Patch it up

FedCIRC soon will award a contract for a patch dissemination service to help federal agencies fix security vulnerabilities

The Federal Computer Incident Response Center expects this week to award a contract for a patch dissemination service to help federal agencies fix security vulnerabilities at the application and operating system levels, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration.

Agencies can subscribe for free to the service and give the center a profile of their networks' operating systems and applications so that agencies will receive only the patches that apply to their networks, McDonald said.

In addition to issuing security alerts, the new service will tell agencies the steps to take to mitigate vulnerabilities until patches can be developed. The service will test each patch before sending it out to agencies, she said.

Currently, agencies do not have to report to FedCIRC that they have applied the patches, but talks are under way to require agencies to adhere to the Office of Management and Budget's guidance that recommends such a provision, said Richard Clarke, chairman of the President's Critical Infrastructure Protection Board.
