WASHINGTON, D.C. - The U.S. General Services Administration last week began offering federal civilian agencies a way to keep track of new software patches so that they can apply them before hackers exploit known vulnerabilities.
The free service is being offered to agencies that register through the GSA's Federal Computer Incident Response Center (FedCIRC), the division that notifies the GSA and other civilian agencies of important security incidents. The service is based on a customized version of SecureInfo's patch-management product, InSite Enterprise Vulnerability Management, which will be hosted at Veridian Information Solutions, the prime contractor awarded the five-year, $10.8 million contract by the GSA.
"It's no secret that most security incidents could be avoided if managers applied patches for known vulnerabilities," says Sallie McDonald, assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection within the GSA's Federal Technology Service.
Keeping track of all the vendor announcements related to security holes and the patches for them is a daunting task, particularly for an organization the size of the federal government. The GSA says it hopes the task will get somewhat easier through the online FedCIRC service, because security administrators will receive information related only to the specific applications they choose, rather than being overloaded with data they don't need.
The GSA will use the patch-notification service to make sure that software patches are applied methodically across agency computers. The service will be voluntary for other agencies. (One large agency, the Veterans Administration, began requiring its sites to use a software patching service of its own.)
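The article describes the core of the service as matching vendor patch announcements against the applications an agency actually runs, so that administrators see only the notices that apply to them. The following is an added illustration of that matching step, not code from the article or from SecureInfo's or Veridian's product; the product names, version numbers, advisory identifiers and the "affected if installed version is older than the fixed version" rule are all constructed assumptions for the example.

```python
"""Added example: filter vendor patch advisories against a site's software
inventory, in the spirit of the FedCIRC patch-notification service described
above. All products, versions and advisory IDs below are constructed sample
data; nothing here is SecureInfo, Veridian or GSA code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real advisory number
    product: str
    fixed_in: str      # first version that contains the patch (assumption)
    severity: str


@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    product: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers.
    Non-numeric components are treated as 0 so comparison never raises."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def relevant_advisories(inventory, advisories):
    """Return sorted (host, advisory_id) pairs for hosts that run a version
    older than the advisory's fixed_in version, i.e. hosts still unpatched.
    Advisories for products that no host runs never reach the output."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)

    hits = []
    for item in inventory:
        for adv in by_product.get(item.product.lower(), []):
            if parse_version(item.version) < parse_version(adv.fixed_in):
                hits.append((item.host, adv.advisory_id))
    return sorted(hits)


def suppressed_advisories(inventory, advisories):
    """Advisory IDs dropped because no inventoried host runs that product:
    the noise the filtered feed spares the administrator."""
    products_in_use = {item.product.lower() for item in inventory}
    return sorted(adv.advisory_id for adv in advisories
                  if adv.product.lower() not in products_in_use)


# Constructed sample inventory and advisory feed.
SAMPLE_INVENTORY = [
    InstalledSoftware("web-01", "ExampleWeb", "2.0.3"),
    InstalledSoftware("web-02", "ExampleWeb", "2.1.0"),
    InstalledSoftware("db-01", "ExampleDB", "9.4"),
    InstalledSoftware("mail-01", "ExampleMail", "5.0"),
]

SAMPLE_ADVISORIES = [
    Advisory("EX-2002-001", "ExampleWeb", "2.1.0", "high"),
    Advisory("EX-2002-002", "ExampleDB", "9.5", "medium"),
    Advisory("EX-2002-003", "ExampleCAD", "1.2", "low"),    # product not in use
    Advisory("EX-2002-004", "ExampleMail", "4.9", "high"),  # already patched
]


if __name__ == "__main__":
    for host, advisory_id in relevant_advisories(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{host}: apply {advisory_id}")
    print("suppressed:", suppressed_advisories(SAMPLE_INVENTORY, SAMPLE_ADVISORIES))
```

Only two of the four advisories reach an administrator: the one for a product nobody runs is dropped outright, and the one whose fix predates the installed version is dropped because no host is exposed. A real service would also have to handle vendor-specific version schemes and product aliases, which the simple dotted-version comparison above does not attempt.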
Federal agencies expect to see a tightening of security requirements under the Homeland Security Act, which Congress passed and President Bush signed into law last week. It officially created the Department of Homeland Security, expected to combine parts of 55 agencies with security outfits, including the GSA's FedCIRC.
The Homeland Security Act also includes legislation known as the Federal Information Security Management Act (FISMA), which Rep. Tom Davis (R-Va.) and Rep. Steve Horn (R-Calif.) introduced earlier this year. FISMA replaces the Government Information Security Reform Act, which required agencies to periodically report their security practices to the Office of Management and Budget (OMB). FISMA says agencies must comply with any new IT security guidelines the OMB sets forth in tandem with the National Institute of Standards and Technology.
Read more about security in Network World's Security section.