Microsoft and NCCoE Collaboration on Creating Guidelines for Using a Reliable Enterprise Patch Management Strategy

The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) and Microsoft launched a new project to create guidance on the development and implementation of an effective patch management strategy.

After the (Not)Petya wiper attacks of 2017, Microsoft set out to understand why companies had failed at basic cybersecurity hygiene and had not patched their systems, even though the patches had been available for months before the attack and might have protected them.

Over the last 12 months, Microsoft sought input on the threat of exploitation and on patch management practices from the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security, and the Center for Internet Security. Microsoft also talked with customers to learn about the difficulties they encountered when deploying patches, and specifically why patching is frequently overdue and why, in some cases, patches are never applied at all.

These meetings revealed that many companies were uncertain about what they should be doing when it comes to patch testing. In some cases, patch testing appeared to consist of nothing more than asking on web forums whether anyone had run into problems with the released patches. Many customers were also unsure how quickly patches should be applied.

These findings persuaded Microsoft to partner with NCCoE on an enterprise patch management approach that helps businesses plan and implement an effective patching strategy. The purpose of the project is to develop industry guidance and standards that help businesses improve their patch management procedures.

The project is just getting started and will involve developing standard patch management architectures and procedures. Relevant vendors will help by developing and validating implementation guidance in the NCCoE lab, and the project will ultimately produce a new NIST Special Publication 1800 practice guide on patch management.

Vendors offering technologies relevant to patch management, such as scanning, reporting, risk measurement and deployment, have been invited to take part. Individuals and organizations willing to share patch management best practices and the lessons they have learned are also encouraged to get involved.

Any vendor, organization, or individual who would like to take part can contact the project team at cyberhygiene@nist.gov.