NCCoE Releases Draft Publications on Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has
released two new draft publications: Special Publication (SP) 1800-31,
Improving Enterprise Patching for General IT Systems: Utilizing
Existing Tools and Performing Processes in Better Ways,
and SP 800-40 Revision 4, Guide to Enterprise Patch Management
Planning: Preventive Maintenance for Technology.

Patching is a critical component of preventive maintenance for
computing technologies—a cost of doing business, and a necessary part of what
organizations need to do in order to achieve their missions. However, keeping
software up-to-date with patches remains a problem for most organizations.

Draft SP 800-40 Revision 4 makes recommendations for creating an
enterprise strategy to simplify and operationalize patching while also
improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40
Revision 3, Guide to Enterprise Patch Management Technologies, which was
released in 2013.

Draft SP 1800-31 describes an example solution that demonstrates
how tools can be used to implement the inventory and patching capabilities
organizations need for routine and emergency patching situations, as well as
implementing workarounds and other alternatives to patching.

We Want to Hear from You!

Review the draft publications and submit comments online on or
before January 10, 2022. You can also contact us at cyberhygiene@nist.gov. We value and welcome
your input and look forward to your comments.