PADC shortcomings hinder free patch service
- By William Jackson
- Oct 24, 2003
Limits on capabilities and available licenses have kept federal agencies from using the free Patch Authentication and Dissemination Capability offered by the Federal Computer Incident Response Center, according to the General Accounting Office.
'PADC is but one of a variety of available services and automated tools, and does not include important features that are available in other services and products,' said Robert F. Dacey, GAO's director of information security.
Dacey's comments came in response to inquiries from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
Subcommittee members last month raised questions about why government computers remain vulnerable to worms and viruses.
PADC tests and validates vendors' security patches, notifies government subscribers of the patches and provides a secure link for downloading them. Although 47 agencies have subscribed to the service, the Office of Management and Budget has said actual use is low.
'FedCIRC officials have acknowledged limitations to the PADC service,' Dacey said in a written reply to the subcommittee. Because of budget constraints, only 2,000 accounts are available governmentwide, and FedCIRC cannot offer many agencies enough subscriptions to serve their full needs.
In addition, PADC makes only relevant patches securely available. Commercial patch management tools and services can deploy patches across networks and verify that they have been successfully installed.
'Because of PADC's limitations, an official from one agency told us that his agency has decided not to subscribe to the free service and instead use other methods and tools to perform patch management,' Dacey wrote.
FedCIRC's parent, the Homeland Security Department, is considering expanding PADC's capabilities and the number of subscriptions available. Until that happens, use of PADC probably should not be required, Dacey said.
William Jackson is a Maryland-based freelance writer.