DoD information system vulnerabilities are announced through messages called Information Assurance Vulnerability Alerts (IAVAs). Vulnerabilities are evaluated to see what impact (if any) they might have, and the alerts are sent out to all branches and units within the organization. This is done in accordance with DoDD 8500.1, the Information Assurance directive.
Implementation of security-related software patches directed through the DoD IAVA program shall not be delayed pending evaluation of changes that may result from the patches. — DoDI 8500.2

Compliance with DoD-directed solutions, such as USSTRATCOM Command Tasking Orders (CTOs), Information Assurance Vulnerability Alerts (IAVAs), and Information Operation Conditions (INFOCONs) shall be a management review item. — DoDI 8500.2
Information Assurance Vulnerability Alerts are technical advisories and alerts about vulnerabilities in applications, operating systems, and servers, identified by the DoD Computer Emergency Response Team, which is a division of the United States Cyber Command.
Information Assurance Vulnerability Management (IAVM) is the process of getting IAVAs out to all Combatant Commands/Services/Agencies/Field Activities (CC/S/A/FAs). Specifically, the IAVM process:
- Establishes positive control of the Department of Defense (DoD) Information Assurance Vulnerability Alert (IAVA) system
- Provides access to vulnerability notifications that require action
- Requires acknowledgement of action messages
- Requires compliance and reporting status
- Tracks compliance and reporting
- Conducts random compliance checks