Patch Management Planning and Processes: Updated NIST Guidance

Despite increasing cyber attacks and warnings from cybersecurity experts, patch management remains a dangerous problem for many organizations. With that in mind, the National Cybersecurity Center of Excellence (NCCoE) has released two National Institute of Standards and Technology (NIST) draft publications on enterprise patch management.

Even though patching is generally regarded as necessary to lower cyber risk and meet compliance requirements, it has not always been considered a priority, NIST wrote in the first document. But with cyber attacks increasing in number and severity, patching has now risen to mission-critical status.

Still, there are a number of hurdles in patch management’s way. For one, business/mission owners may believe that patching negatively affects productivity because of downtime for maintenance, NIST said.

Nonetheless, leadership and business/mission owners should view patching as a “normal and necessary part of reliably achieving the organization’s missions,” the document reads. Leadership, business/mission owners, and security/technology management teams should jointly create an enterprise patch management strategy that “simplifies and operationalizes patching while also improving its reduction of risk,” NIST said.

As for the second document, its goal is to help organizations “balance security with mission impact and business objectives,” the agency said. The project uses commercially available tools for asset discovery, prioritization, patch implementation tracking and verification, and includes guidance for organizations to set policies and processes for the entire patching lifecycle.

The NCCoE is seeking comments on the draft publications by January 10, 2022.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.