The protection of Navy shipboard networks is critical to national security. An important part of maintaining a secure network posture is the timely application of software maintenance patches.
In response to this need, the Computer and Network Security Branch at Space and Naval Warfare (SPAWAR) Systems Center Pacific (SSC Pacific) developed the Vulnerability Remediation Asset Manager (VRAM), a new Web portal initiative designed to assist ships in achieving Information Assurance Vulnerability (IAV) compliance.
The tool is used by both the Computer Network Defense-in-Depth Baseline Assessment (CNDIDBA) teams and shipboard personnel to verify shipboard IAV compliance.
An independent team of Computer Network Defense (CND) experts executes a CNDIDBA during each ship's unit level training phase. The CNDIDBA consists of an IAV compliance scan, a password policy assessment and various security checks on the Common PC Operating System Environment (COMPOSE).
The independent CNDIDBA team performs the IAV compliance portion using the Secure Configuration Compliance Validation Initiative (SCCVI) tool. Each ship must complete a baseline assessment every 24 months or within 60 days following a systems upgrade or major configuration change to the network.
COMPOSE combines commercial off-the-shelf and government off-the-shelf products that deliver directory services, e-mail, Web acceleration, office automation applications, collaboration tools and antivirus software for the Integrated Shipboard Network System (ISNS), Combined Enterprise Regional Information Exchange System (CENTRIXS), Sensitive Compartmented Information (SCI) networks, and Submarine Local Area Network (SubLAN).
COMPOSE delivers these services to the warfighter in a secure software bundle that aligns to the latest Defense Information Systems Agency (DISA) standards and guidelines.
SCCVI is currently implemented with eEye Digital Security's Retina© Network Security Scanner, DISA's tool of choice for network vulnerability scanning within the Defense Department. Navy Cyber Defense Operations Command (NCDOC) Computer Tasking Order (CTO) 06-02 mandates its use and also requires ship's personnel to conduct monthly scans so that network vulnerabilities are identified and mitigated as they are discovered; the requirement was issued in response to increased attacks on Navy networks.
To assist the fleet with meeting these monthly requirements, Program Executive Officer for Command, Control, Communications, Computers and Intelligence (PEO C4I), Program Manager Warfare for Tactical Networks (PMW 160) fielded SCCVI on afloat networks.
SCCVI enables the fleet to scan its networks and aggressively track compliance within the IAV Management (IAVM) program. SCCVI provides the ship's information assurance manager (IAM) an independent analysis of installed IAV patches.
Missing patches identified by SCCVI are downloaded from SPAWAR's Naval Networks Web site, installed and pushed to the vulnerable machines.
The Naval Networks Web site is the only authorized repository for downloading patches for all PMW 160 programs of record (POR) such as the COMPOSE network systems. Each ship is responsible for achieving 100 percent compliance for all networked systems for which an IAV exists and for which a fix has been released by the respective POR office.
However, a major difficulty with the use of SCCVI is that it does not cross-reference scan results with the patches released by the respective POR office. For example, the results of an SCCVI scan of a COMPOSE network include every missing patch, whether or not the COMPOSE program office has approved that patch for the baseline.
Until recently, it was the responsibility of either the ship's IAM or the CNDIDBA team to manually parse the SCCVI results and determine which IAVs were ship's force fixable and which were not.
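The cross-reference that SCCVI leaves to the IAM or the CNDIDBA team, shown here as an added example in Python; this is not VRAM, SCCVI or Retina code. The scan export, host names, IAV identifiers and patch file names below are constructed for illustration, and the real Retina export and POR release-list formats differ. The example goes one step beyond the text by also computing the compliance figure on the denominator the page defines (IAVs for which the POR office has released a fix) and a per-patch work list for the push.

```python
"""Triage SCCVI-style findings against a POR-released patch list.

Added example, not VRAM, SCCVI or Retina code. All identifiers and
data below are constructed; the IAV identifiers only imitate the
IAVM YYYY-A-NNNN style and do not refer to real advisories.
"""
import csv
import io
from collections import defaultdict

# Constructed: IAVs for which the (hypothetical) POR office has released a
# fix, mapped to the patch file that would be pulled from the repository.
APPROVED_FIXES = {
    "2008-A-0001": "COMPOSE-patch-0001.msi",
    "2008-B-0012": "COMPOSE-patch-0012.msi",
}

# Constructed: every host the scan covered. A host with no missing patch
# does not appear in a missing-patch export, so the host list is kept
# separately; otherwise clean hosts would silently drop out of the denominator.
SCANNED_HOSTS = ["SHIP-DC01", "SHIP-WS042", "SHIP-WS043", "SHIP-WS044"]

# Constructed: a simplified missing-patch export, one row per (host, IAV).
SCAN_EXPORT = """host,ip,iav_id,title
SHIP-DC01,10.0.0.5,2008-A-0001,Constructed finding A
SHIP-DC01,10.0.0.5,2008-A-0007,Constructed finding B
SHIP-WS042,10.0.0.42,2008-B-0012,Constructed finding C
SHIP-WS042,10.0.0.42,2008-A-0001,Constructed finding A
SHIP-WS043,10.0.0.43,2008-A-0007,Constructed finding B
"""


def parse_findings(export_text):
    """Return a list of (host, iav_id) pairs from the CSV export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [(row["host"].strip(), row["iav_id"].strip()) for row in reader]


def triage(findings, approved):
    """Split findings into ship's force fixable (POR fix released) and
    unfixable (no POR fix yet). Both are {host: set(iav_id)}."""
    fixable = defaultdict(set)
    unfixable = defaultdict(set)
    for host, iav in findings:
        (fixable if iav in approved else unfixable)[host].add(iav)
    return dict(fixable), dict(unfixable)


def compliance(fixable, scanned_hosts):
    """Percent of scanned hosts with no missing POR-released patch.
    Unfixable IAVs are deliberately excluded from the denominator, matching
    the page's definition of the 100 percent compliance goal."""
    compliant = [h for h in scanned_hosts if h not in fixable]
    return 100.0 * len(compliant) / len(scanned_hosts)


def patch_worklist(fixable, approved):
    """Map each patch file to the sorted hosts that still need it, so one
    download per patch can be pushed to every affected machine."""
    work = defaultdict(set)
    for host, iavs in fixable.items():
        for iav in iavs:
            work[approved[iav]].add(host)
    return {patch: sorted(hosts) for patch, hosts in work.items()}


if __name__ == "__main__":
    found = parse_findings(SCAN_EXPORT)
    fix, nofix = triage(found, APPROVED_FIXES)
    print("fixable:", fix)
    print("unfixable (awaiting POR release):", nofix)
    print("compliance: %.1f%%" % compliance(fix, SCANNED_HOSTS))
    print("work list:", patch_worklist(fix, APPROVED_FIXES))
```

In this constructed data SHIP-WS043 is missing only an IAV with no POR-released fix, so it counts as compliant for this purpose but still shows up in the unfixable report, which is the list the IAM would keep watching until the program office releases the patch.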
Fixable IAVs are patches