Back to central patching?

GAO report on software patch management, GAO-04-706

In a new study, officials at the General Accounting Office say the federal government must deal more aggressively with the growing volume of software security patches, which overwhelms agencies' ability to manage them.

A report on the study released this week describes uneven patch-management practices across the federal government and recommends two changes in the status quo.

The auditors suggest that the Office of Management and Budget, which monitors federal agencies' security practices, require agencies to report to OMB on their patch-management practices. And they recommend that the federal government consider whether a centralized patch-management service for civilian agencies should be revived.

A similar service that began in February 2003 was discontinued in February 2004, in part because of negative feedback from agencies about the usefulness of the system. But the report says that OMB officials agree with GAO auditors that a service that would include patch testing should be reconsidered.

Summarizing the problems with which federal agencies struggle, the report cites the growing volume and increasing frequency of needed patches, the complexity of patching many different types of systems, the difficulty of keeping laptops protected with up-to-date patches and insufficient funds to assess security vulnerabilities and apply patches.

In their study, GAO auditors found that only 16 of 24 federal agencies have agencywide patch-management policies and only 14 of the 24 have established patch-management procedures. Only 10 agencies reported that they tested all patches before installing them on operational systems.

GAO conducted the study from September 2003 to May 2004 using a Web-based survey of 24 federal agencies and departments.
