U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

White Paper (Draft)

[Project Description] Critical Cybersecurity Hygiene: Patching the Enterprise

Date Published: August 31, 2018
Comments Due: October 1, 2018 (public comment period is CLOSED)
Email Questions to: cyberhygiene@nist.gov


Murugiah Souppaya (NIST), Kevin Stine (NIST), Mark Simos (Microsoft), Sean Sweeney (Microsoft), Karen Scarfone (Scarfone Cybersecurity)


The Critical Cybersecurity Hygiene: Patching the Enterprise project will examine how commercial and open source tools can be used to aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle.

Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.



cyber hygiene; incidents; patching; security hygiene; software updates; vulnerabilities
Control Families

None selected


Project Description

Supplemental Material:
Project homepage (other)

Document History:
08/31/18: White Paper (Draft)
03/30/20: White Paper (Final)


Security and Privacy
patch management; vulnerability management

software & firmware