DISA releases IAVA-to-CVE mapping

A diagram of the IAVM-to-CVE workflow.
Image courtesy Robert A. Martin and MITRE.

The DOD keeps its own catalog of system vulnerabilities, the IAVM. You can think about this as the computer security alerting system for the DOD. If you get an IAVM, it will tell you what the vulnerability is, how critical it is, and if you need to patch it immediately.

The rest of the world keeps track of vulnerabilities using MITRE’s Common Vulnerability Enumeration, or CVE. Most commercial tools (like Yum) understand CVEs: you get a CVE, you drop it into your patching system, and away you go.

But if you’re in the DOD, it’s not that easy. You’re given new IAVMs almost every day. The most automated you could ever make the process is to have a human log in to the IAVM website with their DOD-issued smart card, read the IAVM information, hope to God the JTF-GNO mapped the IAVM to a CVE, otherwise find the CVE that matches the IAVM you were given, and then drop that CVE into your patch system. That’s tedious, which means nobody ever does it.

If we’re ever going to get to a world where we’re doing real-time threat monitoring, which we we’re slouching towards at a breakneck pace, we need IAVMs mapped to CVEs. And wouldn’t you know it, but that’s exactly what DISA did. They were quiet about it, but thanks to a tweet from C3i Security, I found this:


Boom. IAVM-to-CVE mappings in XML. They provided an Excel spreadsheet as well, but I’m sure they were just joking.

So DOD security nerds rejoice: we finally have machine-readable mappings for IAVMs. I don’t say this often, but: thanks, DISA!

[Update: If you’re a Red Hat customer and you’ve gotten this far, you’ll also enjoy Red Hat’s IAVM Mapper tool, available on the customer portal.]

5 thoughts on “DISA releases IAVA-to-CVE mapping

  1. I have sen references to the IAVM 2012 benchmark file, can it be imported in SCAP and checked?


  2. I totaly agree the IAVA process slows down the vulnerablity process. CVE is the way to go. The IAVA process many years ago may have been a good process but we should map directly to CVEs and stop putting in added steps to getting vulerablity information out to the security community.


Comments are closed.