U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

Enterprise Patch Management: Draft Publications Available for Comment
November 17, 2021

The National Cybersecurity Center of Excellence (NCCoE) has released two draft publications on enterprise patch management for public comment. Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions. However, keeping software up-to-date with patches remains a problem for most organizations.

Draft NIST Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, discusses common factors affecting enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies.

Draft NIST SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, builds upon the work in SP 800-40 Revisions 3 and 4. SP 1800-31 describes an example solution that demonstrates how tools can be used to implement the inventory and patching capabilities organizations need for routine and emergency patching situations, as well as implementing workarounds and other alternatives to patching.

The public comment period for these drafts is open through January 10, 2022. See the publication details for copies of the drafts and instructions for submitting comments. You can also contact us at cyberhygiene@nist.gov.

NOTE: A call for patent claims is included in each of these draft publications. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Related Topics

Security and Privacy: patch management, vulnerability management

Technologies: software & firmware

Applications: enterprise

Laws and Regulations: Executive Order 14028

Created November 15, 2021, Updated November 17, 2021