Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology



Murugiah Souppaya, Karen Scarfone


Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. Patching is more important than ever because of the increasing reliance on technology, but there is often a divide between business/mission owners and security/technology management about the value of patching. This publication frames patching as a critical component of preventive maintenance for computing technologies – a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions. This publication also discusses common factors that affect enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk. Preventive maintenance through enterprise patch management helps prevent compromises, data breaches, operational disruptions, and other adverse events.
Special Publication (NIST SP) - 800-40r4
Report Number


enterprise patch management, patch, risk management, update, upgrade, vulnerability management.


Souppaya, M. and Scarfone, K. (2022), Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed May 24, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created April 6, 2022, Updated November 29, 2022