Flaws in software code can introduce vulnerabilities that may be exploited to cause significant damage to federal information systems. Such risks continue to grow with the increasing speed, sophistication, and volume of reported attacks, and with the shrinking interval between a vulnerability's announcement and the first attempted exploits. Applying software patches to fix flaws, a process referred to as patch management, is critical to securing systems against attacks. The Chairmen of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census requested that GAO assess (1) the reported status of 24 selected agencies in performing effective patch management practices, (2) the patch management tools and services available to federal agencies, (3) the challenges to performing patch management, and (4) the additional steps that can be taken to mitigate the risks created by software vulnerabilities.
Recommendations for Executive Action
Office of Management and Budget: The Director of OMB should provide guidance for agencies to report on key aspects of their patch management practices in their annual FISMA reports. This guidance could address measures relating to agencies' implementation of common patch management practices, such as documented policies and procedures, testing of new patches in their specific computing environments prior to installation, and the frequency with which systems are monitored to ensure that patches are installed.

Office of Management and Budget: The OMB Director should determine the feasibility of providing selected centralized patch management services to federal civilian agencies. OMB should coordinate with DHS to build on lessons learned regarding PADC's limitations and weigh the costs against the potential benefits. These services could potentially provide patch management functions such as centralized access to available tools and services, testing capabilities, and development of training.