Information Assurance Vulnerability Management (IAVM)


IAVM employs positive control mechanisms to mitigate potentially critical software vulnerabilities, through the rapid development and dissemination of actions to all Combatant Commands/Services/Agencies/Field Activities (CC/S/A/FAs).

Specifically, the IAVM process:

  • Establishes positive control of the Department of Defense (DoD) Information Assurance Vulnerability Alert (IAVA) system
  • Provides access to vulnerability notifications that require action
  • Requires acknowledgement of action messages
  • Requires compliance and reporting status
  • Tracks compliance and reporting
  • Conducts random compliance checks

IAVM focuses on software vulnerabilities while Computer Network Directives focus on protecting the Global Information Grid (GIG) network and hardware. The Computer Network Directives identify significant GIG threats, facilitate dissemination and implementation of GIG protective countermeasures, and identify emerging technologies and associated threats to integrate mitigations and provide response actions to Computer Network defense posture.

The US CYBER COMMAND, subordinate to the United States Strategic Command (STRATCOM), and the Defense Information Systems Agency (DISA) jointly manage the IAVM and Computer Network Directives. Both identify and publish vulnerabilities or directives. In addition, US CYBERCOM monitors and enforces IAVM and Computer Network Directives compliance across the GIG.

P&R IM's Expertise

As the designated CC/S/A/FAs representative, P&R IM manages the IAVM program and Computer Network Directives for Defense Human Resources Activity (DHRA). P&R IM produces required documentation, ensures timely reporting of compliance statistics for each IAVA and Computer Network Directive, aggregates acknowledgement and compliance reports, and updates the Vulnerability Management System (VMS) accordingly. P&R IM also provides IAVM guidance to DHRA offices requiring system patch management (the process of applying fix-it patches to defined software and hardware vulnerabilities).

Additionally, P&R IM collects and manages DHRA Plans of Actions and Milestones (POA&M) for open vulnerabilities. The POA&M process helps identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in programs and systems. P&R IM's support limits DHRA's exposure to network attack and helps prevent unauthorized access to the DoD Non-classified Internet Protocol Router Network (NIPRNet) backbone.

For more information on IAVM, please contact the P&R IM Representative.