Agencies need help with patch management, GAO says

The government should consider providing centralized patch management services to help agencies with the chore of keeping IT systems protected against software vulnerabilities, according to a new General Accounting Office report.

GAO found that most agencies are struggling to keep up with the task of installing software patches, often lacking consistent policies and resources for handling the critical job. It recommended that the Office of Management and Budget study the feasibility of a service that could handle at least part of the job.

It also said that more specific OMB guidance could help.

“Although OMB and federal agencies recognize that implementing common practices for effective patch management can help agencies mitigate the risk of attack and improve their overall security posture, the results of our survey indicate that agencies are not consistently performing these common practices,” the report said.

Software patches are fixes for security flaws found in programs. Vulnerabilities can be exploited by attackers, often through automated attacks carried by worms. Keeping patches up-to-date is a critical but time-consuming job.

The GAO study of 24 executive branch agencies found that although they are building system inventories, a vital first step in the process, most have no formal process for patching and many do not test patches before they are deployed. Installing untested patches could introduce new problems.

A centralized service could help ease the burden on individual agencies. It would take the place of the failed Patch Authentication and Dissemination Capability.

PADC was a free service launched in February 2003 by the Federal Computer Incident Response Center, but saw little use by agencies because of its limited abilities. It was shut down one year later, “because of low levels of usage, the cost to upgrade services, and negative agency feedback on the usefullness,” GAO said in its report, released Wednesday.

FedCIRC has no plans to replace the service, but GAO concluded that by building on the lessons learned from PADC, a useful service could be developed to provide centralized patch testing, educational tools and access to tools and services to help automate the process.

OMB said it would consider the feasibility of such a service, but noted in its response to GAO that “ultimately it remains each agency and system owner’s responsibility to maintain the security of their systems.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.