GAO: Patch management needs help

The government should consider providing centralized patch management services to help agencies protect their IT systems, according to a new General Accounting Office report.

GAO found many agencies are not consistently installing patches that fix security flaws in software. A centralized service would take the place of the failed Patch Authentication and Dissemination Capability, a free service launched in February 2003 by the Federal Computer Incident Response Center and shut down a year later. Its limited abilities gave agencies little incentive to use it.

The Office of Management and Budget said it would consider this possibility, but said: "Ultimately, it remains each agency and system owner's responsibility to maintain the security of their systems."