NIST guide tackles managing computer patches


The National Institute of Standards and Technology has published for public comment a revised draft of its guidance for managing computer patches.

The previous version, issued as Creating a Patch and Vulnerability Management Program (NIST Special Publication 800-40), was written when such patching was done manually.

The guide has been updated for the automated security systems now in use, such as those based on NIST’s Security Content Automation Protocol.


The guide provides recommendations that organizations should implement to improve the effectiveness and efficiencies of their enterprise management technologies. Organizations should:

  • deploy enterprise patch management tools using a phased approach,
  • reduce the risks associated with enterprise patch management tools by applying standard security techniques that should be used when deploying any enterprise-wide application, and
  • balance security needs with their usability and availability needs.

Comments on the draft should be submitted by Oct. 19, 2012, to with the subject “SP 800-40 Comments.”
