Return to patch central?

General Accounting Office auditors are advising federal decision-makers to consider offering a software patch-management service for civilian agencies.

Homeland Security Department officials had offered such a service as recently as February, when they chose to drop it.

In a report released June 2, GAO officials said the federal government must deal more aggressively with the growing volume of security patches, which overwhelms the ability of agencies to manage them. More than half of the 24 agencies that GAO surveyed for the report indicated they lacked sufficient personnel and financial resources to manage the patching process effectively.

Robert Dacey, director of information security issues at GAO and principal author of the report, said a governmentwide patch-management effort would be more efficient and less expensive than the current piecemeal approach. But federal officials still face the challenge of working together to manage security patches.

"Because the management, architecture and resources of each agency vary, it is unlikely that a single solution will satisfy every need," Amit Yoran, director of DHS' National Cyber Security Division, testified last week before a House subcommittee chaired by Rep. Adam Putnam (R-Fla.). Earlier this year, DHS officials concluded that commercial alternatives are better than the free patch-management service the government had been offering to a small number of subscribers.

Yoran said a committee of the Chief Information Security Officers Forum is studying the patch-management problem to determine if one or more centralized services available to agencies could meet their needs. Forum members are senior agency officials responsible for cybersecurity.

When DHS officials dropped the federal patch-management service, they cited the low number of participants, the limited nature of the offering and the prohibitive cost of upgrading the service. The government had signed a $10 million contract with General Dynamics Corp. and its Veridian Corp. subsidiary in 2001 to provide such a service when few commercial tools and services were available.

But many companies now offer patch management as part of a package that includes vulnerability scanning, patch installation and asset management, according to officials at DHS and other organizations.

While federal managers search for the best way to deal with patch management, no one underestimates the software problems that agencies want to avoid, said Dacey, who testified last week before Putnam's subcommittee. Computer worms thrive by exploiting security holes in software and often spread faster than government agencies and businesses can patch the holes.

In January 2003, the Slammer computer worm caused network outages and slowed Internet traffic to a crawl. One of its targets was a nuclear power plant's network, Dacey said in his report. Nuclear Regulatory Commission officials said after Slammer infected the network, it prevented computers from communicating with one another and disrupted the operation of two important systems at the nuclear facility.

Most of the problems Dacey describes in the June 2 report are less dramatic than the Slammer incident. But although many federal agencies have good policies, some have not developed patch-management procedures. Agencies do not consistently perform risk assessments of their software vulnerabilities, and most do not test all patches before installing them. GAO officials found that agencies also do not regularly monitor the status of the patches.

As federal officials consider how to deal with patch management, some security experts say the government should not form another centralized service.

A governmentwide procurement through SmartBuy, a federal program for purchasing commonly used software, could achieve better results, said Alan Paller, director of research for the SANS Institute, a nonprofit research and education group specializing in systems and network management and security.

"The goal," he said, "should be a governmentwide procurement of patch-management software, so agencies can get it inexpensively and implement it quickly."
