Title

IAVMs are not addressed using RTS system vendor approved or provided patches. (Cat II impact)

Discussion

Requirement: The IAO will ensure that all IAVM notices relating to the installation of security or other patches for general-purpose operating systems and software on devices other than workstations is vetted through the system vendor and approved by the local DAA before installation. Many IPT / VoIP systems are based on general-purpose operating systems and applications such as databases and web servers (i.e., Windows XX, MS-SQL, IIS, Unix, LINUX, etc). The original vendors of these general-purpose software packages provide patches for their individual packages. A vendor of a IPT / VoIP system must test and approve these patches for use on their system before they are applied in the event that the OEM patch might break a portion of the IPT / VoIP system or degrade its security. The IPT / VoIP vendor may have to modify the OEM patch before releasing it to their customers. IPT / VoIP vendors must be immediately advised of IAVAs that apply to their systems so that they can test the required patch / mitigation and subsequently distribute an approved patch for their system (in accordance with VoIP0281) so that the site can maintain IAVA compliance.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Fix Text

Comply with policy. The ISSM/IAM/IAO will establish a policy to ensure that IAVMs are being acknowledged, implemented, and closed, in accordance with DOD policy. SAs will update affected systems in accordance with the IAVM recommendations. The ISSM/IAM/IAO will insure that systems, devices, and SAs are registered in the DISA/DoD VMS as a means for receipt and acknowledgement of IAVMs OR will insure that there is a clear and well defined path for receipt and acknowledgement of IAVMs.

Additional Identifiers

Rule ID: SV-8833r1_rule

Vulnerability ID: V-8338

Group Title: Vendor Patches not used to close IAVMs

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.