Patch service outsources security

'If you don't have your environment mapped out, you won't know what patches you need.'

'OMB's Mark Forman

'The places that do security best, outsource,' former presidential cyberadviser Richard Clarke said about the Federal Computer Incident Response Center's free Patch Authentication and Dissemination Capability.

PADC, FedCIRC's first centrally funded security service, could become a model for future services, Clarke said. Budget schedules and acquisition regulations often keep agencies from installing needed fixes fast enough, he said, and managed services are a way around that'even for some classified systems.

'The government has to get more comfortable with outsourcing,' Clarke said. He acknowledged that managers are wary of turning over security duties to outsiders, but they have to 'get over it,' he said. 'Every major company in the country is turning over its security in some manner to managed services.'

Under a $10.8 million, five-year task order, Veridian Corp. of Arlington, Va., and SecurInfo Corp. of San Antonio will host PADC for FedCIRC.

Studies have shown repeatedly that most system intrusions exploit known vulnerabilities for which patches are available. But keeping track of the vulnerabilities and the status of patches is complex and time-consuming on a large system.

PADC will simplify patch management by giving administrators only the information relevant to their systems and ensuring that the patches are genuine and effective.

PADC operation was not affected by FedCIRC's move from the General Services Administration's Federal Technology Service to the new Homeland Security Department, said Sallie McDonald, assistant FTS commissioner for information assurance and critical infrastructure protection.

Agencies with PADC accounts receive alerts about new vulnerabilities discovered for their specific systems as well as patches or other fixes available. Veridian tests and validates patches, and SecurInfo digitally signs and stores them on a secure server. Agency managers can access the service at padc.fedcirc.gov and download patches from the secure server.

Patch protection

The validated patches will be protected by Triple Data Encryption Standard encryption and transmitted over Secure Sockets Layer connections.

PADC will gather vulnerability and patch information from industry and government sources around the world. Patches for high-priority vulnerabilities will be available within two hours, medium-priority ones within eight hours and those with low priority within 24 hours, Veridian program manager Steve Kanclerowicz said.

An agency can register for a pool of PADC licenses. The account manager'a senior IT security official'designates junior managers and defines user privileges. Users should have access only to information and patches for their designated part of a network.

PADC does not scan the agency network and cannot see into it. The senior account manager profiles the hardware and software in use. PADC uses the profile to tailor alerts.

A profile is essential to overall system security, said Mark Forman, Office of Management and Budget associate director for IT and electronic government. 'It is critical for federal users to download patches in a timely manner,' he said during the PADC introduction. 'If you don't have your environment mapped out, you won't know what patches you need.'

Managers are supposed to note installation of each patch in their profiles. PADC will use that information to generate reports on the vulnerability status of patches of each system.

More information is available at www.fedcirc.com or from the management center at 202-708-5060

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above