Critical Cybersecurity Hygiene: Patching the Enterprise

Current Status

This project is currently in the build phase. We have selected several technology collaborators who have signed a Cooperative Research and Development Agreement (CRADA) with NIST.

Download the Critical Cybersecurity Hygiene: Patching the Enterprise Project Description for more information on the project, or read the two-page fact sheet for an overview.

Questions? Please send an email to cyberhygiene@nist.gov


Summary

There are a few root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices can address those root causes—preventing many incidents from occurring and lowering the potential impact of incidents that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause.

Unfortunately, security hygiene is easier said than done. IT professionals have known for decades that patching software—operating systems and applications—eliminates known vulnerabilities. Despite widespread recognition that patching is effective, it is also resource-intensive, and the act of patching itself can reduce system and service availability. However, delaying patch deployment gives attackers a larger window of opportunity.

The Critical Cybersecurity Hygiene: Patching the Enterprise Project will examine how commercial and open source tools can aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. We will include actionable, prescriptive guidance on establishing policies and processes for the entire patching lifecycle, including defining roles and responsibilities for all affected personnel and establishing a playbook containing mitigation actions for destructive malware outbreaks.

This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

If you have any questions or suggestions, please email the project team at cyberhygiene@nist.gov.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Cisco
ForeScout
Foxguard Solutions
Microsoft
SaltStack