PADC shortcomings hinder free patch service

Limits on capabilities and available licenses have kept federal agencies from using the free Patch Authentication and Dissemination Capability offered by the Federal Computer Incident Response Center, according to the General Accounting Office.

'PADC is but one of a variety of available services and automated tools, and does not include important features that are available in other services and products,' said Robert F. Dacey, GAO's director of information security.

Dacey's comments came in response to inquiries from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Subcommittee members last month raised questions about why government computers remain vulnerable to worms and viruses.

PADC tests and validates vendors' security patches, notifies government subscribers of the patches and provides a secure link for downloading them. Although 47 agencies have subscribed to the service, the Office of Management and Budget has said actual use is low.

'FedCIRC officials have acknowledged limitations to the PADC service,' Dacey said in a written reply to the subcommittee. Because of budget constraints, only 2,000 accounts are available governmentwide, and FedCIRC cannot offer many agencies enough subscriptions to serve their full needs.

In addition, PADC makes only relevant patches securely available. Commercial patch management tools and services can deploy patches across networks and verify that they have been successfully installed.

'Because of PADC's limitations, an official from one agency told us that his agency has decided not to subscribe to the free service and instead use other methods and tools to perform patch management,' Dacey wrote.

FedCIRC's parent, the Homeland Security Department, is considering expanding PADC's capabilities and the number of subscriptions available. Until that happens, use of PADC probably should not be required, Dacey said.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected