Patch Management Planning and Processes: Updated NIST Guidance


Despite rising cyber attacks and repeated warnings from security experts, patch management remains a serious weakness for many organizations. With that in mind, the National Cybersecurity Center of Excellence (NCCoE) has released two National Institute of Standards and Technology (NIST) draft publications on enterprise patch management.

Even though patching is generally regarded as necessary to lower cyber risk and meet compliance requirements, it has not always been treated as a priority, NIST wrote in the first document. But with cyber attacks increasing in both number and severity, patching has now become mission-critical.

Still, there are a number of hurdles in patch management’s way. For one, business/mission owners may believe that patching negatively affects productivity because of downtime for maintenance, NIST said.

Nonetheless, leadership and business/mission owners should view patching as a “normal and necessary part of reliably achieving the organization’s missions,” the document reads. Leadership, business/mission owners, and security/technology management teams should jointly create an enterprise patch management strategy that “simplifies and operationalizes patching while also improving its reduction of risk,” NIST said.

As for the second document, its goal is to help organizations “balance security with mission impact and business objectives,” the agency said. The project uses commercially available tools for asset discovery, prioritization, patch implementation tracking, and verification, and includes guidance for organizations to set policies and processes covering the entire patching lifecycle.

The NCCoE is seeking comments on the draft publications by January 10, 2022.
