Critical Cybersecurity Hygiene: Patching the Enterprise

There are a few root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices can address those root causes—preventing many incidents from occurring and lowering the potential impact of incidents that still occur.

This project supports organizations in measuring and assessing the effectiveness and timeliness of their patching efforts.

The Critical Cybersecurity Hygiene: Patching the Enterprise project examines how commercial and open source tools can aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. To address these challenges, the NCCoE is collaborating with cybersecurity technology providers to develop an example solution. It will demonstrate how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as to implement workarounds, isolation methods, or other alternatives to patching. The solution will also demonstrate recommended security practices for patch management systems themselves.
Status: Soliciting Comments

The public comment period for this draft Practice Guide is now open until January 10, 2022.

Draft documents:
NIST SP 1800-31A: Executive Summary
NIST SP 1800-31B: Security Risks and Capabilities

Project Abstract

Cyber hygiene describes recommended mitigations for the small number of root causes responsible for many cybersecurity incidents. Implementing a few simple practices can address these common root causes.   

Patching is a particularly important component of cyber hygiene, but existing tools and processes are frequently insufficient to rapidly mitigate this risk in many environments and situations.   

The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and patch implementation tracking and verification.   

These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle, in the form of a freely available NIST Cybersecurity Practice Guide.  
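As an added illustration of the patch implementation tracking and timeliness measurement the abstract describes (example code written for this page, not part of the NCCoE project or NIST SP 1800-31; the inventory records, hostnames, patch identifiers, reporting date and SLA windows are constructed placeholders):

```python
"""Patch-timeliness metrics over a constructed patch inventory.

Added example, not NCCoE/NIST code. Assumes each inventory record carries
the vendor release date of a patch and the date it was verified as applied
on a host (None if still outstanding). The SLA windows are assumed
placeholders, not values taken from the practice guide.
"""
from datetime import date
from typing import NamedTuple, Optional


class PatchRecord(NamedTuple):
    host: str
    patch_id: str
    severity: str              # "critical" | "high" | "medium"
    released: date             # vendor release date
    applied: Optional[date]    # None => not yet applied / not verified


# Assumed remediation windows in days per severity (placeholders).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed sample inventory: hostnames and patch ids are invented.
INVENTORY = [
    PatchRecord("web-01", "PATCH-EXAMPLE-1", "critical", date(2021, 11, 1), date(2021, 11, 10)),
    PatchRecord("web-02", "PATCH-EXAMPLE-1", "critical", date(2021, 11, 1), date(2021, 11, 20)),
    PatchRecord("db-01", "PATCH-EXAMPLE-1", "critical", date(2021, 11, 1), None),
    PatchRecord("db-01", "PATCH-EXAMPLE-2", "high", date(2021, 11, 15), date(2021, 12, 1)),
    PatchRecord("app-01", "PATCH-EXAMPLE-3", "medium", date(2021, 10, 1), None),
]
AS_OF = date(2021, 12, 15)   # constructed reporting date


def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Days from release to application, or to the reporting date if still open."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def within_sla(rec: PatchRecord, as_of: date) -> bool:
    """True only if the patch was verified applied inside its severity window."""
    return rec.applied is not None and days_to_patch(rec, as_of) <= SLA_DAYS[rec.severity]


def sla_compliance(inventory, as_of: date) -> dict:
    """Per-severity share of records applied within SLA, as a fraction 0.0..1.0."""
    totals, met = {}, {}
    for rec in inventory:
        totals[rec.severity] = totals.get(rec.severity, 0) + 1
        met[rec.severity] = met.get(rec.severity, 0) + int(within_sla(rec, as_of))
    return {sev: met[sev] / totals[sev] for sev in totals}


def overdue(inventory, as_of: date) -> list:
    """(host, patch_id) pairs still unpatched after their window has expired."""
    return sorted((r.host, r.patch_id) for r in inventory
                  if r.applied is None and days_to_patch(r, as_of) > SLA_DAYS[r.severity])
```

Late-but-applied records (such as web-02 above) lower the compliance ratio without appearing in the overdue list, which is the distinction an emergency-patching report needs.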


Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.

Request to Join