Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes

Flaws in software code can introduce vulnerabilities that may be exploited to cause significant damage to federal information systems. Such risks continue to grow with the increasing speed, sophistication, and volume of reported attacks, as well as the decreasing period of the time from vulnerability announcement to attempted exploits. The process of applying software patches to fix flaws--patch management--is critical to helping secure systems from attacks. At the request of the House Committee on Government Reform and the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, GAO reviewed the (1) reported status of 24 selected agencies in performing effective patch management practices, (2) tools and services available to federal agencies, (3) challenges to this endeavor, and (4) additional steps that can be taken to mitigate risks created by software vulnerabilities. This testimony highlights the findings of GAO's report, which is being released at this hearing.