Connect with us

Hi, what are you looking for?



NIST and Microsoft Partner to Improve Enterprise Patching Strategies

The National Institute of Standards and Technology (NIST) and Microsoft this week announced a joint effort aimed at helping enterprises improve their patching strategies. 

The National Institute of Standards and Technology (NIST) and Microsoft this week announced a joint effort aimed at helping enterprises improve their patching strategies. 

Motivated by massive cyber-attacks such as WannaCry and the devastating NotPetya, the the goal of the initiative is to help organizations plan, implement, and improve their enterprise patch management strategies.

Timely patching could have mitigated the rapid spreading that occurred during both attacks, given that they were targeting already fixed vulnerabilities (the EternalBlue and EternalRomance exploits linked to the National Security Agency).

Following these attacks, Microsoft decided to look into why some of its customers did apply the security patches, which had been available for months when NotPetya hit. 

Microsoft says that it also listened directly to customer challenges regarding patches, thus discovering that some customers don’t even test a patch before deployment, but merely ask on online forums if anyone has had issues with that patch.

One of the conclusions the tech giant arrived to was that building clearer industry guidance and standards on enterprise patch management was highly important, hence the partnership with the U.S. NIST National Cybersecurity Center of Excellence (NCCoE).

“This project—kicking off soon—will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit,” Microsoft explains

Advertisement. Scroll to continue reading.

Among those that shared their experience in patch management include the Center for Internet Security (CIS), the U.S. Department of Homeland Security (DHS) Cybersecurity, and the Cybersecurity and Infrastructure Security Agency (CISA) (formerly US-CERT / DHS NCCIC). 

Both vendors that can help with patch management and organizations/individuals who can share information on successful enterprise management programs are welcomed to join the initiative. 

Microsoft also points out that applying patches is both a critical part of protecting a system and a social responsibility, given the extent to which society has become dependent on technology. 

“This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology,” Microsoft explains. 

According to NIST, the relatively small number of root causes for most data breaches, malware infections, and other security incidents can be mitigated by implementing a few relatively simple security hygiene practices. 

“Unfortunately, security hygiene is easier said than done. Even though there is widespread recognition that patching software—operating systems, applications, and the like—can be incredibly effective at mitigating security risk, patching is often resource-intensive, and the act of patching itself can reduce system and service availability,” NIST says. 

Not testing patches before deployment can break system functionality and disrupt operations, while delays in patch deployment provides attackers with a larger window of opportunity.

The newly announced Critical Cybersecurity Hygiene: Patching the Enterprise project, NIST explains, will look into how commercial and open source tools can help with the patching process. Actionable, prescriptive guidance on the patching life cycle will also be provided. 

A NIST Cybersecurity Practice Guide will be published as part of the project, to provide a description of the practical steps needed to implement a cybersecurity reference designed to address the enterprise patching challenge.

Related: Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report

Related: DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.