Patch system in the works

GSA contract would set up a governmentwide notification system to warn agencies of security holes in commercial software

The General Services Administration expects to award a contract today to a team led by Science Applications International Corp. to set up a governmentwide system to notify agencies about security holes in commercial software products and the availability of patches to fix them.

The security patch dissemination system is seen as critical to the security of government operations. People who create computer viruses or hack into Web sites frequently do so by exploiting small flaws in operating systems or applications.

In many cases, security patches — small blocks of code — are available online from vendors or popular security organizations, but agencies often do not know about, seek or apply patches until it is too late.

The $1.5 million, one-year task order, expected to be awarded via the GSA Safeguard contract, will enable agencies to receive notification of patches from commercial software vendors for the systems on their networks.

"This will help agencies correct what, to me, is one of the largest problems that exists," said Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection.

Agency officials whom GSA's Federal Computer Incident Response Center (FedCIRC) talked to last week were "very excited" about the award, McDonald said.

Security officials at the Office of Management and Budget and other federal organizations have encouraged agencies to address the patch problem. However, they admit that most systems administrators are simply overwhelmed by the number of patches issued for their own systems, much less those for systems they do not even use.

Using the new system, administrators will be able to provide SAIC and its subcontractor, Vigilinx Inc., with a profile of their network systems, McDonald said. This will ensure that they receive only the patches that apply to their systems.

The system, hosted on the FedCIRC Web site, will give systems administrators a single point for all patches, said Gene Hunt, corporate vice president of SAIC's system security and engineering operation. The SAIC team will provide patches and test whether they actually work, he said.

The team also will use the system to alert subscribers about potential vulnerabilities and, when possible, tell them what steps they can take to address problems before a patch is available. Once a patch is available, the SAIC team will notify subscribers, test the patch, then tell subscribers it is available via download.

The system also will improve security management by listing for managers the available patches and which ones their systems administrators have downloaded, Hunt said. When a patch is downloaded, the system also will automatically send an e-mail to FedCIRC, he said.
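The profile-based filtering, interim-step alerts and download tracking described above, as an added illustrative model; this is not the SAIC/Vigilinx system's code (the article shows none), and the vendors, products, versions and advisory ids are constructed:

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    affected_versions: frozenset   # version strings the vendor lists as vulnerable
    patch_available: bool
    workaround: str = ""           # interim steps, relayed while no patch exists

@dataclass
class Subscriber:
    agency: str
    profile: set                   # (vendor, product, version) tuples the administrator registered
    downloaded: set = field(default_factory=set)

def applicable(advisory, subscriber):
    """An advisory applies only if a registered asset matches vendor, product and version."""
    return any(v == advisory.vendor and p == advisory.product and ver in advisory.affected_versions
               for v, p, ver in subscriber.profile)

def notifications(advisories, subscriber):
    """One notice per applicable advisory; interim steps are passed on when no patch exists yet."""
    out = []
    for a in advisories:
        if not applicable(a, subscriber):
            continue                 # filtered out: no matching system in this subscriber's profile
        if a.patch_available:
            out.append((a.advisory_id, "patch tested and available for download"))
        else:
            out.append((a.advisory_id, f"no patch yet; interim steps: {a.workaround or 'none known'}"))
    return out

def record_download(subscriber, advisory_id, audit_log):
    """Mark the patch as downloaded and emit the notice that goes back to FedCIRC."""
    subscriber.downloaded.add(advisory_id)
    audit_log.append(f"FedCIRC notice: {subscriber.agency} downloaded {advisory_id}")

def manager_report(advisories, subscriber):
    """Applicable patches split into applied and outstanding, for management review."""
    ids = [a.advisory_id for a in advisories if a.patch_available and applicable(a, subscriber)]
    return {"applied": sorted(i for i in ids if i in subscriber.downloaded),
            "outstanding": sorted(i for i in ids if i not in subscriber.downloaded)}
# Constructed sample data: hypothetical vendors, products and advisory ids, not real ones
ADVISORIES = [
    Advisory("ADV-0001", "ExampleVendor", "WebServer", frozenset({"2.0", "2.1"}), True),
    Advisory("ADV-0002", "ExampleVendor", "MailServer", frozenset({"1.4"}), False, "disable remote admin"),
    Advisory("ADV-0003", "OtherVendor", "Database", frozenset({"9.0"}), True),
]
AGENCY = Subscriber("Agency X", {("ExampleVendor", "WebServer", "2.1"), ("ExampleVendor", "MailServer", "1.4")})
```

Only advisories matching a registered (vendor, product, version) reach the subscriber, and the manager report shows which applicable patches are still outstanding.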

SAIC will start marketing the service to agencies this week, and it should be fully operational in June, McDonald said. GSA is paying for the full cost of the system and service, so it is free for agencies.

"It's really going to help them do their jobs better," she said.