Agencies need help with patch management, GAO says

The government should consider providing centralized patch management services to help agencies with the chore of keeping IT systems protected against software vulnerabilities, according to a new General Accounting Office report.

GAO found that most agencies are struggling to keep up with the task of installing software patches, often lacking consistent policies and resources for handling the critical job. It recommended that the Office of Management and Budget study the feasibility of a service that could handle at least part of the job.

It also said that more specific OMB guidance could help.

“Although OMB and federal agencies recognize that implementing common practices for effective patch management can help agencies mitigate the risk of attack and improve their overall security posture, the results of our survey indicate that agencies are not consistently performing these common practices,” the report said.

Software patches are fixes for security flaws found in programs. Vulnerabilities can be exploited by attackers, often through automated attacks carried by worms. Keeping patches up-to-date is a critical but time-consuming job.

The GAO study of 24 executive branch agencies found that although they are building system inventories, a vital first step in the process, most have no formal process for patching and many do not test patches before they are deployed. Installing untested patches could introduce new problems.

A centralized service could help ease the burden on individual agencies. It would take the place of the failed Patch Authentication and Dissemination Capability.

PADC was a free service launched in February 2003 by the Federal Computer Incident Response Center, but saw little use by agencies because of its limited abilities. It was shut down one year later, “because of low levels of usage, the cost to upgrade services, and negative agency feedback on the usefullness,” GAO said in its report, released Wednesday.

FedCIRC has no plans to replace the service, but GAO concluded that by building on the lessons learned from PADC, a useful service could be developed to provide centralized patch testing, educational tools and access to tools and services to help automate the process.

OMB said it would consider the feasibility of such a service, but noted in its response to GAO that “ultimately it remains each agency and system owner’s responsibility to maintain the security of their systems.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.