FedCIRC fields free patch service

Managers can get patches they really need, GSA's Sallie McDonald says.

Photo: Henrik G. DeGyor

Adrift in a sea of software patches? Not sure which ones you need? A new General Services Administration service is supposed to help systems chiefs with just such problems.

GSA has awarded a five-year, $10.8 million task order to Veridian Corp. to validate and disseminate software patches for federal IT administrators.

The task order to the Arlington, Va., company came through the governmentwide Safeguard program. The patch service, which will use technology from SecureInfo Corp. of San Antonio, will be available by free subscription in mid-February from GSA's Federal Computer Incident Response Center.

'Making these services available at no cost is strategic,' FTS commissioner Sandra Bates said. 'Agencies can cut down the overhead to manage individual systems, freeing up resources for other areas.'

IT managers can receive notice of software patches to plug only their specific vulnerabilities, and they can download the patches from a dedicated FedCIRC server.

'It's no secret that most security incidents could be avoided if managers apply patches for known vulnerabilities,' said Sallie McDonald, assistant commissioner in the Office of Information Assurance and Critical Infrastructure at GSA's Federal Technology Service. 'This will make it easier for security managers to concentrate on patches they really need.'

Fixed not infected

Veridian will integrate the technology, market the service and evaluate vendors' patches 'to make sure they are effective and secure,' said Jim Jaeger, vice president of Veridian's Cyber Assurance Group in San Antonio.

An effective patch fixes what it is supposed to fix, he said, and a secure one doesn't introduce new bugs.

'Finding patches that have bugs is the exception, but the effects on the network can be serious,' Jaeger said. Only about 10 percent or 15 percent of patches are ineffective, he added.

Jaeger said his laboratory could validate a patch and have it ready for distribution a few hours after its release. 'We will be validating patches on the same hardware and software configurations the agencies are using,' he said.

SecureInfo will handle the distribution with its InSite Enterprise Vulnerability Management tool. Users must have the InSiteEVM client to profile their agencies' systems. InSiteEVM can import information from network scanners but cannot automatically create profiles.

Administrators are alerted only to problems affecting their systems, SecureInfo chief operating officer John M. Linton said. They also get e-mail or pager alerts about applicable patches after validation.

Jaeger said IT administrators typically receive notice of up to 40 patches a week, only a handful of which apply to their own systems. 'So this really cuts workload,' he said.
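The matching step the article describes (a profile of what each agency runs, checked against incoming patch notices, with alerts held until the patch is validated) is simple enough to show in code. The block below is an added illustration written for this page; it is not code from SecureInfo, Veridian or FedCIRC, and the scanner export format, product names, version strings and patch identifiers in it are all constructed assumptions.

```python
"""Added example: sending patch notices only for systems they affect.

Illustrative code written for this page, not InSiteEVM or FedCIRC code.
The scanner export, products, versions and patch IDs are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed scanner export. Assumed format: host,product,version.
SCAN_EXPORT = """host,product,version
web01,ExampleHTTPD,2.0.44
web02,ExampleHTTPD,2.0.48
mail01,ExampleMTA,8.12.8
db01,ExampleDB,7.3.2
"""


@dataclass(frozen=True)
class Advisory:
    patch_id: str      # hypothetical identifier, not a real advisory
    product: str
    fixed_in: str      # first version that contains the fix
    validated: bool    # True once the lab has checked the patch


def parse_version(version):
    """Turn '2.0.44' into (2, 0, 44) so comparisons are numeric, not lexical
    ('2.0.9' < '2.0.10' must hold). Assumes dotted integer versions."""
    return tuple(int(part) for part in version.split("."))


def load_profile(export_text):
    """Build {product: [(host, version), ...]} from a scanner CSV export,
    the role the article gives to importing scanner data into a profile."""
    profile = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        profile.setdefault(row["product"], []).append((row["host"], row["version"]))
    return profile


def applicable_patches(profile, advisories):
    """Return (patch_id, host) pairs worth alerting on: one per installed
    instance whose version is older than the fixed version. Patches that
    have not yet been validated are held back, so administrators are only
    told about fixes after the validation step."""
    notices = []
    for adv in advisories:
        if not adv.validated:
            continue
        for host, version in profile.get(adv.product, []):
            if parse_version(version) < parse_version(adv.fixed_in):
                notices.append((adv.patch_id, host))
    return notices


# Constructed advisories with hypothetical IDs.
ADVISORIES = [
    Advisory("EX-2003-001", "ExampleHTTPD", "2.0.45", validated=True),
    Advisory("EX-2003-002", "ExampleMTA", "8.12.9", validated=True),
    Advisory("EX-2003-003", "ExampleDB", "7.3.3", validated=False),  # not yet validated
    Advisory("EX-2003-004", "OtherProduct", "1.0", validated=True),  # not installed anywhere
]


if __name__ == "__main__":
    for patch_id, host in applicable_patches(load_profile(SCAN_EXPORT), ADVISORIES):
        print(f"{host}: apply {patch_id}")
```

Of the four constructed advisories, only two produce a notice: web02 already runs a fixed version, the database patch is withheld until validated, and the fourth product is not in the inventory at all. In practice the version parser is the weak point; vendor version strings are rarely as uniform as the dotted integers assumed here, and a product that a scanner cannot fingerprint never enters the profile, which is why the article notes the profile cannot be built from scanner output alone.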

About the Author

William Jackson is a Maryland-based freelance writer.
