Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-40 Rev. 4 (Initial Public Draft)

Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology

Date Published: November 17, 2021
Comments Due: January 10, 2022 (public comment period is CLOSED)
Email Questions to: [email protected]

Author(s)

Murugiah Souppaya (NIST), Karen Scarfone (Scarfone Cybersecurity)

Announcement

The National Cybersecurity Center of Excellence (NCCoE) has released two draft publications on enterprise patch management for public comment. Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions. However, keeping software up-to-date with patches remains a problem for most organizations.

Draft NIST Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, discusses common factors affecting enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies.

Draft NIST Special Publication (SP) 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, builds upon the work in SP 800-40 Revisions 3 and 4. SP 1800-31 describes an example solution that demonstrates how tools can be used to implement the inventory and patching capabilities organizations need for routine and emergency patching situations, as well as implementing workarounds and other alternatives to patching. 

NOTE: A call for patent claims is included on page iii of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

enterprise patch management; patch; risk management; update; upgrade; vulnerability management
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-40r4-draft
Download URL

Supplemental Material:
None available

Related NIST Publications:
SP 1800-31 (Draft)

Document History:
11/17/21: SP 800-40 Rev. 4 (Draft)
04/06/22: SP 800-40 Rev. 4 (Final)

Topics

Security and Privacy

patch management, vulnerability management

Technologies

software & firmware

Applications

enterprise

Laws and Regulations

Executive Order 14028