Guide to Enterprise Patch Management Technologies

Souppaya, Murugiah; Scarfone, Karen

doi:https://doi.org/10.6028/NIST.SP.800-40r3

SP 800-40 Rev. 3

Withdrawn on April 06, 2022. Superseded by SP 800-40 Rev. 4

Guide to Enterprise Patch Management Technologies

Documentation Topics

Date Published: July 2013

Supersedes: SP 800-40 Version 2 (11/16/2005)

Author(s)

Murugiah Souppaya (NIST), Karen Scarfone (Scarfone Cybersecurity)

Abstract

Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies’ effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2), which was published in 2005.

Keywords

patch management; remediation; software patches; information security; vulnerability management

Control Families

Configuration Management; Incident Response; Maintenance; Risk Assessment; System and Information Integrity

Documentation

Publication:
SP 800-40 Rev. 3 (DOI)
Local Download

Supplemental Material:
Press Release (other)

Document History:
07/22/13: SP 800-40 Rev. 3

Topics

Security and Privacy
incident response; maintenance; patch management; risk assessment; vulnerability management

Technologies
networks; software & firmware

Applications
enterprise

Laws and Regulations
Federal Information Security Modernization Act; OMB Circular A-130