Back to central patching?

GAO report on software patch management, GAO-04-706

In a new study, officials at the General Accounting Office say the federal government must deal more aggressively with the growing volume of software security patches, which is overwhelming agencies' ability to manage them.

A report on the study released this week describes uneven patch-management practices across the federal government and recommends two changes in the status quo.

The auditors suggest that the Office of Management and Budget, which monitors federal agencies' security practices, require agencies to report to OMB on their patch-management practices. And they recommend that the federal government consider whether a centralized patch-management service for civilian agencies should be revived.

A similar service that began in February 2003 was discontinued in February 2004, in part because of negative feedback from agencies about the usefulness of the system. But the report says that OMB officials agree with GAO auditors that a service that would include patch testing should be reconsidered.

Summarizing the problems with which federal agencies struggle, the report cites the growing volume and increasing frequency of needed patches, the complexity of patching many different types of systems, the difficulty of keeping laptops protected with up-to-date patches and the insufficient funds to assess security vulnerabilities and apply patches.

In their study, GAO auditors found that only 16 of 24 federal agencies have agencywide patch-management policies and only 14 of the 24 have established patch-management procedures. Only 10 agencies reported that they tested all patches before installing them on operational systems.

GAO conducted the study from September 2003 to May 2004 using a Web-based survey of 24 federal agencies and departments.
