OMB likes Air Force's patch strategy

Other agencies could adopt service's effort to distribute secure Microsoft software

An Air Force initiative to deliver standardized and securely configured Microsoft software throughout the service could serve as a governmentwide model for software distribution and patch management, Air Force and industry officials say.

Air Force officials will soon start delivering common configurations of Microsoft operating systems and applications to the Air Force's nine major commands, said Brig. Gen. Ronnie Hawkins, director of communications operations in the service's Office of the Deputy Chief of Staff for Installation and Logistics. Command leaders must use those common configurations or risk being kicked off the network. The move prepares Air Force systems to receive automatically installed and confirmed patches of the company's software this spring.

"We'll decide which configurations will be acceptable in the Air Force," Hawkins said. "We'll then implement these configurations and then lock the desktops down."

Karen Evans, director of the Office of Management and Budget's Office of E-Government and Information Technology, said she likes the Air Force's plan so much that she thinks it should be implemented at all federal agencies.

Evans approached Air Force officials last month about the idea after they signed two Microsoft consolidation contracts in November 2004 to streamline the service's software and support contracts with the company, said John Gilligan, the service's chief information officer. The contracts are worth $500 million over the next six years.

OMB officials declined to discuss the initiative.

"The service's process shows that good security is cheaper than bad security," said Alan Paller, director of research at the SANS Institute, a security training firm in Bethesda, Md.

"If you were Evans, wouldn't you want to take what the Air Force is doing governmentwide?" Paller asked. "The service gets savings by consolidating contracts, better security by having the patches earlier, and no manual patching."

Gilligan stressed that the program is still in its infancy, but he credited Evans for taking steps to improve software standardization, configuration and security governmentwide. She traveled to Microsoft's headquarters in Redmond, Wash., two weeks ago to discuss the idea with company officials.

"Microsoft has to feel good about it," Paller said.

Company officials could not be reached for comment.

The initiative mirrors one Evans signed in 2003 when she was the Energy Department's CIO. She persuaded Oracle officials to sign an enterprisewide contract under which the company shipped database software with the department's preferred security settings already configured.

Air Force officials have also spoken with Pentagon officials about applying the standard configuration approach throughout the Defense Department, Gilligan said. He said he believes the rest of the military will go that route soon.

Two weeks ago, officials at the Air Force, National Security Agency, Defense Information Systems Agency, National Institute of Standards and Technology, Center for Internet Security and Microsoft met to agree on a couple of suites of common Microsoft software configurations, Hawkins said.

"The teaming effort has been tremendous," he said. "The willingness to share information is astonishing. This has been very refreshing."

"This is the best thing going on in information security in the world because the good guys are now working together, and that can turn the tide against the bad guys who have always done that," Paller said.

The company's operating systems will come with the same registries and services. "Most organizations have nonstandard setups," he said. "Automated patching only works if people agree to use the same configurations."

Air Force officials met with federal chief information security officers last December to discuss the details of their Microsoft consolidation contracts and how they will achieve standardization of the company's software and automatically install the patches servicewide. Paller said the Air Force, like many organizations, will get early access to the patches.

Service officials will get the patches and can test them before Microsoft officials publicly announce their release. They plan to distribute and install the patches on the Air Force's 525,000 computers within 48 hours of their release, he said.

Patch pipeline

Air Force officials have standardized and securely configured Microsoft software to protect their networks from hackers and worms. Now, Karen Evans, the government's top information technology official, wants to distribute that secure software governmentwide.

She and John Gilligan, the service's chief information officer, believe the initiative would improve agencies' ability to protect their networks.

Gilligan said the software could be distributed to government agencies through the Homeland Security Department.

— Frank Tiboni
