United States General Accounting Office Washington, DC 20548 October 17, 2003 The Honorable Adam H. Putnam Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census Committee on Government Reform House of Representatives Subject: Posthearing Questions from the September 10, 2003, Hearing on Worm and Virus Defense: How Can We Protect Our Nation’s Computers From These Serious Threats? As requested in your letter of September 15, 2003, this letter provides our responses to your questions for the record. At the subject hearing, we discussed effective patch management practices for mitigating the risks to critical information systems posed by exploits of 1 vulnerabilities in widely used commercial software products. We specifically discussed the Department of Homeland Security’s (DHS) Patch Authentication and Dissemination Capability (PADC). PADC is a service offered by DHS’s Federal Computer Incident Response Center (FedCIRC) that provides federal agencies with information on trusted, authenticated patches for their specific technologies without charge. Your questions, along with our responses, follow. 1. According to your testimony, FedCIRC offers a free service for agencies that offers validated, tested patches, but agencies are not utilizing this service. Why do you think utilization is so low? Should OMB require that all agencies use PADC? The Director of FedCIRC reported that as of September 10, 2003, 47 agencies subscribed to PADC. However, the Office of Management and Budget (OMB) has reported that while many agencies have established PADC accounts, actual usage of these accounts is extremely low. Because we have not reviewed subscribing agencies’ utilization of the PADC service, we cannot determine the extent to which it is being utilized. Nevertheless, FedCIRC officials have acknowledged limitations to the PADC service, specifically regarding the number of subscriber accounts and the level of services currently provided. Due to monetary constraints, only about 2,000 accounts are available throughout the federal government. According to officials from agencies with whom we spoke regarding their potential subscription to the PADC service, the number of accounts that FedCIRC can offer them is not adequate to serve their entire agency. Moreover, other patch management tools and services are available that offer greater capabilities and functionality, including tools that are designed to be stand-alone patch management systems, that can deploy patches across agency networks, and that can verify that patches have been successfully installed. 1 U.S. General Accounting Office, Information Security: Effective Patch Management is Critical to Mitigating Software Vulnerabilities, GAO-03-1138T (Washington, D.C.: September 10, 2003). Page 1 GAO-04-173R Posthearing Questions on Patch Management Because of PADC’s limitations, an official from one of the agencies with whom we discussed PADC told us that his agency has decided not to subscribe to the free service and, instead, use other methods and tools to perform patch management. As mentioned in our testimony, DHS is considering broadening the scope of PADC’s capabilities and increasing the number of user accounts. To comply with the Federal Information Security Management Act (FISMA), OMB requires that each agency develop specific system configuration requirements that meet its own needs and ensure compliance with them. This provision encompasses traditional system configuration management, employing clearly defined system security settings, and maintaining up-to-date patches. OMB further states that simply establishing such configuration requirements is not enough; adequate ongoing monitoring and maintenance must also be implemented. As discussed above, PADC is but one of a variety of available services and automated tools, and does not include important features that are available in other services and products. Agencies should examine these tools and services and implement the most cost-effective solution available for their computing environment. In considering whether to require agencies to use the PADC service, OMB should weigh the costs against potential benefits, considering the possible changes in PADC scope and user base discussed above. 2. We know from the hearing on the 2002 GISRA report that most agencies do not have a complete inventory of their systems. In the absence of a complete inventory, is it possible to have effective patch management? Without a complete inventory of systems, it is very difficult to implement effective patch management agencywide. In our testimony we specifically identified the practice of creating and maintaining a current inventory of all hardware equipment, software packages, services, and other technologies installed and used by an organization as an essential element of patch management. A systems inventory assists in determining the number of systems that are vulnerable and require remediation, in locating the systems and identifying their owners, and in prioritizing systems to be patched based on a risk assessment. The National Institute of Standards and Technology’s (NIST) Special Publication 800-40, Procedures for Handling Security Patches, also identifies a systems inventory requirement as a key priority for effective patch management. According to NIST, it is important for the inventory to include hardware, operating systems, and major applications. Systems administrators may be able to keep patches up to date on their individual systems without an agencywide inventory, but this option may be riskier, less consistent, and more expensive. 3. Several panelists suggested that the federal government should have security acceptance testing for software prior to purchasing. What are your thoughts on this idea? As part of the acquisition decision process, agencies should test software to ensure that it meets their security requirements before purchasing it. OMB requires agencies to use a certification and accreditation process to ensure that a new system meets a set of specified security requirements before it is deployed. Moreover, NIST’s Special Publication 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, includes guidance advising agencies of the benefits of testing Page 2 GAO-04-173R Posthearing Questions on Patch Management commercial products against customer-, government-, or vendor-developed specifications. Typically these specifications include security requirements. We are sending copies of this letter to DHS and other interested parties. Should you have any questions on matters discussed in this letter, please contact me at (202) 512-3317. I can also be reached by e-mail at email@example.com. Sincerely yours, Robert F. Dacey Director, Information Security Issues (310515) Page 3 GAO-04-173R Posthearing Questions on Patch Management
Posthearing Questions from the September 10, 2003, Hearing on Worm and Virus Defense: How Can We Protect Our Nation's Computers From These Serious Threats?
Published by the Government Accountability Office on 2003-10-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)