Patch Management Planning and Processes: Updated NIST Guidance
Despite increasing cyber attacks and repeated warnings from cybersecurity experts, patch management remains a persistent and risky gap for many organizations. With that in mind, the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) have released two draft publications on enterprise patch management.
- The first, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (NIST Special Publication (SP) 800-40 Revision 4), calls for an enterprise patch management strategy that streamlines the processes and procedures used to fix system and network flaws, so that patching reduces risk instead of being treated as an afterthought.
- The second, a draft practice guide entitled Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (NIST SP 1800-31), walks through an example of how organizations can use existing tools for routine and emergency patching, and includes temporary workarounds and alternatives for systems that cannot be patched promptly.
Even though patching is generally regarded as necessary both to lower cyber risk and to meet compliance requirements, it has not always been treated as a priority, NIST wrote in the first document. But with cyber attacks increasing in number and severity, patching has now become mission-critical.
Still, there are a number of hurdles to effective patch management. For one, business/mission owners may believe that patching hurts productivity because of the downtime required for maintenance, NIST said.
Nonetheless, leadership and business/mission owners should view patching as a "normal and necessary part of reliably achieving the organization's missions," the document reads. Leadership, business/mission owners, and security/technology management teams should jointly create an enterprise patch management strategy that "simplifies and operationalizes patching while also improving its reduction of risk," NIST said.
As for the second document, its goal is to help organizations "balance security with mission impact and business objectives," the agency said. The project uses commercially available tools for asset discovery, patch prioritization, patch deployment, tracking, and verification, and includes guidance for organizations on setting policies and processes that cover the entire patching lifecycle.
The NCCoE is seeking comments on the draft publications by January 10, 2022.