FedCIRC prepares to launch new security patch service
- By William Jackson
- Jan 16, 2003
The Federal Computer Incident Response Center introduced systems and security administrators to its new patch distribution service today. Two administration officials recommended that agencies take advantage of the offering.
'It is critical for federal users to upload patches in a timely manner,' said Mark Forman, associate director for IT and e-government at the Office of Management and Budget. Forman said the Patch Authentication and Dissemination Capability could help agencies meet requirements of the Federal Information Security Management Act.
Presidential adviser Richard Clarke said outsourced services such as PADC were critical to bringing federal IT security up to acceptable standards. 'The places that do it best outsource,' he said.
The General Services Administration's FedCIRC is offering PADC as a free service to civilian agencies. SecureInfo Corp. of San Antonio and Veridian Corp. of Arlington, Va., developed it under a $10.8 million, five-year task order. It is expected go online next week.
Agencies with accounts will enter hardware and software profiles of their systems and be told what security vulnerabilities they face and what patches or other fixes they will need to correct them. Users also will be alerted to new vulnerabilities that could affect their systems. Patches will be validated and tested by Veridian, then digitally signed and stored on a secure server by SecureInfo.
Users will access the service through the Web at padc.fedcirc.gov and download patches from the secure server. If a maintenance contract with a vendor is required to receive the patch, PADC will provide a validated link to the vendor's Web site after testing the patch.
PADC also will generate reports and let administrators check the status of patches and vulnerabilities on each system. The goal is to simplify patch management by providing administrators only with information relevant to their IT systems and ensuring that patches are genuine and effective.
Clarke said PADC is a good first step toward improving government IT security and that he hoped to see more managed services offered.
'The federal government has to get more comfortable with outsourcing,' he said. Administrators are reluctant to turn security functions over to outsiders. 'Get over it. Every major company in the country is turning its security over in some manner to managed security services.'
William Jackson is a Maryland-based freelance writer.