Information Security: Continued Action Needed to Improve Software Patch Management

GAO-04-706 Published: Jun 02, 2004. Publicly Released: Jun 02, 2004.

Flaws in software code can introduce vulnerabilities that may be exploited to cause significant damage to federal information systems. Such risks continue to grow with the increasing speed, sophistication, and volume of reported attacks, as well as the decreasing period of time from vulnerability announcement to attempted exploits. The process of applying software patches to fix flaws, referred to as patch management, is a critical process to help secure systems from attacks. The Chairmen of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census requested that GAO assess the (1) reported status of 24 selected agencies in performing effective patch management practices, (2) patch management tools and services available to federal agencies, (3) challenges to performing patch management, and (4) additional steps that can be taken to mitigate the risks created by software vulnerabilities.



Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should provide guidance for agencies to report on key aspects of their patch management practices in their annual FISMA reports. This guidance could address measures relating to agencies' implementation of common patch management practices, such as documented policies and procedures, their testing of new patches in their specific computing environments prior to installation, and the frequency with which systems are monitored to ensure that patches are installed.
Status: Closed – Implemented
In its FY 2004 FISMA reporting template, dated August 23, 2004, OMB included a question on (1) whether an agency has configured requirements that address patching security vulnerabilities; and (2) how many successful incidents occurred for known vulnerabilities for which a patch was available.

Agency Affected: Office of Management and Budget
Recommendation: The OMB Director should determine the feasibility of providing selected centralized patch management services to federal civilian agencies. OMB should coordinate with DHS to build on lessons learned regarding PADC's limitations and weigh the costs against potential benefits. These services could potentially provide patch management functions such as centralized access to available tools and services, testing capabilities, and development of training.
Status: Closed – Not Implemented
In September 2006, OMB noted that it is the responsibility of the agencies to ensure the latest patches are installed. While patch management is addressed at CIO council meetings, OMB plans to take no further actions.
