Agencies need help with patch management, GAO says

The government should consider providing centralized patch management services to help agencies with the chore of keeping IT systems protected against software vulnerabilities, according to a new General Accounting Office .GAO found that most agencies are struggling to keep up with the task of installing software patches, often lacking consistent policies and resources for handling the critical job. It recommended that the Office of Management and Budget study the feasibility of a service that could handle at least part of the job.It also said that more specific OMB guidance could help.“Although OMB and federal agencies recognize that implementing common practices for effective patch management can help agencies mitigate the risk of attack and improve their overall security posture, the results of our survey indicate that agencies are not consistently performing these common practices,” the report said.Software patches are fixes for security flaws found in programs. Vulnerabilities can be exploited by attackers, often through automated attacks carried by worms. Keeping patches up-to-date is a critical but time-consuming job. The GAO study of 24 executive branch agencies found that although they are building system inventories, a vital first step in the process, most have no formal process for patching and many do not test patches before they are deployed. Installing untested patches could introduce new problems.A centralized service could help ease the burden on individual agencies. It would take the place of the failed Patch Authentication and Dissemination Capability.PADC was a free service launched in February 2003 by the Federal Computer Incident Response Center, but saw little use by agencies because of its limited abilities. It was shut down one year later, “because of low levels of usage, the cost to upgrade services, and negative agency feedback on the usefullness,” GAO said in its report, released Wednesday.FedCIRC has no plans to replace the service, but GAO concluded that by building on the lessons learned from PADC, a useful service could be developed to provide centralized patch testing, educational tools and access to tools and services to help automate the process.OMB said it would consider the feasibility of such a service, but noted in its response to GAO that “ultimately it remains each agency and system owner’s responsibility to maintain the security of their systems.”