Final Memorandum, “NASA’s Implementation of Patch Management Software Is Incomplete” (IG-06-007, March 17, 2006)

The NASA Office of Inspector General (OIG) conducted an audit to determine whether NASA had established formal requirements, guidance, and milestones for implementation of patch management software and whether NASA had fully implemented an effective patch management process and capability.

We found that while NASA had established formal requirements, guidance, and milestones, two NASA contractors had not fully implemented the patch management software as required by the NASA Chief Information Officer (CIO). We recommended that the NASA CIO, in coordination with the relevant contracting officers, take appropriate action to ensure that contractors are complying with NASA requirements to implement an effective patch management program, including the implementation of specific software for patch status reporting.

We also recommended that the NASA CIO require the Centers to maintain inventories and use those inventories to ensure up-to-date installation of patch management tools on all applicable computers.

NASA management concurred with both recommendations, stating that patch management language will be fully incorporated into relevant contracts and that the NASA CIO will mandate that all Centers develop inventories and identify which computers have and or need installation of patch management tools.

The memorandum contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.