Fed patch service needs work, agencies tell GAO
- By Diane Frank
- Oct 24, 2003
GAO response (PDF)
Commercial security patch tools and services offer better solutions for federal agencies than a free service from the Homeland Security Department, but the Office of Management and Budget may still want to require use of the DHS service once improvements are made, according to the General Accounting Office.
Patch management is a critical issue for agency officials, who are facing greater threats as the number of basic software vulnerabilities increases. Officials at DHS' Federal Computer Incident Response Center intended for the free Patch Authentication and Dissemination Capability (PADC) to address that problem, but funding constraints restricted the contract to about 2,000 accounts for the entire government.
According to Robert Dacey, GAO's director of information security issues, agency officials said that FedCIRC can't offer enough accounts and trails commercial companies in capabilities and functionality. Dacey provided a written response to questions from Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
Putnam held a hearing in September on the security problems caused by worms and viruses.
Forty-seven agencies have signed up for PADC, and several of them have pilot tests using the limited number of accounts now available. FedCIRC is looking at how to broaden and enhance the service.
OMB officials can require agencies to use the FedCIRC service, given the importance of patch management to solving many basic security concerns, Dacey wrote. However, possible changes in the PADC service should have a large impact on any decision, he said.