Critical Cybersecurity Hygiene: Patching the Enterprise

Current Status

This project is currently seeking technology vendors to participate in the development of an example solution. Please see our Federal Register notice for more information. If you as a technology vendor are interested in providing products and technical expertise as a collaborator on the reference design for this project, please send an email to requesting a Letter of Interest template.

Download the Critical Cybersecurity Hygiene: Patching the Enterprise Project Description for more information on the project.


Many data breaches, malware infections, and other security incidents stem from a relatively small number of root causes. Implementing a few relatively simple practices can address those root causes to prevent many incidents from occurring and to lower the potential impact of incidents that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause.

Unfortunately, security hygiene is easier said than done. Even though there is widespread recognition that patching software—operating systems, applications, and the like—can be incredibly effective at mitigating security risk, patching is often resource-intensive, and the act of patching itself can reduce system and service availability. Attempts to expedite patch distribution, such as not testing patches before production deployment, can inadvertently break system functionality and disrupt operations. On the other hand, delays in patch deployment create a larger window of opportunity for attackers.

The Critical Cybersecurity Hygiene: Patching the Enterprise Project will examine how commercial and open source tools can be used to aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle.

Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

If you have any questions or suggestions, please email the project team at