Lessons learned: NASA patch management

In little more than a year, NASA managed to deploy an automated patch management system that now covers more than 80,000 devices, about 94 percent of the space agency’s computers.

The result is what IT security officer Michael Castagna calls “a rather robust defense” that has reduced after-hours security alerts to systems administrators from a daily occurrence to once or twice a year. Along the way, Castagna and company learned a few lessons.

“First, understand your infrastructure,” he advised. That does not mean you have to be familiar with every device on the network, but you need to understand which systems are critical and what the vulnerabilities are.

Next, have sound policies in place—both for internal organizations and external organizations that connect with you—for how security patching is to be done. Then develop procedures to monitor and enforce those policies.

“Only after you’ve done those things should you begin evaluating tools,” Castagna said.

Once you’ve selected your tools, Mark Page, the enterprise architecture lead at Kennedy Space Center who spearheaded the NASA program, lists four things necessary for successful deployment.

First, get management support, at the CIO level if possible. “I could not have done the project if I did not have upper management support,” he said.

Next, be flexible and willing to compromise. Some mission-critical systems might not fit neatly into your patch management plans.

Also, understand contracts. “We sold the [patch management] product to our administrators as a monitoring tool,” Page said, because existing IT contracts allowed monitoring of systems without contract modifications.

And finally, don’t forget training. “Something I didn’t think about was turnover,” Page said. The average NASA employee “life span” is only about 18 months in many areas, and a lot of retraining was necessary.

“If you are going to do a project of this kind, you are going to have to build training into the budget on an ongoing basis,” Page said.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
