Back to central patching?

GAO report on software patch management, GAO-04-706

In a new study, officials at the General Accounting Office say the federal government must deal more aggressively with the growing volume of software security patches that overwhelms the ability of agencies to manage.

A report on the study released this week describes uneven patch-management practices across the federal government and recommends two changes in the status quo.

The auditors suggest that the Office of Management and Budget, which monitors federal agencies' security practices, require agencies to report to OMB on their patch-management practices. And they recommend that the federal government consider whether a centralized patch-management service for civilian agencies should be revived.

A similar service that began in February 2003 was discontinued in February 2004, in part because of negative feedback from agencies about the usefulness of the system. But the report says that OMB officials agree with GAO auditors that a service that would include patch testing should be reconsidered.

Summarizing the problems with which federal agencies struggle, the report cites the growing volume and increasing frequency of needed patches, the complexity of patching many different types of systems, the difficulty of keeping laptops protected with up-to-date patches and the insufficient funds to assess security vulnerabilities and apply patches.

In their study, GAO auditors found that only 16 of 24 federal agencies have agencywide patch-management policies and only 14 of the 24 have established patch-management procedures. Only 10 agencies reported that they tested all patches before installing them on operational systems.

GAO conducted the study from September 2003 to May 2004 using a Web-based survey of 24 federal agencies and departments.