Lessons learned: NASA patch management

In little more than a year, NASA managed to deploy an automated patch management system that now covers more than 80,000 devices, about 94 percent of the space agency’s computers.

The result is what IT security officer Michael Castagna calls “a rather robust defense” that has reduced after-hours security alerts to systems administrators from a daily occurrence to once or twice a year. Along the way, Castagna and company learned a few lessons.

“First, understand your infrastructure,” he advised. That does not mean you have to be familiar with every device on the network, but you need to understand which systems are critical and what the vulnerabilities are.

Next, have sound policies in place—both for internal organizations and external organizations that connect with you—for how security patching is to be done. Then develop procedures to monitor and enforce those policies.

“Only after you’ve done those things should you begin evaluating tools,” Castagna said.

Once you’ve selected your tools, four things are necessary for successful deployment, according to Mark Page, the enterprise architecture lead at Kennedy Space Center who spearheaded the NASA program.

First, get management support, at the CIO level if possible. “I could not have done the project if I did not have upper management support,” he said.

Next, be flexible and willing to compromise. Some mission-critical systems might not fit neatly into your patch management plans.

Also, understand contracts. “We sold the [patch management] product to our administrators as a monitoring tool,” Page said, because existing IT contracts allowed monitoring of systems without contract modifications.

And finally, don’t forget training. “Something I didn’t think about was turnover,” Page said. The average NASA employee “life span” is only about 18 months in many areas, and a lot of retraining was necessary.

“If you are going to do a project of this kind, you are going to have to build training into the budget on an ongoing basis,” Page said.
