Often delegated to the back burner, software patching needs to become a bigger priority for federal government, the Government Accountability Office warns.
According to recent testimony from Gregory C. Wilshusen, the GAO’s director of information security, cyber incidents reported by federal agencies jumped from 5,503 in fiscal year 2006 to 77,183 in FY 2015, an increase of more than 1,300 percent — and poor patch management shoulders some of the blame.
“Federal agencies consistently fail to apply critical security patches in a timely manner on their systems, sometimes years after the patch is available,” Wilshusen said in a statement before the President’s Commission on Enhancing National Cybersecurity.
Those patch delays give attackers a window in which to exploit known software vulnerabilities. But there are steps every agency can take to improve patch management, from consistently monitoring for patch releases to running periodic security compliance scans.
Here are three strategies that can help agencies minimize the risk posed by outdated patches:
1. Set Up Automation and Internal Processes
“The best way to create an internal process for patch management is to implement automated tools with automated reporting on patch compliance for all systems,” explains Beth Anne Killoran, CIO at the Department of Health and Human Services (HHS).
She suggests that, as part of their internal process, agencies report patch compliance to an integrated project team whose makeup extends beyond IT professionals and cybersecurity experts.
“Engage system owners and stakeholders to ensure they understand the need for minimizing vulnerabilities and keeping IT systems up to date with current protective measures,” Killoran says.
2. Train Your Staff Accordingly
If agency staff do not understand the importance of patch management, they may not take it as seriously as they should.
Killoran says HHS combats this issue by requiring everyone, including system administrators, to participate in recurring role-based training, which addresses patch management as part of a larger program.
“We also provide periodic reporting of patch compliance to staff and management and require that system owners maintain their systems at supported levels,” she adds.
3. Put Patch Updates in Writing
According to Alan Paller, director of research at the SANS Institute, a cooperative IT research and education organization, a common reason that agencies miss patches is that they don’t build patch updates into their IT systems integration (SI) contracts.
“Federal News Radio reported more than 300,000 critical vulnerabilities at NASA because the SI contract did not require the vendor to patch systems,” he explains, citing a problem common to federal agencies. “The fundamental solution for federal IT security associated with out-of-date patches is putting two clauses in every procurement: Use one of the 14 Department of Defense–approved configurations on delivery and require 24-hour patching by the system integrator.”
If your agency already has a contract in place that doesn’t have patching included, Paller offers this advice: “Renegotiate the contract.”