You are viewing this page in an unauthorized frame window.

This is a potential security issue, you are being redirected to https://csrc.nist.gov.

You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.

An official website of the United States government

Here’s how you know

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Institute of Standards and Technology

CSRC MENU

Projects
Publications Expand or Collapse

Drafts for Public Comment

All Public Drafts

Final Pubs

FIPS (standards)

Special Publications (SPs)

IR (interagency/internal reports)

CSWP (cybersecurity white papers)

ITL Bulletins

Project Descriptions

Journal Articles

Conference Papers

Books
Topics Expand or Collapse

Security & Privacy

Applications

Technologies

Sectors

Laws & Regulations

Activities & Products
News & Updates
Events
Glossary
About CSRC Expand or Collapse
Computer Security Division
Applied Cybersecurity Division
Contact Us

Information Technology Laboratory

Computer Security Resource Center

CSRC Logo

October 1, 2025: Due to a lapse in federal funding, this website is not being updated. Learn more.

Topics Security and Privacy security programs & operations

patch management

Share to Facebook Share to X Share to LinkedIn Share ia Email

The process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation. Also, patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution. (SP 800-40 Rev. 3)

Related Projects

Security Content Automation Protocol SCAP
The Security Content Automation Protocol (SCAP) is a suite of interoperable specifications...

Security Content Automation Protocol Validation Program SCAPVP
End-of-Life Announcement: NIST SCAP Validation Program The National Institute of Standards and...

Security Content Automation Protocol Version 2 (SCAP v2) SCAP v2
Security Content Automation Protocol Version 2 (SCAP v2) is a major update to the SCAP 1.x...

Software Identification (SWID) Tagging SWID
Software is vital to our economy and way of life as part of the critical infrastructure for the...

View All Projects

Related Events

Security Content Automation Protocol Version 2 Introductory Teleconference
October 4, 2018
We are pleased to announce that a teleconference introducing the SCAP Version 2 effort has been...

Second Workshop on Enhancing Resilience of the Internet and Communications Ecosystem
February 28, 2018 to March 1, 2018
This workshop will discuss substantive public comments, including open issues) on a draft report...

View All Events

Related News

NIST Released 2 Enterprise Patch Management SPs
April 6, 2022
NIST's National Cybersecurity Center of Excellence (NCCoE) has released two new final publications...

Enterprise Patch Management: Draft Publications Available for Comment
November 17, 2021
Two draft publications on enterprise patch management are available for public comment through...

Improving Enterprise Patching for General IT Sys
September 10, 2020
A preliminary draft of Volume A of SP 1800-31A, "Improving Enterprise Patching for General IT...

NIST Publishes NISTIR 8011 Vol. 4
April 28, 2020
NIST has published Volume 4 of NISTIR 8011: "Automation Support for Security Control Assessments:...

NIST Releases Draft SP 1800-23 for Comment
September 23, 2019
The NCCoE has released Draft SP 1800-23, "Energy Sector Asset Management," for public comment. The...

View All News

Related Publications

Secure Software Development, Security, and Operations (DevSecOps) Practices
SP 1800-44 (Initial Public Draft)
July 2025
Draft

Guide to Enterprise Patch Management Planning
SP 800-40 Rev. 4
April 2022
Final

Improving Enterprise Patching for General IT Systems
SP 1800-31
April 2022
Final

Guide to Enterprise Patch Management Planning
SP 800-40 Rev. 4 (Initial Public Draft)
November 17, 2021
Withdrawn

Improving Enterprise Patching for General IT Systems
SP 1800-31 (Initial Public Draft)
November 17, 2021
Withdrawn

View All Publications

patch management

Related Projects

Related Events

Related News

Related Publications

Related Presentations

Topics

Related Topics