The National Cybersecurity Center of Excellence (NCCoE) is seeking public comments on two draft publications about enterprise patch management. 

The first draft document titled Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology calls for the development of an enterprise strategy to simplify patching and improve risk reduction, the National Institute of Standards and Technology said Wednesday.

The second draft publication presents an example demonstrating how organizations can use tools to implement patching capabilities needed for emergency and routine patching conditions.

The draft document titled Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways also suggests workarounds and other alternatives to patching.

Comments on the draft publications are due Jan. 10th.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly advise both government and commercial organizations to observe cybersecurity practices as the holiday season approaches. CISA said Monday that cyber actors tend to exploit the vulnerabilities of critical networks during weekends and holidays.

The agencies advise organizations to observe a set of risk reduction practices and identify human resources available for cybersecurity work during these times.

Risk reduction practices include using multi-factor authentication, requiring strong passwords, monitoring risky devices, raising employee awareness and reviewing incident response plans.

“We urge network defenders to prepare and remain alert over the upcoming holiday weekend and report any suspicious activity to www.ic3.gov,” said Bryan Vorndran, cyber assistant director at the FBI.

Ransomware incidents are cyber attacks when a malicious actor blocks a user’s system access until the victim pays a demanded sum of money.

A substitute amendment proposed by Senate Armed Services Committee Chairman Jack Reed, D-R.I., to the House-passed National Defense Authorization Act (NDAA) did not include a language calling for updates to the Federal Information Security Modernization Act (FISMA), including changes to how federal agencies report on cyber incidents, Nextgov reported.

Sens. Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, proposed the FISMA update provision. Reed on Friday introduced the substitute amendment to the NDAA a day after the upper chamber started initial deliberations on the defense policy bill.

Reed’s proposal, however, included a language proposed by Peters that would direct the secretary of the Department of Defense (DOD) to work with the national cyber director and head of the Cybersecurity and Infrastructure Security Agency (CISA) in designing a pilot project to advance DOD’s collaboration with the private sector.

Peters and Portman serve as chair and ranking members of the Senate Homeland Security and Governmental Affairs Committee, respectively. The Senate is expected to resume deliberations on the NDAA on Nov. 29th.

Mieke Eoyang, deputy assistant secretary of defense for cyber policy, said the 2022 National Defense Strategy may have an increased focus on cybersecurity, Nextgov reported Monday.

She highlighted the Department of Defense’s three primary cyberspace missions at the CyberNext DC event, which took place virtually on Nov. 18th.

DOD commits to defending its networks, extending network capabilities to warfighters and protecting the U.S. altogether, the defense executive noted.

Eoyang said the increased cyber focus addresses DOD’s security role in the 2022 elections and efforts in response to the rise of ransomware.

The National Defense Strategy, which DOD updates every four years, tackles what the department considers emerging threats.