In The News

Microsoft and NIST Team Up on Patching Guide

Microsoft lead cybersecurity architect, Mark Simon, explained that the firm had first worked closely with partners from the Center for Internet Security, Department of Homeland Security (DHS) and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), as well as visiting several customers.

Two common challenges emerging from discussions with the latter revolved around testing of patches and confusion over how quickly they should be implemented.

“This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” Simon explained.

“This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE [National Cybersecurity Center of Excellence] in collaboration with other industry vendors. This project — kicking off soon — will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.”