Information Security: Continued Action Needed to Improve Software Patch Management

GAO-04-706: Published: Jun 2, 2004. Publicly Released: Jun 2, 2004.

Contact: Gregory C. Wilshusen, (202) 512-3317
Office of Public Affairs: (202) 512-4800

Flaws in software code can introduce vulnerabilities that may be exploited to cause significant damage to federal information systems. Such risks continue to grow with the increasing speed, sophistication, and volume of reported attacks, as well as the decreasing period of time between a vulnerability's announcement and attempted exploits. The process of applying software patches to fix flaws, referred to as patch management, is a critical process for helping secure systems against attacks. The Chairmen of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census requested that GAO assess (1) the reported status of 24 selected agencies in performing effective patch management practices, (2) the patch management tools and services available to federal agencies, (3) the challenges to performing patch management, and (4) additional steps that can be taken to mitigate the risks created by software vulnerabilities.

Based on agency-reported data, agencies generally are implementing important common practices for effective patch management, such as performing systems inventories and providing information security training. However, they are not consistently performing others, such as risk assessments and testing all patches before deployment. Additional information on key aspects of agencies' patch management practices--such as their documentation of patch management policies and procedures and the frequency with which systems are monitored to ensure that patches are installed--could provide OMB, Congress, and agencies themselves with consistent data that would better enable an assessment of the effectiveness of an agency's patch management processes.

Several automated tools and services are available to assist agencies in performing patch management. These tools and services typically include a wide range of functionality, including methods to inventory computers, identify relevant patches and workarounds, test patches, and report network status information to various levels of management. A centralized resource could provide agencies with selected services such as the testing of patches, a patch management training curriculum, and the development of criteria for patch management tools and services. A governmentwide service could lower costs to--and resource requirements of--individual agencies, while facilitating their implementation of selected patch management practices.

Agencies face several challenges in implementing effective patch management practices, including (1) installing patches quickly while still following effective patch management practices, (2) patching heterogeneous systems, (3) ensuring that mobile systems receive the latest patches, (4) avoiding unacceptable downtime when patching high-availability systems, and (5) dedicating sufficient resources to patch management.
Agency officials and computer security experts identified a number of additional steps that can be taken by vendors, the security community, and the federal government to assist agencies in mitigating the risks created by software vulnerabilities. For example, more rigorous software engineering practices by software vendors could reduce the number of software vulnerabilities and the need for patches. In addition, the research and development of more capable technologies could help secure information systems against cyber attacks. Also, the federal government could use its substantial purchasing power to influence software vendors to deliver more secure systems.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In its FY 2004 FISMA reporting template, dated August 23, 2004, OMB included a question on (1) whether an agency has configured requirements that address patching security vulnerabilities; and (2) how many successful incidents occurred for known vulnerabilities for which a patch was available.

    Recommendation: The Director of OMB should provide guidance for agencies to report on key aspects of their patch management practices in their annual FISMA reports. This guidance could address measures relating to agencies' implementation of common patch management practices, such as documented policies and procedures, their testing of new patches in their specific computing environments prior to installation, and the frequency with which systems are monitored to ensure that patches are installed.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Not Implemented

    Comments: In September 2006, OMB noted that it is the responsibility of the agencies to ensure that the latest patches are installed. While patch management is addressed at CIO Council meetings, OMB plans to take no further action.

    Recommendation: The OMB Director should determine the feasibility of providing selected centralized patch management services to federal civilian agencies. OMB should coordinate with DHS to build on lessons learned regarding PADC's limitations and weigh the costs against potential benefits. These services could potentially provide patch management functions such as centralized access to available tools and services, testing capabilities, and development of training.

    Agency Affected: Executive Office of the President: Office of Management and Budget
