Industry asked to help with patches

GSA request for information

The General Services Administration last week called on industry to help define a system for agencies to stay on top of the abundance of software patches that companies issue to cover security vulnerabilities in their products.

The GSA Office of Information Assurance and Critical Infrastructure Protection issued a request for information for the system, which would address an awareness problem among agencies worldwide.

Many security breaches happen when attackers take advantage of vulnerabilities for which patches are available, but system administrators have not applied the patches.

The distributed denial-of-service attack that took down electronic commerce sites a year ago this month occurred primarily because patches had not been applied on systems attackers used to flood the sites, according to officials. Furthermore, audits by the General Accounting Office and agency inspectors in general often find that the failure to apply security patches opens significant vulnerabilities in federal systems security.

The Federal Computer Incident Response Capability, the central organization for cyberattack warning and response in civilian agencies, has been working with agencies to find and use patches that are already available and also to ensure that new patches are applied as they are released.

The proposed new system is intended to provide customized notification about new and updated patches based on the systems agencies have in place.

Officials are asking for input on a system that can:

  • Collect patches and revisions from vendors for the systems used by agencies.
  • Validate the authenticity and functionality of the patches or revisions.
  • Authenticate the patch or revision through some form of digital signature.
  • Distribute notices to agencies announcing the availability of the patch or revision and include a summary of the vulnerability and any instructions for installation.
  • Filter distribution of the notices according to each agency's infrastructure so they only get the patches that pertain to their systems.
  • Establish a trusted repository from which agencies can retrieve the authenticated patch/revision, with an electronically signed receipt.

Responses to the RFI are due to GSA, via e-mail, by March 16.
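The six functions above describe a small trust chain: a notice is signed by the repository, the patch file is bound to that notice by its digest, notices are filtered against an agency's inventory, and the agency signs a receipt. The Go program below is an added illustration of that chain, not GSA's or any vendor's code; it assumes Ed25519 as the "form of digital signature", a constructed notice format, and made-up product names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PatchNotice: constructed model of an RFI notice (product, version, summary, patch SHA-256).
type PatchNotice struct {
	Product, Version, Summary, PatchHash string
}
// canonical is the byte string that gets signed; NUL separators keep field boundaries fixed.
func (n PatchNotice) canonical() []byte {
	return []byte(n.Product + "\x00" + n.Version + "\x00" + n.Summary + "\x00" + n.PatchHash)
}
// SignNotice: the trusted repository signs each notice with its Ed25519 key.
func SignNotice(repoPriv ed25519.PrivateKey, n PatchNotice) []byte {
	return ed25519.Sign(repoPriv, n.canonical())
}
// VerifyNotice: an agency acts on a notice only if the repository signature checks.
func VerifyNotice(repoPub ed25519.PublicKey, n PatchNotice, sig []byte) bool {
	return ed25519.Verify(repoPub, n.canonical(), sig)
}
// VerifyPatch ties the retrieved payload to the digest carried in the signed notice.
func VerifyPatch(n PatchNotice, payload []byte) bool {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]) == n.PatchHash
}
// Filter keeps only notices matching an agency's inventory (product -> installed versions).
func Filter(inv map[string]map[string]bool, notices []PatchNotice) (out []PatchNotice) {
	for _, n := range notices {
		if inv[n.Product][n.Version] {
			out = append(out, n)
		}
	}
	return out
}
// Receipt is the agency's electronically signed acknowledgement that it retrieved the patch.
func Receipt(agencyPriv ed25519.PrivateKey, n PatchNotice) []byte {
	return ed25519.Sign(agencyPriv, append([]byte("received\x00"), n.canonical()...))
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sum := sha256.Sum256([]byte("constructed patch bytes"))
	n := PatchNotice{"webserver", "2.1", "fixes a remote overflow", hex.EncodeToString(sum[:])}
	fmt.Println(VerifyNotice(pub, n, SignNotice(priv, n))) // true
}
```

A notice whose digest or summary has been altered after signing fails VerifyNotice, and a repository file that does not match the signed digest fails VerifyPatch, which is what keeps the agency from installing something other than what the vendor released.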
