responded to within the time period specified within the notice. The JTF-GNO (DoD CERT) automatically sends out IAVM notices that affect various systems. If appropriate actions are not taken, systems/assets may be open to a potential compromise. The DOD IAVM requirement is: Receipt of IAVM alerts will be acknowledged within 5 days and a report of compliance status provided within 30 days. For IAVM bulletins, receipt must also be acknowledged within 5 days, and a report of compliance status must be provided within 60 days. For IAVM technical advisories, receipt must be acknowledged within 5 days, but no compliance status report is required. Although DOD organizations are not required to report compliance for technical advisories, DISA organizations are required to provide a report of compliance status within 60 days.

STIG	Date
Defense Switched Network (DSN) STIG	2015-06-30

Details

Check Text ( C-7307r1_chk )
Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Fix Text (F-7977r1_fix)
Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed, in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will insure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs OR will insure that there is a clear and well defined path for receipt and acknowledgement of IAVMs.

Fix Text (F-7977r1_fix)

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed, in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will insure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs OR will insure that there is a clear and well defined path for receipt and acknowledgement of IAVMs.