Posthearing Questions from the September 10, 2003, Hearing on Worm and Virus Defense
How Can We Protect Our Nation's Computers From These Serious Threats?
Gao ID: GAO-04-173R October 17, 2003
Pursuant to a request from the Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform, GAO responded to posthearing questions. At the subject hearing, GAO discussed effective patch management practices for mitigating the risks to critical information systems posed by exploits of vulnerabilities in widely used commercial software products. GAO specifically discussed the Department of Homeland Security's (DHS) Patch Authentication and Dissemination Capability (PADC). PADC is a service offered by DHS's Federal Computer Incident Response Center (FedCIRC) that provides federal agencies with information on trusted, authenticated patches for their specific technologies without charge.
The Director of FedCIRC reported that as of September 10,2003, 47 agencies subscribed to PADC. However, the Office of Management and Budget (OMB) has reported that while many agencies have established PADC accounts, actual usage of these accounts is extremely low. Because we have not reviewed subscribing agencies' utilization of the PADC service, we cannot determine the extent to which it is being utilized. According to officials from agencies with whom we spoke regarding their potential subscription to the PADC service, the number of accounts that FedCIRC can offer them is not adequate to serve their entire agency. Moreover, other patch management tools and services are available that offer greater capabilities and functionality. DHS is considering broadening the scope of PADC's capabilities and increasing the number of user accounts. To comply with the Federal Information Security Management Act, OMB requires that each agency develop specific system configuration requirements that meet its own needs and ensure compliance with them. OMB further states that simply establishing such configuration requirements is not enough; adequate ongoing monitoring and maintenance must also be implemented. In considering whether to require agencies to use the PADC service, OMB should weigh the costs against potential benefits, considering the possible changes in PADC scope and user base discussed above. Without a complete inventory of systems, it is very difficult to implement effective patch management agencywide. A systems inventory assists in determining the number of systems that are vulnerable and require remediation, in locating the systems and identifying their owners, and in prioritizing systems to be patched based on a risk assessment. As part of the acquisition decision process, agencies should test software to ensure that it meets their security requirements before purchasing it. OMB requires agencies to use a certification and accreditation process to ensure that a new system meets a set of specified security requirements before it is deployed.
GAO-04-173R, Posthearing Questions from the September 10, 2003, Hearing on Worm and Virus Defense: How Can We Protect Our Nation's Computers From These Serious Threats?
This is the accessible text file for GAO report number GAO-04-173R
entitled 'Posthearing Questions from the September 10, 2003, Hearing on
Worm and Virus Defense: How Can We Protect Our Nation's Computers From
These Serious Threats?' which was released on October 17, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
October 17, 2003:
The Honorable Adam H. Putnam:
Chairman, Subcommittee on Technology, Information
Policy, Intergovernmental Relations, and the Census:
Committee on Government Reform:
House of Representatives:
Subject: Posthearing Questions from the September 10, 2003, Hearing on
Worm and Virus Defense: How Can We Protect Our Nation's Computers From
These Serious Threats?
As requested in your letter of September 15, 2003, this letter provides
our responses to your questions for the record. At the subject hearing,
we discussed effective patch management practices for mitigating the
risks to critical information systems posed by exploits of
vulnerabilities in widely used commercial software products.[Footnote
1] We specifically discussed the Department of Homeland Security's
(DHS) Patch Authentication and Dissemination Capability (PADC). PADC is
a service offered by DHS's Federal Computer Incident Response Center
(FedCIRC) that provides federal agencies with information on trusted,
authenticated patches for their specific technologies without charge.
Your questions, along with our responses, follow.
1. According to your testimony, FedCIRC offers a free service for
agencies that offers validated, tested patches, but agencies are not
utilizing this service. Why do you think utilization is so low? Should
OMB require that all agencies use PADC?
The Director of FedCIRC reported that as of September 10, 2003, 47
agencies subscribed to PADC. However, the Office of Management and
Budget (OMB) has reported that while many agencies have established
PADC accounts, actual usage of these accounts is extremely low. Because
we have not reviewed subscribing agencies' utilization of the PADC
service, we cannot determine the extent to which it is being utilized.
Nevertheless, FedCIRC officials have acknowledged limitations to the
PADC service, specifically regarding the number of subscriber accounts
and the level of services currently provided. Due to monetary
constraints, only about 2,000 accounts are available throughout the
federal government. According to officials from agencies with whom we
spoke regarding their potential subscription to the PADC service, the
number of accounts that FedCIRC can offer them is not adequate to serve
their entire agency. Moreover, other patch management tools and
services are available that offer greater capabilities and
functionality, including tools that are designed to be stand-alone
patch management systems, that can deploy patches across agency
networks, and that can verify that patches have been successfully
installed. Because of PADC's limitations, an official from one of the
agencies with whom we discussed PADC told us that his agency has
decided not to subscribe to the free service and, instead, use other
methods and tools to perform patch management. As mentioned in our
testimony, DHS is considering broadening the scope of PADC's
capabilities and increasing the number of user accounts.
To comply with the Federal Information Security Management Act (FISMA),
OMB requires that each agency develop specific system configuration
requirements that meet its own needs and ensure compliance with them.
This provision encompasses traditional system configuration
management, employing clearly defined system security settings, and
maintaining up-to-date patches. OMB further states that simply
establishing such configuration requirements is not enough; adequate
ongoing monitoring and maintenance must also be implemented.
As discussed above, PADC is but one of a variety of available services
and automated tools, and does not include important features that are
available in other services and products. Agencies should examine these
tools and services and implement the most cost-effective solution
available for their computing environment. In considering whether to
require agencies to use the PADC service, OMB should weigh the costs
against potential benefits, considering the possible changes in PADC
scope and user base discussed above.
2. We know from the hearing on the 2002 GISRA report that most agencies
do not have a complete inventory of their systems. In the absence of a
complete inventory, is it possible to have effective patch management?
Without a complete inventory of systems, it is very difficult to
implement effective patch management agencywide. In our testimony we
specifically identified the practice of creating and maintaining a
current inventory of all hardware equipment, software packages,
services, and other technologies installed and used by an organization
as an essential element of patch management. A systems inventory
assists in determining the number of systems that are vulnerable and
require remediation, in locating the systems and identifying their
owners, and in prioritizing systems to be patched based on a risk
assessment. The National Institute of Standards and Technology's (NIST)
Special Publication 800-40, Procedures for Handling Security Patches,
also identifies a systems inventory requirement as a key priority for
effective patch management. According to NIST, it is important for the
inventory to include hardware, operating systems, and major
applications. Systems administrators may be able to keep patches up to
date on their individual systems without an agencywide inventory, but
this option may be riskier, less consistent, and more expensive.
3. Several panelists suggested that the federal government should have
security acceptance testing for software prior to purchasing. What are
your thoughts on this idea?
As part of the acquisition decision process, agencies should test
software to ensure that it meets their security requirements before
purchasing it. OMB requires agencies to use a certification and
accreditation process to ensure that a new system meets a set of
specified security requirements before it is deployed. Moreover, NIST's
Special Publication 800-23, Guidelines to Federal Organizations on
Security Assurance and Acquisition/Use of Tested/Evaluated Products,
includes guidance advising agencies of the benefits of testing
commercial products against customer-, government-, or vendor-
developed specifications. Typically these specifications include
security requirements.
We are sending copies of this letter to DHS and other interested
parties. Should you have any questions on matters discussed in this
letter, please contact me at (202) 512-3317. I can also be reached by
e-mail at daceyr@gao.gov.
Sincerely yours,
Robert F. Dacey:
Director, Information Security Issues:
(310515):
FOOTNOTES
[1] U.S. General Accounting Office, Information Security: Effective
Patch Management is Critical to Mitigating Software Vulnerabilities,
GAO-03-1138T (Washington, D.C.: September 10, 2003).
