Lessons learned: NASA patch management

In little more than a year, NASA managed to deploy an automated patch management system that now covers more than 80,000 devices, about 94 percent of the space agency’s computers.

The result is what IT security officer Michael Castagna calls “a rather robust defense,” that has reduced after-hours security alerts to systems administrators from a daily occurrence to once or twice a year. Along the way, Castagna and company learned a few lessons.

“First, understand your infrastructure,” he advised. That does not mean you have to be familiar with every device on the network, but you need to understand which systems are critical and what the vulnerabilities are.

Next, have sound policies in place—both for internal organizations and external organizations that connect with you—for how security patching is to be done. Then develop procedures to monitor and enforce those policies.

“Only after you’ve done those things should you begin evaluating tools,” Castagna said.

Once you’ve selected your tools, Mark Page, the enterprise architecture lead at Kennedy Space Center who spearheaded the NASA program, lists four things necessary for successful deployment.

First, get management support, at the CIO level if possible. “I could not have done the project if I did not have upper management support,” he said.

Next, be flexible and willing to compromise. Some mission-critical systems might not fit neatly into your patch management plans.

Also, understand contracts. “We sold the [patch management] product to our administrators as a monitoring tool,” Page said, because existing IT contracts allowed monitoring of systems without contract modifications.

And finally, don’t forget training. “Something I didn’t think about was turnover,” Page said. The average NASA employee “life span” is only about 18 months in many areas, and a lot of retraining was necessary.

“If you are going to do a project of this kind, you are going to have to build training into the budget on an ongoing basis,” Page said.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

  • IT Modernization
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA plans 'strategic review' of $16B software program

    New Veterans Affairs chief Denis McDonough announced a "strategic review" of the agency's Electronic Health Record Modernization program of up to 12 weeks.

Stay Connected