Summary

Pursuant to a request from the Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform, GAO responded to posthearing questions. At the subject hearing, GAO discussed effective patch management practices for mitigating the risks to critical information systems posed by exploits of vulnerabilities in widely used commercial software products. GAO specifically discussed the Department of Homeland Security's (DHS) Patch Authentication and Dissemination Capability (PADC). PADC is a service offered by DHS's Federal Computer Incident Response Center (FedCIRC) that provides federal agencies with information on trusted, authenticated patches for their specific technologies without charge.

The Director of FedCIRC reported that as of September 10,2003, 47 agencies subscribed to PADC. However, the Office of Management and Budget (OMB) has reported that while many agencies have established PADC accounts, actual usage of these accounts is extremely low. Because we have not reviewed subscribing agencies' utilization of the PADC service, we cannot determine the extent to which it is being utilized. According to officials from agencies with whom we spoke regarding their potential subscription to the PADC service, the number of accounts that FedCIRC can offer them is not adequate to serve their entire agency. Moreover, other patch management tools and services are available that offer greater capabilities and functionality. DHS is considering broadening the scope of PADC's capabilities and increasing the number of user accounts. To comply with the Federal Information Security Management Act, OMB requires that each agency develop specific system configuration requirements that meet its own needs and ensure compliance with them. OMB further states that simply establishing such configuration requirements is not enough; adequate ongoing monitoring and maintenance must also be implemented. In considering whether to require agencies to use the PADC service, OMB should weigh the costs against potential benefits, considering the possible changes in PADC scope and user base discussed above. Without a complete inventory of systems, it is very difficult to implement effective patch management agencywide. A systems inventory assists in determining the number of systems that are vulnerable and require remediation, in locating the systems and identifying their owners, and in prioritizing systems to be patched based on a risk assessment. As part of the acquisition decision process, agencies should test software to ensure that it meets their security requirements before purchasing it. OMB requires agencies to use a certification and accreditation process to ensure that a new system meets a set of specified security requirements before it is deployed.