Agencies need help with patch management, GAO says

The government should consider providing centralized patch management services to help agencies with the chore of keeping IT systems protected against software vulnerabilities, according to a new General Accounting Office report.

GAO found that most agencies are struggling to keep up with the task of installing software patches, often lacking consistent policies and resources for handling the critical job. It recommended that the Office of Management and Budget study the feasibility of a service that could handle at least part of the job.

It also said that more specific OMB guidance could help.

“Although OMB and federal agencies recognize that implementing common practices for effective patch management can help agencies mitigate the risk of attack and improve their overall security posture, the results of our survey indicate that agencies are not consistently performing these common practices,” the report said.

Software patches are fixes for security flaws found in programs. Vulnerabilities can be exploited by attackers, often through automated attacks carried by worms. Keeping patches up-to-date is a critical but time-consuming job.

The GAO study of 24 executive branch agencies found that although they are building system inventories, a vital first step in the process, most have no formal process for patching and many do not test patches before they are deployed. Installing untested patches could introduce new problems.

A centralized service could help ease the burden on individual agencies. It would take the place of the failed Patch Authentication and Dissemination Capability.

PADC was a free service launched in February 2003 by the Federal Computer Incident Response Center, but saw little use by agencies because of its limited abilities. It was shut down one year later, “because of low levels of usage, the cost to upgrade services, and negative agency feedback on the usefullness,” GAO said in its report, released Wednesday.

FedCIRC has no plans to replace the service, but GAO concluded that by building on the lessons learned from PADC, a useful service could be developed to provide centralized patch testing, educational tools and access to tools and services to help automate the process.

OMB said it would consider the feasibility of such a service, but noted in its response to GAO that “ultimately it remains each agency and system owner’s responsibility to maintain the security of their systems.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.