NIST SPECIAL PUBLICATION 1800- 31 Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways Includes Executive Summary (A ); Security Risks and Capabilities (B); and How -To Guides ( C) Tyler Di amond * Alper Ker man Murugiah S ouppaya Kevin S tine Brian J ohnson Chris Pe loquin Vanessa Ruffin Mark Simo s Sean S weeney Karen S carfone *Former employee; all work for this publication was done while at employer FINAL April 2022 This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-3 1 The draft publication is av ailable free of charge from https://www.nccoe.nist.gov /publications/practice-g uide/nist-s p-1800-3 1-improving-e nterprise-p atching- general-i t-systems-d raft NIST SPECIAL PUBLICATION 1800 -31 Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways Includes Executive Summary (A); Security Risks and Capabilities (B); and How-To Guides ( C) Tyler Diamond* Alper Kerman Murugiah Souppaya Kevin Stine National Cybersecurity Center of Excellence Information Technology Laboratory Bri an Johnson Chris Peloquin Vanessa Ruffin The MITRE Corporation McLean, VA Mark Simos Sean Sweeney Microsoft Redmond, WA Karen S carfone Scarfone Cybersecurity Clifton, Virginia *Former employee; all work for this publication was done while at employer April 2022 U.S. D epartment of Commerce Gina M. Raimondo, Secretary National Institute of Standards and Technology James K. Olthoff, Performing the non-e xclusive functions and d uties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology FINALNIST SPECIAL PUBLICATION 1800- 31A Improvin g Enterpris e Patching for General IT Systems: Utilizing Existi ng Tools and Performing Processes in Better Ways Volum e A: Executive Summary Alper K erman Murugiah Souppaya Kevin Stine National C ybersecurity Center of Excellenc e Informati on Technology Laboratory Mark Simos Sean Sweeney Microsoft Redmond, Washington Karen Scarfone Scarfone Cybersecurity Clifton, Virginia FINAL April 2022 This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-3 1 The draft publication is available free of charge from https://www.nccoe.nist.gov /publications/practice-g uide/nist-s p-1800-3 1-improving-e nterprise-p atching- general-i t-systems-d raft NIST SP 1800 -31A : Improving Enterprise Patching for General IT Systems 1 Executive Summary For decades, cybersecurity attacks have highlighted the dangers of having computers with unpatched software . Even with widespread awareness of these dangers, however, keeping software up -to-date with patches remains a problem. Deciding how, when, and what to patch can be difficult for any organization. Each organization must balance security with mission impact and business objectives by using a risk -based methodology . To address these challenges, the NCCoE ha s collaborated with cybersecurity technology providers to explore approach es for improving enterprise patching practices for general information technology (IT) systems. These practices are intended to help your organization improve its security and reduce the likelihood of data breaches with sensitive personal information and other successful compromises . The practices can also play an important role as your organization embarks on a journey to zero trust. CHALLENGE There are a few root causes for many dat a breaches, malware infections, ransomware attacks, and other security incidents , and known— but unpatched —vulnerabilities in software is one of them . Implementing a few security hygiene practices , such as patching operating systems, applications, and firmware, can prevent many incidents from occurring, lower the potential impact of incidents that do o