Cyber Eye: Could we have little help here, please?
The Federal Computer Incident Response Center shut down its free patch-management service in February, one year after its launch, because of a resounding lack of user interest.
The Patch Authentication and Dissemination Capability set out to be a central resource for secure downloading of software patches, but it drew only a handful of users. The General Accounting Office, however, has advised the Office of Management and Budget that the idea merits revisiting.
'OMB should coordinate with Homeland Security to build on lessons learned regarding PADC's limitations and weigh the costs against potential benefits,' GAO recommended in a report released this month.
That's sound advice. Agencies are struggling to keep up with their software patches in the absence of consistent policies and adequate resources for this critical job.
PADC was little more than a pilot. It failed because it could not give enough help to harried IT administrators, who lacked the time to shape it into what they needed.
If OMB or the Homeland Security Department could extend a real helping hand, it would be gratefully accepted.
PADC's most immediate failing was scale. Although its services were free, only 2,000 accounts were available for the entire government. NASA alone requested 3,000 licenses'one per systems administrator.
The second failing was scope. PADC offered only notification and download services, which meant administrators had to upload profiles of their systems to receive the appropriate notifications. Such services are available commercially.
If agencies are going to get their hands around the patch situation, two things have to happen:
- IT systems must be accurately inventoried, and policies for configuration management must be set and enforced. Only agencies themselves can do this, and it must come first. The work is under way, mandated by the Federal Information Security Management Act, but it's a long way from complete.
- There must be a method for speedily testing patches before they are installed, with a minimum of disruption. Unless adequately tested, patches themselves can further endanger the systems they're meant to protect.
A centralized service could really help here, but it's unlikely to fully test all software patches for all agencies. Federal systems are too heterogeneous. Each agency will have to do some testing for itself.
Nonetheless, a central source could do reliable baseline testing of patches for common federal platforms and configurations. If it were available to all administrators, it could cut deployment time and probably would be welcomed with open arms.