Thursday, November 18, 2021

NCCoE Releases Draft Publications on Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has released two new draft publications: Special Publication (SP) 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, and SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology.

Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions. However, keeping software up to date with patches remains a problem for most organizations.

Draft SP 800-40 Revision 4 makes recommendations for creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, which was released in 2013.

Draft SP 1800-31 describes an example solution that demonstrates how tools can be used to implement the inventory and patching capabilities organizations need for routine and emergency patching situations, as well as to implement workarounds and other alternatives to patching.

We Want to Hear from You!

Review the draft publications and submit comments online on or before January 10, 2022. You can also contact us at cyberhygiene@nist.gov. We value and welcome your input and look forward to your comments.