Federal agencies need to more consistently conduct risk
assessments related to software vulnerabilities and security
patches, and test all patches prior to deployment, the
General Accounting Office has said.
It said agencies typically have to install patches quickly,
across heterogeneous systems, ensure that mobile systems
receive the latest patches, minimize downtime when patching
high-availability systems, and dedicate limited resources
toward patch management.
GAO called on the Office of Management and Budget to issue
guidance to agencies to provide more refined information
on patch management practices, and determine the feasibility
of providing selected centralized patch management services.
Information on key aspects of agencies’ patch management
practices — such as their documentation of patch management
policies and procedures and the frequency with which systems
are monitored to ensure that patches are installed — could
provide the Office of Management and Budget, Congress, and
agencies themselves with consistent data that could better
enable an assessment of the effectiveness of an agency’s
patch management processes, said GAO.
It also said a government wide service might lower costs to
— and resource requirements of–individual agencies,
while facilitating the implementation of selected patch