NIST SP 1800-31 (Initial Preliminary Draft)

Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways

Date Published: September 2020
Comments Due: October 9, 2020 (public comment period is CLOSED)
Email Questions to: cyberhygiene@nist.gov

Author(s)

Murugiah Souppaya (NIST), Kevin Stine (NIST), Mark Simos (Microsoft), Sean Sweeney (Microsoft), Karen Scarfone (Scarfone Cybersecurity)

Announcement

Volume A of the preliminary draft practice guide, Improving Enterprise Patching for General IT Systems, is available for public comment. The National Cybersecurity Center of Excellence (NCCoE) is following an experimental agile process for this practice guide. Instead of posting all volumes at the same time, a preliminary draft of one volume will be posted for comment as work continues on the implementation of the demonstration solution and the development of other parts of the practice guide.

Addressing Patching Challenges

The NCCoE is writing this guide in collaboration with cybersecurity technology providers to identify actionable approaches that can help organizations improve enterprise patching practices for general information technology (IT) systems. Cybersecurity attacks bring home the dangers of operating computers with unpatched software. We know the risks; however, keeping software up to date with patches remains an ongoing problem for many organizations for a host of reasons, including timing and balancing security with mission impact and business objectives.

Future volumes of this guide will include both process and tool usage improvements. Once available, the full practice guide can help your organization improve its security and reduce the likelihood of privacy breaches with sensitive personal information by:

  • overcoming common obstacles involving enterprise patching for general IT systems
  • achieving a comprehensive security hygiene program based on existing standards, guidance, and recommended practices

We Value Your Insights

We are seeking your feedback on the proposed approach and example solution outlined in Volume A, which discusses how existing tools can be used to implement:

  • the patching and inventory capabilities organizations need to handle both routine and emergency patching situations
  • workarounds, isolation methods, or other alternatives to patching

The solution will also demonstrate recommended security practices for patch management systems themselves.

Abstract

Keywords

N/A

Control Families

None selected

Documentation

Publication:
SP 1800-31A (Prelim. Draft)

Supplemental Material:
Project homepage

Document History:
09/10/20: SP 1800-31 (Draft)
11/17/21: SP 1800-31 (Draft)
04/06/22: SP 1800-31 (Final)

Topics

Security and Privacy

patch management, vulnerability management

Applications

enterprise