Fed patch service needs work, agencies tell GAO

GAO response (PDF)

Commercial security patch tools and services offer better solutions for federal agencies than a free service from the Homeland Security Department, but the Office of Management and Budget may still want to require use of the DHS service once improvements are made, according to the General Accounting Office.

Patch management is a critical issue for agency officials, who are facing greater threats as the number of basic software vulnerabilities increases. Officials at DHS' Federal Computer Incident Response Center intended for the free Patch Authentication and Dissemination Capability (PADC) to address that problem, but funding constraints restricted the contract to about 2,000 accounts for the entire government.

According to Robert Dacey, GAO's director of information security issues, agency officials said that FedCIRC can't offer enough accounts and trails commercial companies in capabilities and functionality. Dacey provided a written response to questions from Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Putnam held a hearing in September on the security problems caused by worms and viruses.

Forty-seven agencies have signed up for PADC, and several of them have pilot tests using the limited number of accounts now available. FedCIRC is looking at how to broaden and enhance the service.

OMB officials can require agencies to use the FedCIRC service, given the importance of patch management to solving many basic security concerns, Dacey wrote. However, possible changes in the PADC service should have a large impact on any decision, he said.
