Federal Manager's Daily Report

Federal agencies need to more consistently conduct risk assessments related to software vulnerabilities and security patches, and test all patches prior to deployment, the General Accounting Office has said.

It said agencies typically have to install patches quickly, across heterogeneous systems, ensure that mobile systems receive the latest patches, minimize downtime when patching high-availability systems, and dedicate limited resources toward patch management.

GAO called on the Office of Management and Budget to issue guidance to agencies to provide more refined information on patch management practices, and determine the feasibility of providing selected centralized patch management services.

Information on key aspects of agencies’ patch management practices — such as their documentation of patch management policies and procedures and the frequency with which systems are monitored to ensure that patches are installed — could provide the Office of Management and Budget, Congress, and agencies themselves with consistent data that could better enable an assessment of the effectiveness of an agency’s patch management processes, said GAO.

It also said a government-wide service might lower costs to, and resource requirements of, individual agencies, while facilitating the implementation of selected patch management practices.