[ISN] DOD to automate deployment of security patches

Fri Nov 18 02:16:28 EST 2005

http://www.gcn.com/vol1_no1/daily-updates/37584-1.html

By Dawn S. Onley 
GCN Staff
11/17/05 

The Defense Department recently made it mandatory for computer users 
to deploy automated security tools across the department to better 
protect networks from viruses. 

The Communication Tasking Order, a policy directive released Nov. 3 by 
the commander of the Strategic Command, orders Defense agencies to 
"immediately initiate" the machine-to-machine patches to automatically 
repair vulnerabilities as soon as software patches become available. 

The order sets a phased timeline for compliance and allows for 
operational necessities, according to Timothy Madden, spokesman for 
the Joint Task Force for Global Network Operations. JTF-GNO is charged 
with operating and defending the Global Information Grid - the Defense 
Department's classified and unclassified network. 

The new directive requires that all patches be installed immediately 
using commercial and government tools currently available, with an eye 
toward standardization in the future. 

"There are various tools available now, both in the commercial sector 
and in the government, that are capable of providing such 
remediation," Madden said. "The JTF-GNO is directing the use of such 
tools across the GIG, and that such tools must be standardized by a 
certain time." 

Air Force Lt. Gen. Charles Croom, director of the Defense Information 
Systems Agency, said automated patch rollout would boost the network 
security posture across DOD. Croom called the current process 
manual-intensive. 

"When there's a vulnerability identified in a particular piece of 
software, they [software companies] push those patches to us and we 
push those patches to the services and require implementation," Croom 
said. "Obviously, the trick is how fast can you get them and how fast 
can you implement them? And so, I think you see us focusing on the 
techniques, tactics and procedures to do that better."

Croom, who also serves as commander of JTF-GNO, said the new policy 
would make the implementation of patches an instant process. 

"We don't do the patches instantly. But we get viruses instantly, so 
even days are too long to implement patches, and for us it takes days 
and weeks," Croom said. "The vision for the future is you get the 
person out of the loop and you get machine-to-machine ability so you 
have the patches automatically distributed and loaded on whatever 
piece of equipment needs to be patched." 