Industry asked to help with patches

GSA seeks system for agencies to keep track of the abundance of patches for commercial software


The General Services Administration last week called on industry to help define a system for agencies to stay on top of the abundance of software patches that companies issue to cover security vulnerabilities in their products.

The GSA Office of Information Assurance and Critical Infrastructure Protection issued a request for information for the system, which would address an awareness problem among agencies worldwide.

Many security breaches happen when attackers take advantage of vulnerabilities for which patches are available, but system administrators have not applied the patches.

The distributed denial-of-service attack that took down electronic commerce sites a year ago this month occurred primarily because patches had not been applied on the systems attackers used to flood the sites, according to officials. Furthermore, audits by the General Accounting Office and agency inspectors general often find that the failure to apply security patches opens significant vulnerabilities in federal systems.

The Federal Computer Incident Response Capability, the central organization for cyberattack warning and response in civilian agencies, has been working with agencies to find and use patches that are already available and also to ensure that new patches are applied as they are released.

The proposed new system is intended to provide customized notification about new and updated patches based on the systems agencies have in place.

Officials are asking for input on a system that can:

- Collect patches and revisions from vendors for the systems used by agencies.
- Validate the authenticity and functionality of the patches or revisions.
- Authenticate the patch or revision through some form of digital signature.
- Distribute notices to agencies announcing the availability of the patch or revision, including a summary of the vulnerability and any instructions for installation.
- Filter distribution of the notices according to each agency's infrastructure so that agencies only get the patches that pertain to their systems.
- Establish a trusted repository from which agencies can retrieve the authenticated patch or revision, with an electronically signed receipt.

Responses to the RFI are due to GSA, via e-mail, by March 16.
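To make the listed capabilities concrete, here is an added toy sketch of how such a service could sign a notice, reject a tampered one, route notices by each agency's product inventory, and check a retrieved patch against the digest in its notice. It is not part of the RFI or of any GSA system; the notices, agencies, key and patch bytes are constructed, and an HMAC stands in for the asymmetric digital signature the RFI asks for so the sketch runs on the Python standard library alone.

```python
# Toy model of the notice service the RFI describes: sign a notice, verify it,
# route it by agency inventory, check a retrieved patch against the notice digest.
# Added illustration, not the RFI's design; HMAC-SHA256 stands in for the
# asymmetric digital signature the RFI calls for so this runs on stdlib only.
import hashlib
import hmac
import json

REPO_KEY = b"constructed-demo-key"  # constructed; stands in for the repository's key

def _canonical(notice: dict) -> bytes:
    """Serialise the notice fields (minus any signature) in a fixed key order."""
    return json.dumps({k: v for k, v in notice.items() if k != "sig"}, sort_keys=True).encode()

def sign_notice(notice: dict) -> dict:
    """Attach a signature over the canonical form of the notice."""
    return {**notice, "sig": hmac.new(REPO_KEY, _canonical(notice), hashlib.sha256).hexdigest()}

def notice_is_authentic(signed: dict) -> bool:
    """Recompute the signature and compare it in constant time."""
    expected = hmac.new(REPO_KEY, _canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))

def route_notices(notices: list, agencies: dict) -> dict:
    """Map each agency to the ids of authentic notices that match a (product, version)
    pair in its inventory; tampered or unsigned notices are dropped before routing."""
    out = {name: [] for name in agencies}
    for n in notices:
        if not notice_is_authentic(n):
            continue
        for name, inventory in agencies.items():
            if any(p == n["product"] and v in n["affected"] for p, v in inventory):
                out[name].append(n["id"])
    return out

def patch_matches_notice(patch_bytes: bytes, notice: dict) -> bool:
    """Verify a patch retrieved from the repository against the digest in the notice."""
    return hashlib.sha256(patch_bytes).hexdigest() == notice["sha256"]

# Constructed sample data, not from the RFI.
PATCH_A = b"constructed patch bytes for webserver 1.x"
NOTICES = [
    sign_notice({"id": "N-1", "product": "webserver", "affected": ["1.0", "1.1"],
                 "summary": "remote DoS", "sha256": hashlib.sha256(PATCH_A).hexdigest()}),
    sign_notice({"id": "N-2", "product": "mailer", "affected": ["4.2"],
                 "summary": "privilege escalation", "sha256": "0" * 64}),
]
AGENCIES = {"agency-a": [("webserver", "1.1"), ("database", "9")],
            "agency-b": [("mailer", "4.2")], "agency-c": [("webserver", "2.0")]}
```

Routing only agency-a the webserver notice and agency-b the mailer notice is the filtering step; a notice whose summary is edited after signing fails verification and is never delivered.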
