OMB likes Air Force's patch strategy

Other agencies could adopt service's effort to distribute secure Microsoft software

An Air Force initiative to deliver standardized and securely configured Microsoft software throughout the service could serve as a governmentwide model for software distribution and patch management, Air Force and industry officials say.

Air Force officials will soon start delivering common configurations of Microsoft operating systems and applications to the Air Force's nine major commands, said Brig. Gen. Ronnie Hawkins, director of communications operations in the service's Office of the Deputy Chief of Staff for Installation and Logistics. Command leaders must use those common configurations or risk being kicked off the network. The move prepares Air Force systems to receive automatically installed and confirmed patches of the company's software this spring.

"We'll decide which configurations will be acceptable in the Air Force," Hawkins said. "We'll then implement these configurations and then lock the desktops down."

Karen Evans, director of the Office of Management and Budget's Office of E-Government and Information Technology, said she likes the Air Force's plan so much that she thinks it should be implemented at all federal agencies.

Evans approached Air Force officials last month about the idea after they signed two Microsoft consolidation contracts in November 2004 to streamline the service's software and support contracts with the company, said John Gilligan, the service's chief information officer. The contracts are worth $500 million over the next six years.

OMB officials declined to discuss the initiative.

"The service's process shows that good security is cheaper than bad security," said Alan Paller, director of research at the SANS Institute, a security training firm in Bethesda, Md.

"If you were Evans, wouldn't you want to take what the Air Force is doing governmentwide?" Paller asked. "The service gets savings by consolidating contracts, better security by having the patches earlier, and no manual patching."

Gilligan stressed that the program is still in its infancy, but he credited Evans for taking steps to improve software standardization, configuration and security governmentwide. She traveled to Microsoft's headquarters in Redmond, Wash., two weeks ago to discuss the idea with company officials.

"Microsoft has to feel good about it," Paller said.

Company officials could not be reached for comment.

The initiative mirrors one Evans signed in 2003 when she was the Energy Department's CIO. She persuaded Oracle officials to sign an enterprisewide contract under which the company shipped database software with the department's preferred security settings already configured.

Air Force officials have also spoken with Pentagon officials about applying the standard configuration approach throughout the Defense Department, Gilligan said. He said he believes the rest of the military will go that route soon.

Two weeks ago, officials at the Air Force, National Security Agency, Defense Information Systems Agency, National Institute of Standards and Technology, Center for Internet Security and Microsoft met to agree on a couple of suites of common Microsoft software configurations, Hawkins said.

"The teaming effort has been tremendous," he said. "The willingness to share information is astonishing. This has been very refreshing."

"This is the best thing going on in information security in the world because the good guys are now working together, and that can turn the tide against the bad guys who have always done that," Paller said.

The company's operating systems will come with the same registries and services. "Most organizations have nonstandard setups," he said. "Automated patching only works if people agree to use the same configurations."

Air Force officials met with federal chief information security officers last December to discuss the details of their Microsoft consolidation contracts and how they will achieve standardization of the company's software and automatically install the patches servicewide. Paller said the Air Force, like many organizations, will get early access to the patches.

Service officials will get the patches and can test them before Microsoft officials publicly announce their release. They plan to distribute and install the patches on the Air Force's 525,000 computers within 48 hours of their release, he said.

Patch pipeline

Air Force officials have standardized and securely configured Microsoft software to protect their networks from hackers and worms. Now, Karen Evans, the government's top information technology official, wants to distribute that secure software governmentwide.

She and John Gilligan, the service's chief information officer, believe the initiative would improve agencies' ability to protect their networks.

Gilligan said the software could be distributed to government agencies through the Homeland Security Department.

— Frank Tiboni
