FedCIRC fields free patch service
Managers can get patches they really need, GSA's Sallie McDonald says.
Henrik G. DeGyor
Adrift in a sea of software patches? Not sure which ones you need? A new General Services Administration service is supposed to help systems chiefs with just such problems.
GSA has awarded a five-year, $10.8 million task order to Veridian Corp. to validate and disseminate software patches for federal IT administrators.
The task order to the Arlington, Va., company came through the governmentwide Safeguard program. The patch service, which will use technology from SecureInfo Corp. of San Antonio, will be available by free subscription in mid-February from GSA's Federal Computer Incident Response Center.
'Making these services available at no cost is strategic,' FTS commissioner Sandra Bates said. 'Agencies can cut down the overhead to manage individual systems, freeing up resources for other areas.'
IT managers can receive notice of software patches to plug only their specific vulnerabilities, and they can download the patches from a dedicated FedCIRC server.
'It's no secret that most security incidents could be avoided if managers apply patches for known vulnerabilities,' said Sallie McDonald, assistant commissioner in the Office of Information Assurance and Critical Infrastructure at GSA's Federal Technology Service. 'This will make it easier for security managers to concentrate on patches they really need.'
Fixed not infected
Veridian will integrate the technology, market the service and evaluate vendors' patches 'to make sure they are effective and secure,' said Jim Jaeger, vice president of Veridian's Cyber Assurance Group in San Antonio.
An effective patch fixes what it is supposed to fix, he said, and a secure one doesn't introduce new bugs.
'Finding patches that have bugs is the exception, but the effects on the network can be serious,' Jaeger said. Only about 10 percent or 15 percent of patches are ineffective, he added.
Jaeger said his laboratory could validate a patch and have it ready for distribution a few hours after its release. 'We will be validating patches on the same hardware and software configurations the agencies are using,' he said.
SecureInfo will handle the distribution with its InSite Enterprise Vulnerability Management tool. Users must have the InSiteEVM client to profile their agencies' systems. InSiteEVM can import information from network scanners but cannot automatically create profiles.
Administrators are alerted only to problems affecting their systems, SecureInfo chief operating officer John M. Linton said. They also get e-mail or pager alerts about applicable patches after validation.
Jaeger said IT administrators typically receive notice of up to 40 patches a week, only a handful of which apply to their own systems, 'so this really cuts workload.'
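The workload cut described above comes from matching each advisory against a profile of what is actually installed, and from holding back patches the lab has not yet validated. The following is an added illustration of that filtering step, not code from the original article, from SecureInfo's InSiteEVM, or from Veridian; the product names, version numbers and advisory identifiers are constructed for the example, and the advisory fields (affected range, fixed-in version, validated flag) are an assumed layout rather than the service's real data model.

```python
"""Filter a week's patch advisories down to the ones that apply to one host profile.

Added example; the inventory and advisory data below are constructed, not real.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.39' into (2, 0, 39) so versions compare numerically.

    Comparing the raw strings would rank '2.0.9' above '2.0.39' and silently
    mark a vulnerable host as already fixed.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Installed:
    """One software item from the host profile (as a scanner import would supply)."""
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory as the distribution server might describe it (assumed layout)."""
    advisory_id: str
    product: str
    affected_min: str   # first vulnerable version, inclusive
    fixed_in: str       # first patched version, exclusive: at or above this is already fixed
    validated: bool     # lab has confirmed the patch is effective and does not introduce new bugs


def affects(adv: Advisory, sw: Installed) -> bool:
    """True when the installed version falls inside the advisory's vulnerable range."""
    if adv.product.lower() != sw.product.lower():
        return False
    v = parse_version(sw.version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def applicable(advisories: List[Advisory], profile: List[Installed],
               require_validated: bool = True) -> List[Advisory]:
    """Return only advisories that hit something in the profile.

    With require_validated=True (the default), advisories whose patch has not
    yet passed validation are held back rather than pushed to administrators.
    """
    hits = []
    for adv in advisories:
        if require_validated and not adv.validated:
            continue
        if any(affects(adv, sw) for sw in profile):
            hits.append(adv)
    return hits


def applicable_ids(advisories: List[Advisory], profile: List[Installed],
                   require_validated: bool = True) -> List[str]:
    """Convenience wrapper returning just the advisory identifiers."""
    return [a.advisory_id for a in applicable(advisories, profile, require_validated)]


# Constructed host profile: two products, nothing else installed.
PROFILE = [
    Installed("webserver", "2.0.39"),
    Installed("dbengine", "8.1.4"),
]

# Constructed week of advisories; identifiers and products are made up.
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.0.0", "2.0.40", validated=True),   # applies
    Advisory("ADV-0002", "webserver", "1.3.0", "1.3.27", validated=True),   # other branch, not installed
    Advisory("ADV-0003", "mailrelay", "1.0.0", "1.1.0", validated=True),    # product not installed
    Advisory("ADV-0004", "dbengine", "8.0.0", "8.2.0", validated=False),    # applies, patch not yet validated
    Advisory("ADV-0005", "dbengine", "8.1.0", "8.1.4", validated=True),     # host already at fixed version
]


if __name__ == "__main__":
    print("validated and applicable:", applicable_ids(ADVISORIES, PROFILE))
    print("applicable, validation pending included:",
          applicable_ids(ADVISORIES, PROFILE, require_validated=False))
```

Of the five constructed advisories only ADV-0001 reaches the administrator by default; ADV-0004 is held until its patch is validated, and the other three are filtered out because the affected product or version branch is not in the profile. The numeric version comparison is the part worth copying: a string comparison would have treated the host's 2.0.39 as newer than the fix in 2.0.40's neighbour 2.0.9 and missed the alert.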