The objective of this audit was to determine whether the actions taken by DoD Components to identify, respond to, and mitigate vulnerabilities impacting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) complied with DoD requirements.
Ivanti, Inc. provides information technology management and software solutions, including virtual private network (VPN) systems, such as ICS, which allow users to remotely connect to a network over the Internet through a secure tunnel. Between January 10, 2024, and February 8, 2024, Ivanti disclosed five critically severe or highly severe common vulnerabilities and exposures (CVEs) affecting ICS and IPS. Those CVEs could allow malicious actors to execute commands on a victim’s network with elevated privileges. In response to the CVEs, Joint Force Headquarters‑DoD Information Network (JFHQ‑DODIN) issued multiple orders to the DoD Information Network areas of operation (DAOs).