UCF STIG Viewer Logo

VIVM-1 Vulnerability Management


A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection and automated vulnerability assessment or state management tools.  Vulnerability assessment tools have been acquired, personnel have been appropriately trained, procedures have been developed, and regular internal and external assessments are conducted. For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities.

MAC / CONF Impact Subject Area
Medium Vulnerability and Incident Management


1. Newly identified vulnerabilities in operating system and application software.
2. Software received from vendor and installed without service packs and patches (new and re-built systems).
3. Software no longer supported by vendor.
4. Loss of configuration and change management (CCM) discipline.
5. Loss of Certification and Accreditation integrity.

1. Command has an IAVM policy.
2. Command has detailed IAVM implementation procedures and processes, timelines, organizational and individual responsibilities, actions in response to vulnerability exploitation.
3. Command has designated in writing"Critical Servers& Infrastructure Components," "Servers & Infrastructure Components," and "Workstations" for IAVM prioritization?
4."Critical Servers and Infrastructure Components"designations are consistent with assigned Mission Assurance Categories?
5. There is a process for complying with and internally reporting IAV Bulletins and Technical Advisories, as well as Alerts.
6. Command uses DOD-provided, enterprise-wide or interoperable Combatant Commander/Service/Agency (CC/S/A)-procured tools and solutions to support IAVM program.
7. Primary and secondary IAVM representatives are designated in writing.
8. Receipts of IAV Alerts and Bulletins are timely acknowledged.
9. Vulnerability notifications and remediation procedures&resources are promulgated to all subordinate organizations.
10. All subordinate organizations comply with IAVAs or develop and implement mitigation plans.
11. Compliance by assets is reported using the Vulnerability Management System (VMS) web application.
12. Positive configuration control of all IT assets is maintained.
13. All contracts for IT assets and services reflect requirements of the IAVM program.
14. Monitor implementation or mitigation plans for all centrally-managed programs.
15. Conduct IAVM program compliance checks of subordinate organizations.


  • DoDI O-8530.2, Enclosure (6), Support to Computer Network Defense, 09 March 2001
  • CJCSM 6510.01 (Change 1, 10 Aug 04) , Enclosure B, Appendix A