Security patch RFP delayed

The Federal Computer Incident Response Center is delaying its solicitation for a system that will automatically send out security patches to civilian agencies in order to expand the types of software that will be covered, officials said this week.

FedCIRC started working on the idea for an automated patch dissemination system late last year and planned to release a request for proposals by the end of August. But comments from agencies and industry revealed a feeling that the original RFP was too narrow because it focused only on operating systems, said Lawrence Hale, liaison director at FedCIRC.

"We need to broaden the scope of it somewhat," Hale said.

The rewrite, based on many agency requests, should be done in time to allow FedCIRC to release the RFP before the end of September. It will include patches for many of the standard applications used across government as well as for the commonly used operating systems, he said.

"We've learned a lot about what's out there, and the capability of the vendors has improved," he said.

The idea behind the system is to raise the basic level of federal security by making it easier for agencies to fix vulnerabilities in commercial products.

Studies have shown that attackers continue to use the same vulnerabilities to get into systems, as in the case of the Code Red worm, because administrators have not applied readily available software patches. But the same studies show that administrators are often simply overwhelmed by the sheer number of patches available, or they do not even realize that a vulnerability or a patch exists.

Using the patch dissemination system, agencies would be able to submit and update a profile of their operating systems and applications. This way, system administrators would only get the patches that apply to their network configuration.

"We recognize this as a strong need within government," Hale said. "We think it will really help the posture overall and establish a baseline."
