Recommendations for a Standardized Program Management Office (PMO) Time Compliance Network Order (TCNO) Patching Process

摘要

Network security is a paramount concern for organizations utilizing computer technology, and the Air Force is no exception. Network software vulnerability patching is a critical determinant of network security. The Air Force deploys these patches as Time Compliance Network Orders (TCNOs), which together with associated processes and enforced timelines ensure network compliance. While the majority of the network assets affected by this process are Air Force owned and operated, a large number are maintained by external entities known as Program Management Offices (PMOs). Although these externally controlled systems provide a service to the Air Force and reside on its network, the TCNO processes for these assets are dictated and managed, to a large extent, by the PMOs. There is no current or planned, standardized method to release TCNOs to PMOs within the AF. While AFI mandates that PMOs are responsible for establishing procedures to evaluate applicability to their systems, there are no quality checks, standardization requirements or oversight to ensure the results of such evaluations are sound. Nonetheless, these PMO systems directly impact the security of the Air Force Network and the Department of Defense at large. By examining existing PMO patch management processes, this study should provide a better understanding of the TCNO processes used by PMOs with the intent of exploiting strengths and addressing weaknesses in an effort to move towards a standardized TCNO patching process.