Patch system in the works

The General Services Administration expects to award a contract today to a team led by Science Applications International Corp. to set up a governmentwide system to notify agencies about security holes in commercial software products and the availability of patches to fix them.

The security patch dissemination system is seen as critical to the security of government operations. People who create computer viruses or hack into Web sites frequently do so by exploiting small flaws in operating systems or applications.

In many cases, security patches — small blocks of code — are available online from vendors or popular security organizations, but agencies often do not know about, seek or apply patches until it is too late.

The $1.5 million, one-year task order expected to be awarded via the GSA Safeguard contract will enable agencies to get notification about patches from commercial software vendors for systems on their networks.

"This will help agencies correct what, to me, is one of the largest problems that exists," said Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection.

Agency officials whom GSA's Federal Computer Incident Response Center (FedCIRC) talked to last week were "very excited" about the award, McDonald said.

Security officials at the Office of Management and Budget and other federal organizations have encouraged agencies to address the patch problem. However, they admit that most systems administrators are simply overwhelmed by the number of patches issued for their own systems, much less those for systems they do not even use.

Using the new system, administrators will be able to provide SAIC and its subcontractor, Vigilinx Inc., with a profile of their network systems, McDonald said. This will ensure that they receive only the patches that apply to their systems.

The system, hosted on the FedCIRC Web site, will give systems administrators a single point for all patches, said Gene Hunt, corporate vice president of SAIC's system security and engineering operation. The SAIC team will provide patches and test whether they actually work, he said.

The team also will use the system to alert subscribers about potential vulnerabilities and, when possible, tell them what steps they can take to address problems before a patch is available. Once a patch is available, the SAIC team will notify subscribers, test the patch, then tell subscribers it is available via download.

The system also will improve security management by listing for managers the available patches and which ones their systems administrators have downloaded, Hunt said. When a patch is downloaded, the system also will automatically send an e-mail to FedCIRC, he said.
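The three capabilities described above, profile-based filtering so agencies receive only patches that apply to them, interim-mitigation alerts while no patch exists, and a manager's view of which patches were downloaded with an automatic notice to the coordination center, fit a small data model. The following is an added example written for this article, not SAIC's, Vigilinx's or FedCIRC's software; every product name, version, advisory ID, agency and e-mail address in it is constructed:

```python
"""Constructed example of a profile-driven patch notification service.

Illustrative code written for this article; it is not SAIC's, Vigilinx's or
FedCIRC's software, and every product, version, advisory ID and address below
is made up.
"""
from dataclasses import dataclass, field


def parse_version(text):
    """'5.1.3' -> (5, 1, 3). Assumes plain dotted integers; real vendor version
    schemes (letters, service packs, build tags) need vendor-specific rules."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: tuple          # installed versions below this are affected
    patch_available: bool
    workaround: str = ""     # interim step to publish while no patch exists


@dataclass
class AgencyProfile:
    agency: str
    inventory: dict          # product name -> installed version tuple
    downloaded: set = field(default_factory=set)


def applicable_advisories(profile, advisories):
    """Filter the feed down to advisories for products the agency actually runs,
    at a version the advisory says is affected."""
    return [
        adv for adv in advisories
        if adv.product in profile.inventory
        and profile.inventory[adv.product] < adv.fixed_in
    ]


def notification_text(adv):
    """Alert wording: patch available, or interim step while no patch exists."""
    if adv.patch_available:
        return f"{adv.advisory_id}: patch for {adv.product} available for download"
    if adv.workaround:
        return f"{adv.advisory_id}: no patch yet for {adv.product}; interim step: {adv.workaround}"
    return f"{adv.advisory_id}: no patch yet for {adv.product}; no interim mitigation known"


def record_download(profile, adv, outbox):
    """Mark the patch as downloaded and queue the automatic notice to the
    coordination center (the address is a placeholder)."""
    if not adv.patch_available:
        raise ValueError(f"{adv.advisory_id} has no patch to download")
    profile.downloaded.add(adv.advisory_id)
    outbox.append({"to": "incident-center@example.invalid",
                   "agency": profile.agency, "advisory": adv.advisory_id})


def management_report(profile, advisories):
    """Manager's view: each applicable patch and whether it was downloaded."""
    return {
        adv.advisory_id: "downloaded" if adv.advisory_id in profile.downloaded else "pending"
        for adv in applicable_advisories(profile, advisories)
        if adv.patch_available
    }


# Constructed advisory feed and agency profile.
ADVISORIES = [
    Advisory("ADV-0001", "ExampleOS", parse_version("5.2"), patch_available=True),
    Advisory("ADV-0002", "ExampleWeb", parse_version("2.0.4"), patch_available=False,
             workaround="disable the sample CGI directory"),
    Advisory("ADV-0003", "ExampleDB", parse_version("8.1"), patch_available=True),
]


def new_profile():
    return AgencyProfile("Agency A", {
        "ExampleOS": parse_version("5.1"),     # affected, patch exists
        "ExampleWeb": parse_version("2.0.3"),  # affected, no patch yet
        # ExampleDB is not deployed here, so ADV-0003 must not be sent
    })


def run_workflow():
    """Subscribe, receive filtered alerts, download one patch, report status."""
    profile, outbox = new_profile(), []
    applicable = applicable_advisories(profile, ADVISORIES)
    alerts = [notification_text(adv) for adv in applicable]
    record_download(profile, applicable[0], outbox)
    return {
        "applicable": [adv.advisory_id for adv in applicable],
        "alerts": alerts,
        "report": management_report(profile, ADVISORIES),
        "outbox": outbox,
    }


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(key, value)
```

The filtering step is the one that matters operationally: an agency that does not run ExampleDB never hears about ADV-0003, which is the point of the profile. The version comparison here is deliberately naive (dotted integers only); a production service has to encode each vendor's own version and patch-level semantics, or it will silently report a patched system as affected or, worse, an affected one as clean.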

SAIC will start marketing the service to agencies this week, and it should be fully operational in June, McDonald said. GSA is paying for the full cost of the system and service, so it is free for agencies.

"It's really going to help them do their jobs better," she said.
