NCCoE Releases Enterprise Patch Management Guidance
The National Cybersecurity Center of Excellence has released two new final publications on enterprise patch management. Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do to achieve their missions. However, there is often a divide between an organization’s business/mission owners and security/technology management about the value and timeliness of patching.

NIST Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, recommends that leadership at all levels of an organization, together with business/mission owners and security/technology management teams, jointly create an enterprise strategy that simplifies and operationalizes patching while also increasing the amount of risk it reduces. SP 800-40 Revision 4 replaces SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, which was released in 2013.

NIST SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, builds upon the work in SP 800-40 Revisions 3 and 4 to provide more detailed guidance. It describes an example solution that demonstrates how tools can be used to implement the patching capabilities described in SP 800-40 Revision 4. It shows how organizations can use commercial tools in both routine and emergency patching situations, and how they can implement temporary alternatives when a patch cannot be applied right away.

Both documents reflect the importance of timely patching to an organization's ability to maintain a robust cybersecurity posture.