Information assurance vulnerability alert
An information assurance vulnerability alert (IAVA) is an announcement of a vulnerability in computer application software or an operating system, issued in the form of alerts, bulletins, and technical advisories and identified by the U.S. Computer Emergency Readiness Team (US-CERT) for U.S. Department of Defense (DoD) systems.
These selected vulnerabilities are relevant to the mandated baseline, or minimum configuration, of all hosts residing on the Global Information Grid. US-CERT analyzes each vulnerability and determines if it is necessary or beneficial to the Department of Defense to release it as an IAVA.[1] Implementation of IAVA policy is intended to ensure that DoD components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that could degrade mission performance.
The IAVA program was established by a DoD policy memorandum in 1999.[2] Since then, the DoD has generally transitioned from the term information assurance to cybersecurity.[3]
US-CERT is managed by the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS). CISA, which includes the NCCIC, realigned its organizational structure in 2017, integrating like functions previously performed independently by US-CERT and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Information Assurance Vulnerability Management (IAVM) program
The combatant commands, services, agencies and field activities are required to implement vulnerability notifications in the form of alerts, bulletins, and technical advisories.[4] United States Cyber Command (USCYBERCOM) has the authority to direct corrective actions, which may ultimately include disconnection of any enclave, or affected system on the enclave, not in compliance with the IAVA program directives and vulnerability response measures (i.e. communication tasking orders or messages). USCYBERCOM coordinates with all affected organizations to determine operational impact to the DoD before instituting a disconnection.
Identifiers for vulnerabilities in the IAVA program can be mapped to the identifiers in the Common Vulnerabilities and Exposures (CVE) system.[5]
Background
The Deputy Secretary of Defense issued an Information Assurance Vulnerability Alert (IAVA) policy memorandum on December 30, 1999.[2] Events at the time demonstrated that widely known vulnerabilities existed throughout DoD networks, with the potential to severely degrade mission performance.[2] The policy memorandum instructed the Defense Information Systems Agency (DISA) to develop and maintain an IAVA database system that would ensure a positive control mechanism for system administrators to receive, acknowledge, and comply with system vulnerability alert notifications.[2] The IAVA policy requires the Component Commands, Services, and Agencies to register and report their acknowledgement of and compliance with the IAVA database.[2] According to the policy memorandum, the compliance data to be reported should include the number of assets affected, the number of assets in compliance, and the number of assets with waivers.[2] According to the memorandum, the alert system should:
- Identify a system administrator to be the point of contact for each relevant network system,
- Send alert notifications to each point of contact,
- Require confirmation by each point of contact acknowledging receipt of each alert notification,
- Establish a date for the corrective action to be implemented, and enable DISA to confirm whether the correction has been implemented.
On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS) and established CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
See also
- Attack (computing)
- Computer security
- Information security
- IT risk
- Threat (computer)
- Vulnerability (computing)
- Security Technical Implementation Guide
- Security Content Automation Protocol
References
- [1] Foreman, Park (2009-08-26). Vulnerability Management. CRC Press. pp. 197–199. ISBN 978-1-4398-0151-2.
- [2] "DoD Compliance With the Information Assurance Vulnerability Alert Policy". Office of Inspector General, United States Department of Defense. December 1, 2000. Retrieved 14 March 2026.
- [3] "information assurance vulnerability alert (IAVA)". NIST Computer Security Resource Center. Retrieved 2026-03-14.
- [4] "Information Assurance (IA) and Support to Computer Network Defense (CND) [CJCSI 6510.01F]" (PDF). Chairman of the Joint Chiefs of Staff. U.S. Department of Defense. 9 February 2011. Retrieved 14 March 2026.
- [5] "Making Security Measurable - Vulnerability Management". MITRE. October 18, 2012. Retrieved 2026-03-14.
External links
- DoD IA Policy Chart
- IAVA Site