Top Threats

NIST - Final Publications on Enterprise Patch Management Released

  • 1.  NIST - Final Publications on Enterprise Patch Management Released

    Posted Apr 06, 2022 08:58:00 AM
    Hi All,

    The National Cybersecurity Center of Excellence (NCCoE) has released two new final publications: Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, and SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways. Both documents reflect the importance of timely patching to organizations maintaining a robust cybersecurity posture.

    Patching is a critical component of preventive maintenance for computing technologies, a cost of doing business and a necessary part of what organizations need to do in order to achieve their missions. It helps prevent compromises, data breaches, operational disruptions, and other adverse events. However, there is often a divide between an organization's business/mission owners and security/technology management about the value and timeliness of patching.

    SP 800-40 Revision 4 recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and operationalizes patching while also improving its reduction of risk. SP 800-40 Revision 4 replaces SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, which was released in 2013.

    SP 1800-31 builds upon the work in SP 800-40 Revisions 3 and 4 to provide more detailed guidance. It describes an example solution that demonstrates how tools can be used to implement the patching capabilities described in SP 800-40 Revision 4. It shows how organizations can use commercial tools for routine and emergency patching situations, as well as implement temporary alternatives to patching.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------