Fed patch service needs work, agencies tell GAO

GAO response (PDF)

Commercial security patch tools and services offer better solutions for federal agencies than a free service from the Homeland Security Department, but the Office of Management and Budget may still want to require use of the DHS service once improvements are made, according to the General Accounting Office.

Patch management is a critical issue for agency officials, who are facing greater threats as the number of basic software vulnerabilities increases. Officials at DHS' Federal Computer Incident Response Center intended for the free Patch Authentication and Dissemination Capability (PADC) to address that problem, but funding constraints restricted the contract to about 2,000 accounts for the entire government.

According to Robert Dacey, GAO's director of information security issues, agency officials said that FedCIRC can't offer enough accounts and trails commercial companies in capabilities and functionality. Dacey provided a written response to questions from Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Putnam held a hearing in September on the security problems caused by worms and viruses.

Forty-seven agencies have signed up for PADC, and several of them have pilot tests using the limited number of accounts now available. FedCIRC is looking at how to broaden and enhance the service.

OMB officials can require agencies to use the FedCIRC service, given the importance of patch management to solving many basic security concerns, Dacey wrote. However, possible changes in the PADC service should have a large impact on any decision, he said.
