Information Assurance: Vulnerability Management System (VMS) Compliance

About the Client

Resources Information Technology Program Office (RITPO) develops, operates, and manages a world-side array of information systems containing sensitive healthcare provider and patient data for the Department of Defense (DoD) healthcare program.

Situation/Problem to be Solved

Recently, RITPO was mandated to use the Defense Information Systems Agency Vulnerability Management System (VMS) as a security control. The mandate meant RITPO was responsible for registering all its production, test, and development assets in the VMS database and using the VMS application and methodology as the principal means for addressing all Information Assurance Vulnerability Management (IAVM) activities and reporting.

This mandate presented RITPO with a formidable challenge. Their systems environment was highly distributed and complex, encompassing thousands of servers and hundreds of environments around the world. Also, their existing Information Assurance (IA) team lacked significant experience applying the intricate IAVM methodology implemented by VMS logic.

TeAM's Solution

As part of an IA Engineering Support contract, TeAM developed the VMS Compliance Plan - a step-by-step, structured roadmap for achieving VMS compliance across the RITPO enterprise. To support the RITPO VMS compliance plan, TeAM developed a detailed implementation schedule for rolling out the plan across 102 sites worldwide.

To cost-effectively implement the RITPO VMS Compliance Plan, TeAM instituted a rigorous training program for two security engineers who then assume day-to-day responsibility for implementing the RITPO VMS Compliance Plan. TeAM also established data coding standards for all registered RITPO assets and managed the development and implementation of an organizational framework for tracking RITPO assets by project and MTF location. Finally, TeAM developed and implemented a streamlined process which reduced the expected wait time for a new VMS account from over six months to approximately two weeks.

Benefits to Client

As a result of TeAM’s leadership, RITPO came into compliance with DoD-prescribed IAVM methodology, began automatically measuring and reporting its exposure to security vulnerabilities and significantly strengthened the security posture of its various system assets and environments. Additionally, TeAM’s methodology and processes were adopted by the overall Program Management Office for use in four other DoD Project Offices.