Annex H22 IA Vulnerability Management Flashcards
Three (3) functions of the IAVM Program
IA Vulnerability Alert (vulnerability is severe, compulsory)
IA Vulnerability Bulletin (vulnerability does not pose immediate risk)
Technical Advisory (vulnerability generally categorized as low risk)
IA Vulnerability Management Program (IAVM)
Provide management over mitigating vulnerabilities that are found in DoD info systems
Identifying and correcting vulnerabilities
Eight (8) steps associated with the Marine Corps IAVM
1: DISA identifies vulnerabilities of significance to the DoD and reports them to the JTF-GNO
2: The MCNOSC acknowledges receipt of IAVA and IAVB within 5 working days to JTF-GNO
3: The MCNOSC will issue IAVM messages, which will be tailored to the specific info tech environment of the USMC
4: Configuration Control Authorities (Program Offices) issue approval to apply IAVM corrective actions to Centrally Managed Systems
5: Implementation of IAVM message corrective actions
6: Reporting of IAVM compliance is a third-echelon reporting responsibility for USMC assets in NMCI AOR, non-NMCI managed assets and deployed networks
7: Compliance verification: The MCNOSC will validate MCEN compliance via vulnerability analysis tools and report these results to the USMC DAA
8: The MCNOSC will compile and submit an aggregated service component report of IAVM compliance and extensions to JTF-GNO