Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways
Published
Author(s)
Murugiah Souppaya, Alper Kerman, Karen Scarfone, Kevin Stine, Brian E. Johnson, Chris Peloquin, Vanessa Ruffin, Tyler Diamond, Mark Simos, Sean Sweeney
Abstract
Despite widespread recognition that patching is effective and attackers regularly exploit unpatched software, many organizations do not adequately patch. There are myriad reasons why, not the least of which are that it's resource-intensive and that the act of patching can reduce system and service availability. Also, many organizations struggle to prioritize patches, test patches before deployment, and adhere to policies for how quickly patches are applied in different situations. To address these challenges, the NCCoE is collaborating with cybersecurity technology providers to develop an example solution. This NIST Cybersecurity Practice Guide explains how tools can be used to implement the patching and inventory capabilities organizations need to handle both routine and emergency patching situations, as well as implement workarounds, isolation methods, or other alternatives to patching. It also explains recommended security practices for patch management systems themselves.
Souppaya, M., Kerman, A., Scarfone, K., Stine, K., Johnson, B., Peloquin, C., Ruffin, V., Diamond, T., Simos, M. and Sweeney, S. (2022), Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.1800-31, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934187 (Accessed October 1, 2025)