Date Published: August 31, 2018
Comments Due:
Email Questions to:
Author(s)
Murugiah Souppaya (NIST), Kevin Stine (NIST), Mark Simos (Microsoft), Sean Sweeney (Microsoft), Karen Scarfone (Scarfone Cybersecurity)
Announcement
The Critical Cybersecurity Hygiene: Patching the Enterprise project will examine how commercial and open source tools can be used to aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle.
Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
Cyber hygiene describes recommended mitigations for the small number of root causes responsible for many cybersecurity incidents. Implementing a few simple practices can address these common root causes. Patching is a particularly important component of cyber hygiene, but existing tools and processes are frequently insufficient to rapidly mitigate this risk in many environments and situations. The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle, in the form of a freely available NIST Cybersecurity Practice Guide.
Cyber hygiene describes recommended mitigations for the small number of root causes responsible for many cybersecurity incidents. Implementing a few simple practices can address these common root causes. Patching is a particularly important component of cyber hygiene, but existing tools and...
See full abstract
Cyber hygiene describes recommended mitigations for the small number of root causes responsible for many cybersecurity incidents. Implementing a few simple practices can address these common root causes. Patching is a particularly important component of cyber hygiene, but existing tools and processes are frequently insufficient to rapidly mitigate this risk in many environments and situations. The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle, in the form of a freely available NIST Cybersecurity Practice Guide.
Hide full abstract
Keywords
cyber hygiene; incidents; patching; security hygiene; software updates; vulnerabilities
Control Families
None selected
