Date Published: November 17, 2021
Comments Due:
Email Questions to:
Author(s)
Tyler Diamond (NIST), Alper Kerman (NIST), Murugiah Souppaya (NIST), Kevin Stine (NIST), Brian Johnson (MITRE), Chris Peloquin (MITRE), Vanessa Ruffin (MITRE), Mark Simos (Microsoft), Sean Sweeney (Microsoft), Karen Scarfone (Scarfone Cybersecurity)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has released two draft publications on enterprise patch management for public comment. Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions. However, keeping software up-to-date with patches remains a problem for most organizations.
Draft NIST Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, discusses common factors affecting enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies.
Draft NIST Special Publication (SP) 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, builds upon the work in SP 800-40 Revisions 3 and 4. SP 1800-31 describes an example solution that demonstrates how tools can be used to implement the inventory and patching capabilities organizations need for routine and emergency patching situations, as well as implementing workarounds and other alternatives to patching.
NOTE: A call for patent claims is included in Volumes B and C. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Despite widespread recognition that patching is effective and attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that it’s resource-intensive and that the act of patching can reduce system and service availability. Also, many organizations struggle to prioritize patches, test patches before deployment, and adhere to policies for how quickly patches are applied in different situations. To address these challenges, the NCCoE is collaborating with cybersecurity technology providers to develop an example solution that addresses these challenges. This NIST Cybersecurity Practice Guide explains how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as implement workarounds, isolation methods, or other alternatives to patching. It also explains recommended security practices for patch management systems themselves.
Despite widespread recognition that patching is effective and attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that it’s resource-intensive and that the act of patching can reduce system and service...
See full abstract
Despite widespread recognition that patching is effective and attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that it’s resource-intensive and that the act of patching can reduce system and service availability. Also, many organizations struggle to prioritize patches, test patches before deployment, and adhere to policies for how quickly patches are applied in different situations. To address these challenges, the NCCoE is collaborating with cybersecurity technology providers to develop an example solution that addresses these challenges. This NIST Cybersecurity Practice Guide explains how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as implement workarounds, isolation methods, or other alternatives to patching. It also explains recommended security practices for patch management systems themselves.
Hide full abstract
Keywords
cyber hygiene; enterprise patch management; firmware; patch; patch management; software; update; upgrade; vulnerability management
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
