NCCoE Releases Final Guidance on Effective Enterprise Patch Management

Share this article on:

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

NCCoE worked closely with cybersecurity technology providers to develop guidance – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (SP-800-40) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (SP-1800-31) – to help enterprises with patch management planning and implementation. The guidance documents discuss the challenges organizations need to overcome with patch management and recommend a strategy that can be adapted to simplify and operationalize patching to improve the reduction of risk.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.

Image Source: J. Stoughton/NIST

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On