Information Assurance: Vulnerability Management System (VMS) Compliance
About the Client
The Resources Information Technology Program Office (RITPO) develops, operates, and manages a worldwide array of information systems. Those systems contain sensitive healthcare provider and patient data for the Department of Defense (DoD) healthcare program.
Situation/Problem to Be Solved
Recently, RITPO was mandated to use the Defense Information Systems Agency (DISA) Vulnerability Management System (VMS) as a security control. Under the mandate, RITPO became responsible for (1) registering all of its production, test, and development assets in the VMS database; and (2) using the VMS application and methodology as the principal means for addressing all Information Assurance Vulnerability Management (IAVM) activities and reporting.
This mandate presented RITPO with a formidable challenge. Its systems environment was highly distributed and complex, encompassing thousands of servers and hundreds of environments around the world. In addition, its existing Information Assurance (IA) team lacked significant experience in applying the intricate IAVM methodology implemented by the VMS logic.
As part of an IA Engineering Support contract, TeAM developed the VMS Compliance Plan, a step-by-step, structured roadmap for achieving VMS compliance across the RITPO enterprise. To support the RITPO VMS compliance plan, TeAM also developed a detailed implementation schedule for rolling out the plan across 102 sites worldwide.
To implement the RITPO VMS Compliance Plan cost-effectively, TeAM instituted a rigorous training program for two security engineers. After the training, the engineers assumed day-to-day responsibility for implementing the RITPO VMS Compliance Plan.
TeAM established data coding standards for all registered RITPO assets; managed the development and implementation of an organizational framework for tracking RITPO assets by project and MTF (military treatment facility) location; and developed and implemented a streamlined process that reduced the expected wait time for a new VMS account from over six months to approximately two weeks.
Benefits to Client
As a result of TeAM’s leadership, RITPO (1) complied with DoD-prescribed IAVM methodology; (2) began to automatically measure and report its exposure to security vulnerabilities; and (3) significantly strengthened the security posture of its various system assets and environments.
TeAM’s methodology and processes were adopted by the overall Program Management Office for use in four other DoD Project Offices.