Critical Cybersecurity Hygiene: Patching the Enterprise

Download the Preliminary Draft

The comment period has closed for the preliminary draft version of 1800-31A, Improving Enterprise Patching for General IT Systems.  

Download the PDF »

Current Status

The public comment period has closed for SP 1800-31A: Executive Summary (PDF) of preliminary draft practice guide, Improving Enterprise Patching for General IT Systems. Thank you to everyone who shared their feedback with us. We are currently reviewing the comments received as work continues on the implementation of the demonstration and development of other sections of the publication.

Download the final Critical Cybersecurity Hygiene: Patching the Enterprise  project description for more information or read the two-page fact sheet for an overview. 

If you have questions or would like to join our Community of Interest to receive updates about this project, please send an email to



There are a few root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices can address those root causes—preventing many incidents from occurring and lowering the potential impact of incidents that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause.

Unfortunately, security hygiene is easier said than done. IT professionals have known for decades that patching software—operating systems and applications—eliminates vulnerabilities. Despite widespread recognition that patching is effective, it's also  resource-intensive. And the act of patching itself can reduce system and service availability. However, delaying patching deployments gives attackers a larger window of opportunity.

The Critical Cybersecurity Hygiene: Patching the Enterprise Project will examine how commercial and open source tools can aid with the most challenging aspects of patching general IT systems. We are using commercial and open source tools to aid with the most challenging aspects, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. We will include actionable, prescriptive guidance on establishing policies and processes for the entire patching lifecycle to include defining roles and responsibilities for all affected personnel and establishing a playbook containing mitigation actions for destructive malware outbreaks.

This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

If you have any questions or suggestions, please email the project team at

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

ForeScout logo
IBM logo
Microsoft logo
Saltstack logo