The Patch Authentication and Dissemination Capability (PADC) program at the Federal Computer Incident Response Center (FedCIRC) is designed to provide an easy-to-use, one-stop shop for federal IT security administrators looking for software patches, said Sallie McDonald, assistant commissioner with the US Office of Information Assurance and Critical Infrastructure Protection.
The free service allows systems administrators to register their IT equipment and then notifies them when relevant patches become available. PADC tests the patches and also ranks them by what it considers their order of importance.
In the past, systems administrators had to search for patches on their own, sometimes picking through hundreds of patches to find what they needed.
"What we're hoping to do is make this an easier process for systems administrators," McDonald said. "They'll only get notified of the vulnerabilities they need to know about, and they'll see how significant the patch is, so they'll know if they need to apply it right away or if they can wait until next weekend."
About 13 major federal agencies had signed up for the service. The next logical step would be to establish a system that can scan agency servers for vulnerabilities, McDonald said.
The security patch "clearing house" helps agencies satisfy the rules of the Federal Information Security Management Act of 2002, passed in December, which requires federal agencies to have patch management processes.
The first draft of President Bush's National Strategy to Secure Cyberspace, released in September, suggests a similar national clearing house should be set up to serve private businesses.