NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways

Published

Author(s)

Murugiah Souppaya, Alper Kerman, Karen Scarfone, Kevin Stine, Brian E. Johnson, Chris Peloquin, Vanessa Ruffin, Tyler Diamond, Mark Simos, Sean Sweeney

Abstract

Despite widespread recognition that patching is effective and attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that it's resource-intensive and that the act of patching can reduce system and service availability. Also, many organizations struggle to prioritize patches, test patches before deployment, and adhere to policies for how quickly patches are applied in different situations. To address these challenges, the NCCoE is collaborating with cybersecurity technology providers to develop an example solution that addresses these challenges. This NIST Cybersecurity Practice Guide explains how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as implement workarounds, isolation methods, or other alternatives to patching. It also explains recommended security practices for patch management systems themselves.
Citation
Special Publication (NIST SP) - 1800-31
Report Number
1800-31
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.SP.1800-31
Local Download

Keywords

cyber hygiene, enterprise patch management, firmware, patch, patch management, software, update, upgrade, vulnerability management
Trustworthy platforms, Information technology and Cybersecurity and privacy

Citation

Souppaya, M. , Kerman, A. , Scarfone, K. , Stine, K. , Johnson, B. , Peloquin, C. , Ruffin, V. , Diamond, T. , Simos, M. and Sweeney, S. (2022), Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.1800-31, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934187 (Accessed October 24, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created April 6, 2022, Updated November 29, 2022
Was this page helpful?