Critical Cybersecurity Hygiene: Patching the Enterprise

There are a few root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices can address those root causes—preventing many incidents from occurring and lowering the potential impact of incidents that still occur.

This project supports organizations in measuring and assessing the effectiveness and timeliness of their patching efforts.

The Critical Cybersecurity Hygiene: Patching the Enterprise project examines how commercial and open source tools can aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. The solution also demonstrates recommended security practices for patch management systems themselves.
Status: Finalized Practice Guide

Publications:

- NIST SP 1800-31: Complete Guide (PDF)
- NIST SP 1800-31: Complete Guide (HTML)
- NIST SP 1800-31A: Executive Summary
- NIST SP 1800-31B: Security Risks and Capabilities

NIST SP 1800-31 describes an example solution that demonstrates how tools can be used to implement the patching capabilities described in NIST SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology.

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

Project Abstract

Despite widespread recognition that patching is effective and that attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that patching can be resource-intensive and that the act of patching can reduce system and service availability. Many organizations also struggle to prioritize patches, to test patches before deployment, and to adhere to policies governing how quickly patches must be applied in different situations. To address these challenges, the NCCoE collaborated with cybersecurity technology providers to develop an example solution. This NIST Cybersecurity Practice Guide explains how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as to implement temporary mitigations, isolation methods, or other alternatives to patching. It also explains recommended security practices for patch management systems themselves.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 