What is Enterprise Patch Management (a.k.a. the application of software security updates according to NIST SP 800-40r4)?

The National Institute of Standards and Technology (NIST) just released Special Publication 800-40r4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. This document was last updated in July 2013, so the current April 2022 revision represents NIST's state-of-the-art recommendations. Below are sections pulled directly from the executive summary of that document, with the more salient points highlighted in red, each followed by some commentary.

Executive Summary
Software used for computing technologies must be maintained because there are many in the world who continuously search for and exploit flaws in software. Software maintenance includes patching, which is the act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities. Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. In past perimeter-based security architectures, most software was operated on internal networks protected by several layers of network security controls. While patching was generally considered important for reducing the likelihood of compromise and was a common compliance requirement, patching was not always considered a priority. In today’s environments, patching has become more important, often rising to the level of mission criticality. As part of a zero-trust approach to security, it is now recognized that the perimeter largely does not exist anymore, and most technologies are directly exposed to the internet, putting systems at significantly greater risk of compromise. This dynamic applies across all computing technologies, whether they are information technology (IT), operational technology (OT), Internet of Things (IoT), mobile, cloud, virtual machine, container, or other types of assets.

Patching for security updates is more important than ever. Security must be practiced in layers, as there is no one technique or product that serves as the silver bullet for IT security management. People are always looking for that security silver bullet, the one product or practice they can follow to secure their systems and end all the other laborious activities they must do, so they can rest easy. Any notion of being able to do that in today’s computing environment is a fool’s notion.

Zero trust architectures emphasize business asset-specific security over just protecting a network with assets on it, so patching is vital for reducing risk to those individual assets and determining the assets’ trust status. There is often a divide between business/mission owners and security/technology management. Business/mission owners may believe that patching negatively affects productivity, since it requires scheduled downtime for maintenance and introduces the risk of additional downtime if something goes wrong and disrupts operations. Leadership and business/mission owners should reconsider the priority of enterprise patch management in light of today’s risks. Patching should be considered a standard cost of doing business and should be rigorously followed and tracked. Just as preventive maintenance on corporate fleet vehicles can help avoid costly breakdowns, patching should be viewed as a normal and necessary part of reliably achieving the organization’s missions.

The analogy to maintaining corporate fleet vehicles is a good one. Applying software patches, a.k.a. security updates, is a vital process in managing IT security, given the frequent exploitation of software flaws by ransomware operators and other criminals. From the perspective of a company that provides this service to other companies, the friction to patching in organizations is not so much the downtime or the cost (although that is part of it). The main source of friction is the operational maturity of IT security management: knowing how best to do patching, having the right technical staff on hand (including after hours), and the discipline to patch on a regular schedule when other corporate initiatives are demanding IT staff resources.

If an organization needs a particular technology to support its mission, it also needs to maintain that technology throughout its life cycle – and that includes patching. Leadership at all levels of the organization, business/mission owners, and security/technology management teams should jointly create an enterprise patch management strategy that simplifies and operationalizes patching while also improving its reduction of risk. This will strengthen organizational resiliency to active threats and minimize business and mission impacts. This publication provides recommendations for enterprise patch management planning.

Yes, management at all levels—from the executive boardroom to the head of IT/security—needs to be aligned on managing IT security within the company on a timely basis. If they are not working in unison on applying software security updates and managing vulnerabilities, the result will eventually be a cybersecurity incident. Managing security is a difficult, time-consuming and expensive process. It is also not perfect, and mistakes will be made, but constantly striving for improved operational maturity is a must.

Read the full report and recommendations HERE.