Industry asked to help with patches

GSA request for information

The General Services Administration last week called on industry to help define a system for agencies to stay on top of the abundance of software patches that companies issue to cover security vulnerabilities in their products.

The GSA Office of Information Assurance and Critical Infrastructure Protection issued a request for information for the system, which would address an awareness problem among agencies worldwide.

Many security breaches happen when attackers take advantage of vulnerabilities for which patches are available, but system administrators have not applied the patches.

The distributed denial-of-service attack that took down electronic commerce sites a year ago this month occurred primarily because patches had not been applied on systems attackers used to flood the sites, according to officials. Furthermore, audits by the General Accounting Office and agency inspectors in general often find that the failure to apply security patches opens significant vulnerabilities in federal systems security.

The Federal Computer Incident Response Capability, the central organization for cyberattack warning and response in civilian agencies, has been working with agencies to find and use patches that are already available and also to ensure that new patches are applied as they are released.

The proposed new system is intended to provide customized notification about new and updated patches based on the systems agencies have in place.

Officials are asking for input on a system that can:

• Collect patches and revisions from vendors for the systems used by agencies.
• Validate the authenticity and functionality of the patches or revisions.
• Authenticate the patch or revision through some form of digital signature.
• Distribute notices to agencies announcing the availability of the patch or revision, including a summary of the vulnerability and any instructions for installation.
• Filter distribution of the notices according to each agency's infrastructure so they only get the patches that pertain to their systems.
• Establish a trusted repository from which agencies can retrieve the authenticated patch/revision, with an electronically signed receipt.

Responses to the RFI are due to GSA, via e-mail, by March 16.
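The requirements above describe a small workflow: collect from the vendor, validate, sign, filter notices by each agency's inventory, and hand out a signed receipt on retrieval. The following is an added illustration of that workflow, not GSA's system or anything from the RFI. It assumes an HMAC with a repository-held key as a stand-in for the "digital signature" the RFI asks for (so it runs with the standard library alone; a deployed repository would sign with an asymmetric key so agencies can verify without holding the secret), and the patch identifiers, product names and payloads are constructed sample data.

```python
"""Toy model of the patch-notification flow described in the GSA RFI:
collect and validate vendor patches, sign them, filter notices by agency
inventory, and issue a signed receipt on retrieval. Added example; not
GSA's system."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed signing key for this example. An HMAC stands in for the
# asymmetric "digital signature" a real repository would use (assumption).
REPOSITORY_KEY = b"constructed-repository-key"


@dataclass(frozen=True)
class Patch:
    patch_id: str       # constructed identifier
    product: str        # product the patch applies to; matched against inventories
    summary: str        # summary of the vulnerability, sent with the notice
    install_notes: str  # installation instructions, sent with the notice
    payload: bytes      # the patch bytes themselves


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def repository_sign(message: str) -> str:
    """Repository-side 'signature' (HMAC stand-in, see note above)."""
    return hmac.new(REPOSITORY_KEY, message.encode(), hashlib.sha256).hexdigest()


def patch_statement(patch: Patch) -> str:
    """What gets signed: the patch id bound to the hash of its payload."""
    return f"patch:{patch.patch_id}:{sha256_hex(patch.payload)}"


def verify_patch(patch: Patch, signature: str) -> bool:
    """Agency-side check that a retrieved patch carries a valid repository signature."""
    return hmac.compare_digest(repository_sign(patch_statement(patch)), signature)


def verify_receipt(agency: str, patch: Patch, receipt: str) -> bool:
    """Check that a receipt was issued by the repository for this agency and patch."""
    expected = repository_sign(f"receipt:{agency}:{patch_statement(patch)}")
    return hmac.compare_digest(expected, receipt)


class PatchRepository:
    def __init__(self) -> None:
        self._patches: dict[str, tuple[Patch, str]] = {}

    def collect(self, patch: Patch, vendor_digest: str) -> str:
        """Validate a vendor submission against the vendor's digest, then sign and store it."""
        if not patch.payload:
            raise ValueError(f"{patch.patch_id}: empty payload")
        if not hmac.compare_digest(sha256_hex(patch.payload), vendor_digest):
            raise ValueError(f"{patch.patch_id}: payload does not match vendor digest")
        signature = repository_sign(patch_statement(patch))
        self._patches[patch.patch_id] = (patch, signature)
        return signature

    def notices_for(self, inventory: set[str]) -> list[dict]:
        """Filter notices down to the products an agency actually runs."""
        return [
            {"patch_id": p.patch_id, "product": p.product,
             "summary": p.summary, "install_notes": p.install_notes}
            for p, _ in self._patches.values()
            if p.product in inventory
        ]

    def retrieve(self, agency: str, patch_id: str) -> tuple[Patch, str, str]:
        """Return the patch, its signature, and a signed receipt naming the agency."""
        patch, signature = self._patches[patch_id]
        receipt = repository_sign(f"receipt:{agency}:{patch_statement(patch)}")
        return patch, signature, receipt


def build_sample_repository() -> PatchRepository:
    """Constructed sample data: two vendor patches for two different products."""
    repo = PatchRepository()
    for patch in (
        Patch("WS-2001-01", "web-server-x", "remote buffer overflow in request parsing",
              "stop service, apply, restart", b"web-server-x patch bytes"),
        Patch("MS-2001-02", "mail-server-y", "privilege escalation via local config file",
              "apply and reboot", b"mail-server-y patch bytes"),
    ):
        repo.collect(patch, sha256_hex(patch.payload))
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    # An agency that runs only web-server-x receives one notice, not two.
    for notice in repo.notices_for({"web-server-x"}):
        print(notice)
    patch, sig, receipt = repo.retrieve("agency-a", "WS-2001-01")
    print("signature valid:", verify_patch(patch, sig))
    print("receipt valid:", verify_receipt("agency-a", patch, receipt))
```

The validation step here is deliberately minimal (the payload must be non-empty and match the vendor's digest); the RFI's "functionality" check would be a test deployment, which no toy can model. The receipt binds the agency name to the same signed patch statement, so it doubles as evidence of which agency pulled which payload hash.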
