Cyber Eye: FedCIRC considers automatic patching
- By William Jackson
- Sep 24, 2003
The Federal Computer Incident Response Center is looking at expanding its Patch Authentication and Dissemination Capability, which helps agencies keep up with vulnerabilities in their software. Later this year, enrolled agencies could choose to have their patches automatically installed.
The service validates vendors' security patches, alerts administrators and provides a secure server for downloads. Agencies must profile their systems so that they can be alerted only to vulnerabilities and patches that apply to them.
The current capability gives administrators an early warning they can act upon, said Mike Garcia, vice president of marketing and product management for SecureInfo Corp. of San Antonio. But they must take the trouble to detail their enterprise profiles as well as install and keep track of the patches.
'The new system would take it one step further,' automating asset profiling and remediation, Garcia said.
FedCIRC program managers are meeting with agency executives to see how much demand there is for the extra capability.
SecureInfo, with Veridian Corp. of Arlington, Va., operates the capability for FedCIRC under a $10.8 million, five-year task order. Veridian tests the vendor patches to verify they work as advertised, and SecureInfo digitally signs and posts them on its secure servers, at https://padc.fedcirc.gov.
SecureInfo said the number of federal users has grown by about 25 percent in the last three months, but FedCIRC wants to increase the user base even more.
The new element, SecureInfo Enterprise Vulnerability Remediation, will be introduced next month as an extension of the vendor's Enterprise Vulnerability Management service for commercial customers.
Whether it becomes part of PADC will depend on how much agencies want it. Profiling would require the presence of a passive agent on a network, and automating installation would take away some control from administrators, which many are reluctant to give up.
Current PADC guidelines suggest that administrators test the validated patches before installation.
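The workflow the article describes (agencies profile their systems, the service signs and hosts validated patches, and installation is either left to the administrator or automated) can be modelled in a few dozen lines. The following is an added example, not SecureInfo's or FedCIRC's code: the profile, feed entries and patch bytes are constructed, and the feed's authenticity tag is an HMAC used as a stand-in for the digital signature the service applies, so that it runs with the standard library only. The `mode` argument captures the choice between notify-only (administrator tests and installs) and auto-install.

```python
"""Model of a PADC-style patch feed: profile filtering, authenticity check,
and an administrator-chosen remediation mode (notify only vs. auto-install).
Added example; all names, keys and payloads below are constructed."""
import hashlib
import hmac
import json

# Constructed verification key. The real service uses a digital signature;
# an HMAC tag stands in for it here so the example needs no extra libraries.
FEED_KEY = b"constructed-demo-verification-key"

# Constructed agency profile: product -> installed version.
PROFILE = {"mailgw": "2.1", "webfront": "4.0"}

# Constructed patch payloads as the dissemination server would host them.
PATCHES = {
    "P-001": b"patch bytes for mailgw 2.1 (constructed)",
    "P-002": b"patch bytes for dbcore 7 (constructed)",
    "P-003": b"patch bytes for webfront 4.0 (constructed)",
}


def tag_for(entry):
    """Authenticity tag over the canonical JSON of a feed entry (minus the tag)."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(FEED_KEY, msg, hashlib.sha256).hexdigest()


def make_entry(patch_id, product, affected, payload):
    """Build a feed entry that binds product, affected versions and payload hash."""
    entry = {"id": patch_id, "product": product, "affected": affected,
             "sha256": hashlib.sha256(payload).hexdigest()}
    entry["tag"] = tag_for(entry)
    return entry


# Constructed feed. TAMPERED simulates a download whose bytes no longer match
# what the feed entry for P-003 was computed over.
FEED = [
    make_entry("P-001", "mailgw", ["2.0", "2.1"], PATCHES["P-001"]),
    make_entry("P-002", "dbcore", ["7"], PATCHES["P-002"]),
    make_entry("P-003", "webfront", ["4.0"], PATCHES["P-003"]),
]
TAMPERED = dict(PATCHES, **{"P-003": b"replaced bytes"})


def applicable(profile, feed):
    """Profiling step: keep only entries whose product/version the agency runs."""
    return [e for e in feed if profile.get(e["product"]) in e["affected"]]


def authentic(entry, payload):
    """The entry's tag must verify and the downloaded payload must match its hash."""
    if not hmac.compare_digest(entry["tag"], tag_for(entry)):
        return False
    return hmac.compare_digest(entry["sha256"],
                               hashlib.sha256(payload).hexdigest())


def plan(profile, feed, downloads, mode="notify"):
    """Return (patch_id, action) pairs. mode is 'notify' (administrator tests
    and installs by hand) or 'auto' (install once authenticity is verified).
    Anything that fails verification is rejected in either mode."""
    actions = []
    for entry in applicable(profile, feed):
        payload = downloads.get(entry["id"])
        if payload is None or not authentic(entry, payload):
            actions.append((entry["id"], "reject"))
        elif mode == "auto":
            actions.append((entry["id"], "install"))
        else:
            actions.append((entry["id"], "notify"))
    return actions


if __name__ == "__main__":
    print(plan(PROFILE, FEED, PATCHES, "notify"))
    print(plan(PROFILE, FEED, TAMPERED, "auto"))
```

The tag covers the applicability metadata as well as the payload hash, so altering which versions an entry claims to affect fails verification just as a swapped download does. Keeping the hosted bytes, the feed entry and the agency profile as three separate inputs is what lets the same code serve both the early-warning mode the article describes today and the automated remediation under consideration.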
Garcia said he has gotten a mixed response from government users about automating both processes. 'That tells me people want a choice,' he said.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.