Cyber Eye: FedCIRC considers automatic patching

William Jackson

The Federal Computer Incident Response Center is looking at expanding its Patch Authentication and Dissemination Capability, which helps agencies keep up with vulnerabilities in their software. Later this year, enrolled agencies could choose to have their patches automatically installed.

The service validates vendors' security patches, alerts administrators and provides a secure server for downloads. Agencies must profile their systems so that they can be alerted only to vulnerabilities and patches that apply to them.

The current capability gives administrators an early warning they can act upon, said Mike Garcia, vice president of marketing and product management for SecureInfo Corp. of San Antonio. But they must take the trouble to detail their enterprise profiles as well as install and keep track of the patches.

'The new system would take it one step further,' automating asset profiling and remediation, Garcia said.

FedCIRC program managers are meeting with agency executives to see how much demand there is for the extra capability.

SecureInfo, with Veridian Corp. of Arlington, Va., operates the capability for FedCIRC under a $10.8 million, five-year task order. Veridian tests the vendor patches to verify they work as advertised, and SecureInfo digitally signs and posts them on its secure servers, at https://padc.fedcirc.gov.

SecureInfo said the number of federal users has grown by about 25 percent in the last three months, but FedCIRC wants to increase the user base even more.

The new element, SecureInfo Enterprise Vulnerability Remediation, will be introduced next month as an extension of the vendor's Enterprise Vulnerability Management service for commercial customers.

Whether it becomes part of PADC will depend on how much agencies want it. Profiling would require the presence of a passive agent on a network, and automating installation would take away some control from administrators, which many are reluctant to give up.

Current PADC guidelines suggest that administrators test the validated patches before installation.

Garcia said he has gotten mixed response from government users about automating both processes. 'That tells me people want a choice,' he said.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above