NIST Patch Management Guides: What MSSPs, MSPs Need to Know


The National Cybersecurity Center of Excellence (NCCoE) has released two new final publications on enterprise patch management. The guides, from NIST (National Institute of Standards and Technology), may help MSSPs and MSPs as they seek to further mitigate vulnerabilities and associated end-customer risks.

The two NIST documents, first issued as drafts in November 2021, were published in final form in April 2022 as:

  1. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (NIST Special Publication (SP) 800-40 Revision 4). The guide recommends that "leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and operationalizes patching while also improving its reduction of risk," NIST indicated.
  2. Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (NIST SP 1800-31). This second document is a deeper, practice-oriented companion to the first. It "describes an example solution that demonstrates how tools can be used to implement the patching capabilities described in SP 800-40 Revision 4. It shows how organizations can use commercial tools for routine and emergency patching situations, as well as implementing temporary alternatives to patching," NIST noted.

Vulnerability Mitigation and Patch Management: Timely Response Required

Aligning patch management with vulnerability management remains a major priority for MSPs, MSSPs and the end-customers they serve. Among the reasons:

  • The average time between a vulnerability disclosure and patch availability is approximately nine days, according to Mandiant research.
  • While the majority of the observed vulnerabilities were exploited as zero-days, 42 percent were exploited only after a patch had been released. For those non-zero-day vulnerabilities, the window between patch release and the first observed exploitation was very small, often only hours or a few days, Mandiant noted. In practice, that means a patch cycle measured in weeks leaves exposed systems well inside the period attackers are already active.

Patch Management Software Market Forecast

Against that backdrop, the patch management software market will grow at a compound annual growth rate (CAGR) of 10.59% from 2020 through 2025, Technavio forecasts. Within the MSP software market, most of the major RMM (remote monitoring and management) software vendors offer patch management tools for service providers.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.