Veridian Aids Feds With Patch-Management Problem


The Federal Computer Incident Response Center, or FedCIRC, went live Tuesday with a new system to deliver software patches to federal CIOs.

In 2002, solution provider Veridian and security software developer SecureInfo won FedCIRC's task order, valued at $10.8 million, to develop and maintain a patch-management system.

The new Web-based application will notify civilian agencies, including the Department of Homeland Security, when new patches have been released, disseminating to those agencies' CIOs only the patches they have requested based on the applications they use.

"In government and industry, some 80 [percent] to 90 percent of the [computer network] vulnerabilities that are exploited have patches available" to prevent such attacks, said FedCIRC's Sallie McDonald, who is working closely with Veridian and SecureInfo to delineate the civilian agencies' needs.

Within the Federal Technology Service of the General Services Administration, McDonald is assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection.

The mission of FedCIRC, a unit of the GSA, is to collect incidents of network breaches and vulnerabilities across the government in order to better assess those networks' security strengths and correct their weaknesses.

Arlington-based Veridian is the prime contractor on the project. Jim Jaeger, vice president of Veridian's Cyber Assurance Group, located in San Antonio, said that while conscientious patch management can protect networks, it often falls to the bottom of system administrators' lists of tasks.

"We load [patch management] typically on some of the most junior people in the agencies," he said. "Depending on what patch services they have today, they may have to go to a dozen different places to get all the patches they need."

Jaeger said that the patch-management application, known as Patch Authentication and Dissemination Capability (PADC), is built on SecureInfo's InSiteEVM product.

Agency budgets could be affected by CIOs' compliance with the PADC system. Recent legislation requires CIOs to report to the White House Office of Management and Budget their processes for applying and maintaining patches.