Critical Cybersecurity Hygiene: Patching the Enterprise

Download the Preliminary Draft

The NCCoE has released the preliminary draft version of SP 1800-31A, Improving Enterprise Patching for General IT Systems.


Current Status

The National Cybersecurity Center of Excellence is following an experimental agile process: each volume of the preliminary draft practice guide, Improving Enterprise Patching for General IT Systems, is released for public comment as soon as it is ready, while work continues on the demonstration implementation and on the remaining sections of the publication.

The following volume is available now for comment through Friday, October 9, 2020.

  • SP 1800-31A: Executive Summary (PDF)


Download the final Critical Cybersecurity Hygiene: Patching the Enterprise project description for more information on the project, or read the two-page fact sheet for an overview.

Questions? Please send an email to



There are a few root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices can address those root causes—preventing many incidents from occurring and lowering the potential impact of incidents that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause.

Unfortunately, security hygiene is easier said than done. IT professionals have known for decades that patching software, both operating systems and applications, closes known vulnerabilities. Despite widespread recognition that patching is effective, it is also resource-intensive, and the act of patching itself (reboots, service restarts, regressions) can reduce system and service availability. Delaying patch deployment, however, gives attackers a larger window of opportunity to exploit vulnerabilities that are already public.

The Critical Cybersecurity Hygiene: Patching the Enterprise project examines how commercial and open source tools can aid with the most challenging aspects of patching general IT systems: system characterization and prioritization, patch testing, and patch implementation tracking and verification. The project will also include actionable, prescriptive guidance on establishing policies and processes for the entire patching lifecycle, including defining roles and responsibilities for all affected personnel and establishing a playbook of mitigation actions for destructive malware outbreaks.

This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

If you have any questions or suggestions, please email the project team at

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

  • ForeScout
  • Microsoft
  • SaltStack