Zero Trust Activity 3.3.2: Vulnerability Management Program Part 1
This activity is about establishing the formal structure and methodology for dealing with vulnerabilities across the entire DoD enterprise. It mandates that the DoD Enterprise collaborates with Components to establish and manage a comprehensive Vulnerability Management program. This isn’t just about running vulnerability scanners; it’s about defining how vulnerabilities are systematically identified, assessed, prioritized, and remediated across the entire vast and diverse environment. At a minimum, the program must encompass the tracking and management of public vulnerabilities based on DoD applications and services, recognizing that flaws in deployed software are a primary attack vector.
A key organizational element for this activity is that each Component is responsible for establishing a vulnerability management team comprised of key stakeholders. This team is not just technical; it convenes to discuss and manage vulnerabilities in accordance with established Enterprise policy and standards. This emphasizes the governance and cross-functional collaboration necessary for an effective program.
This activity is essential because a structured vulnerability management program provides important information needed to reduce the attack surface, prioritize remediation efforts, and validate the security posture of all assets within a Zero Trust framework.
The outcomes for Activity 3.3.2 Part 1 highlight the foundational elements being established:
- Components establish a vulnerability management governance team with appropriate stakeholder membership.
- Enterprise provides a vulnerability management policy and standard for minimum tracking and management of public vulnerabilities based on DoD applications and services.
The ultimate end state for this activity is to provide structure and an approach to addressing vulnerabilities in accordance with Enterprise policy. This sets the stage for a mature, proactive security posture against software weaknesses.
Solutions for Achieving Vulnerability Management Program Part 1 (Activity 3.3.2)
Implementing Activity 3.3.2 Part 1 requires defining clear processes, establishing cross-functional teams, and leveraging tools that can systematically identify and track vulnerabilities across the enterprise:
- Leveraging the Enterprise Vulnerability Management Policy and Standards:
- The DoD Enterprise provides a comprehensive policy and standards for vulnerability management. This policy, detailed in DoDI 8531.01, defines which assets are in scope (all software, firmware, and hardware), the process steps, the use of the Common Vulnerability Scoring System (CVSS) for vulnerability prioritization, and reporting requirements.
- Component teams are responsible for implementing these policies within their specific environments.
- Establishing a Vulnerability Management Governance Team (Component-Level):
- Role: Components must form dedicated teams responsible for overseeing vulnerability management. This team typically includes representatives from security operations (SecOps), IT operations (NetOps/SysOps), application development (DevSecOps), risk management, and potentially business unit owners. This aligns with the responsibility of DoD Component Heads to establish such programs.
- Process: This team will establish internal processes for vulnerability identification, assessment, prioritization, remediation planning, and reporting, all in accordance with the DoD vulnerability management program.
- Implementing Minimum Tracking and Management of Public Vulnerabilities:
- Components will implement vulnerability scanning procedures using guidelines such as NIST SP 800-115 and use the Common Vulnerabilities and Exposures (CVE) list to identify publicly known cybersecurity vulnerabilities.
- While comprehensive scanning tools are key, this phase focuses on establishing the process for tracking public vulnerabilities (those found in common software, operating systems, etc.) as they relate to DoD applications and services.
- This involves subscribing to public vulnerability databases (e.g., NVD/CVE, CISA KEV), correlating their entries with the enterprise's application/code inventory (from Activity 3.1.1), and tracking each matched vulnerability's presence and remediation status.
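The correlation step described above, as an added, runnable example: match NVD and CISA KEV feed entries against an Activity 3.1.1 style application inventory, then assign a remediation tier from the CVSS base score and KEV membership (the CVSS-based prioritization DoDI 8531.01 calls for). This is not code from the DoD overlay, NVD or CISA. The inventory rows, the CVE records (CVE-2099-* are placeholders, not real advisories) and the KEV extract are constructed sample data in the shape of NVD API 2.0 and KEV catalog JSON, and the remediation window per tier is an illustrative assumption, not a DoD timeline.

```python
"""Correlate an application/code inventory with public vulnerability feeds.

Added example for this page, not DoD, NVD or CISA code. All feed and inventory
data below is constructed; CVE-2099-* are placeholders. Remediation windows are
an assumption for illustration, not a mandated timeline.
"""
import json
from datetime import date, timedelta

# Constructed inventory in the shape Activity 3.1.1 would produce: one row per
# deployed application, keyed by vendor:product and version.
INVENTORY = [
    {"asset": "web-portal-01", "product": "acme:webframework", "version": "2.3.1"},
    {"asset": "api-gw-03", "product": "acme:webframework", "version": "2.5.0"},
    {"asset": "db-02", "product": "acme:dbserver", "version": "9.1.0"},
]

# Constructed feed in the shape of NVD API 2.0 records
# (cve.id, cve.metrics.cvssMetricV31, cve.configurations[].nodes[].cpeMatch[]).
# CVE-2099-0004 deliberately carries no CVSS v3.1 metric (a real-world gap).
NVD_FEED = json.loads("""{"vulnerabilities": [
 {"cve": {"id": "CVE-2099-0001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
   "criteria": "cpe:2.3:a:acme:webframework:*:*:*:*:*:*:*:*",
   "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"}]}]}]}},
 {"cve": {"id": "CVE-2099-0002", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
   "criteria": "cpe:2.3:a:acme:webframework:*:*:*:*:*:*:*:*",
   "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.6.0"}]}]}]}},
 {"cve": {"id": "CVE-2099-0003", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
   "criteria": "cpe:2.3:a:acme:dbserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.0.5"}]}]}]}},
 {"cve": {"id": "CVE-2099-0004", "metrics": {},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
   "criteria": "cpe:2.3:a:acme:dbserver:*:*:*:*:*:*:*:*",
   "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.2.0"}]}]}]}}
]}""")

# Constructed extract in the shape of the CISA KEV catalog JSON (cveID field).
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2099-0001"}]}

# Illustrative remediation windows in days per tier (assumption, not policy).
WINDOWS = {"critical": 15, "high": 30, "medium": 90, "low": 180, "unscored": 30}
TIER_ORDER = ["critical", "high", "medium", "unscored", "low"]


def version_key(v):
    """'2.3.1' -> (2, 3, 1) so version ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected(version, match):
    """Apply NVD's inclusive-start / exclusive-end range semantics to one cpeMatch."""
    vk = version_key(version)
    start, end = match.get("versionStartIncluding"), match.get("versionEndExcluding")
    if start and vk < version_key(start):
        return False
    if end and vk >= version_key(end):
        return False
    return True


def cvss_score(cve):
    """CVSS v3.1 base score, or None when the record carries no v3.1 metric."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def tier(score, in_kev):
    """KEV outranks score (exploited in the wild); a missing score is queued for triage."""
    if in_kev:
        return "critical"
    if score is None:
        return "unscored"
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def correlate(inventory, nvd_feed, kev_feed, today_iso):
    """Match inventory rows to CVE records; return one tracking record per hit, highest tier first."""
    today = date.fromisoformat(today_iso)
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    findings = []
    for item in nvd_feed["vulnerabilities"]:
        cve = item["cve"]
        score, cve_id = cvss_score(cve), cve["id"]
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable", False):
                        continue
                    parts = match["criteria"].split(":")
                    product = f"{parts[3]}:{parts[4]}"  # vendor:product fields of a CPE 2.3 string
                    for row in inventory:
                        if row["product"] == product and affected(row["version"], match):
                            t = tier(score, cve_id in kev_ids)
                            findings.append({
                                "asset": row["asset"], "product": product, "version": row["version"],
                                "cve": cve_id, "cvss": score, "kev": cve_id in kev_ids, "tier": t,
                                "due": (today + timedelta(days=WINDOWS[t])).isoformat(), "status": "open",
                            })
    findings.sort(key=lambda f: (TIER_ORDER.index(f["tier"]), f["asset"]))
    return findings


if __name__ == "__main__":
    for f in correlate(INVENTORY, NVD_FEED, KEV_FEED, date.today().isoformat()):
        print(f"{f['tier']:<9} {f['asset']:<14} {f['cve']}  cvss={f['cvss']}  kev={f['kev']}  due={f['due']}")
```

Running it shows the points the process has to get right: db-02 at 9.1.0 is not flagged for the record whose range ends before 9.0.5, the KEV-listed CVE is tiered critical regardless of score, and the record with no CVSS metric still produces a tracked item rather than silently dropping out. The returned records are the minimum tracking fields (asset, CVE, tier, due date, status) a Component team would carry into its review meetings.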
Key Items to Consider:
- Asset Inventory as Foundation: An accurate and up-to-date asset and application/code inventory (from Activities 2.1.1, 3.1.1) is fundamental; you can’t manage vulnerabilities you don’t know about.
- Automation Mindset (for future phases): While this phase focuses on structure and process, lay the groundwork for future automation by considering API-first tools that can integrate vulnerability data into CI/CD pipelines (as in 3.2.1) and SOAR platforms.
- Continuous Improvement: The program should include mechanisms for regular review and adaptation to the evolving threat landscape, as part of the cyclical nature of the DoD VM process.
For the Technical Buyer:
Activity 3.3.2 Part 1 creates the structure for comprehensive vulnerability management across your enterprise, within the established DoD framework (DoDI 8531.01). This isn't just about buying scanners; it's about establishing the governance, defining the policies (aligned with Enterprise standards), and forming the dedicated Component-level teams that will systematically identify, track, and manage vulnerabilities. For technical buyers, success here means collaborating at the enterprise level to align with the DoD VM process, selecting a central VM platform that can integrate with your asset inventory and your security testing tools, and, crucially, establishing cross-functional vulnerability management teams within each Component. This structured approach provides the framework for continuous vulnerability reduction, enabling you to proactively mitigate threats and strengthen your overall Zero Trust posture from the software layer outwards. This foundational work sets the stage for the next phase, Activity 3.3.3, where you will focus on fully operationalizing the vulnerability management program.
Pillar: Application & Workload
Capability: 3.3 Software Risk Management
Activity: 3.3.2 Vulnerability Management Program Part 1
Phase: Target Level
Predecessor(s): 5.1.1 Define Granular Control Access Rules & Policies Part 1
Successor(s):
3.3.3 Vulnerability Management Program Part 2
3.3.1 Approved Binaries/Code