Agencies need help with patch management, GAO says

The government should consider providing centralized patch management services to help agencies with the chore of keeping IT systems protected against software vulnerabilities, according to a new General Accounting Office report.

GAO found that most agencies are struggling to keep up with the task of installing software patches, often lacking consistent policies and resources for handling the critical job. It recommended that the Office of Management and Budget study the feasibility of a service that could handle at least part of the job.

It also said that more specific OMB guidance could help.

“Although OMB and federal agencies recognize that implementing common practices for effective patch management can help agencies mitigate the risk of attack and improve their overall security posture, the results of our survey indicate that agencies are not consistently performing these common practices,” the report said.

Software patches are fixes for security flaws found in programs. Vulnerabilities can be exploited by attackers, often through automated attacks carried by worms. Keeping patches up-to-date is a critical but time-consuming job.

The GAO study of 24 executive branch agencies found that although they are building system inventories, a vital first step in the process, most have no formal process for patching and many do not test patches before they are deployed. Installing untested patches could introduce new problems.

A centralized service could help ease the burden on individual agencies. It would take the place of the failed Patch Authentication and Dissemination Capability.

PADC was a free service launched in February 2003 by the Federal Computer Incident Response Center, but saw little use by agencies because of its limited abilities. It was shut down one year later, “because of low levels of usage, the cost to upgrade services, and negative agency feedback on the usefulness,” GAO said in its report, released Wednesday.

FedCIRC has no plans to replace the service, but GAO concluded that by building on the lessons learned from PADC, a useful service could be developed to provide centralized patch testing, educational tools and access to tools and services to help automate the process.

OMB said it would consider the feasibility of such a service, but noted in its response to GAO that “ultimately it remains each agency and system owner’s responsibility to maintain the security of their systems.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.
