blue background

Update Government Software

Keep systems protected by updating software and patching known vulnerabilities. 

Protect Essential Services by Updating Software 


Outdated software and operating systems are prime entry points for cyber attackers—and state, local, tribal and territorial (SLTT) networks are often targets. From tax systems to public safety platforms, your government relies on software to deliver essential services.  

For SLTTs that oversee critical infrastructure—like water utilities, emergency response teams and public health platforms—the cybersecurity stakes are high, and outdated software is a gateway for threat actors. Consider the Volt Typhoon group, who has been exploiting vulnerabilities in public-facing devices including routers, VPNs and firewalls to gain access to operational systems. A single missed update can give attackers a way into the infrastructure your community depends on.  

Updating software regularly and patching known vulnerabilities are two of the simplest, most effective ways to protect your community and your data. 

Research shows just how dangerous unpatched vulnerabilities can be. According to Verizon’s 2025 Data Breach Investigations Report, the exploitation of vulnerabilities was the initial access vector in 20% of the breaches they investigated—up 34% from the previous year. Verizon’s analysis showed that only about 54% of these vulnerabilities were fully remediated throughout the year, and it took a median of 32 days to accomplish.  

What could your organization lose if threat actors lurked in your systems for more than a month? Let’s not find out—follow our guidelines below for keeping your systems up to date. 


Four Steps to Keep Software Updated and Secure 


The best defense against online attackers is to keep software up to date and replace any software or hardware that is no longer supported with patches and upgrades.  

  1. Patch promptly and turn on automatic updates. 

    Prioritize critical vulnerabilities especially for public-facing or legacy systems. Use CISA’s Known Exploited Vulnerabilities (KEV) Catalog to identify urgent updates. 

    Turn on automatic updates for operating systems, browsers, endpoint protection and productivity tools—especially on desktops, laptops and mobile devices used by public employees. Automation reduces the burden on IT staff and helps maintain security consistency across departments and agencies. 
     

  1. Replace legacy systems and devices. 

    Many agencies rely on older software for budgetary or operational reasons. But unsupported software can’t receive security updates—making it vulnerable. Isolate such legacy systems and monitor them closely for unusual activity. Develop a transition plan for migrating to supported platforms. (See Choosing Secure and Verifiable Technologies for guidance on selecting technology that is secure by design.) 

    In addition,  keep an up-to-date inventory of software and operating systems across departments and third-party vendor platforms. (You can’t patch what you don’t know you have.) 

    CISA’s no-cost Cyber Hygiene Services can help you identify outdated or unpatched systems. 
     

  1. Train employees to take updates seriously. 

    Updates are everyone’s responsibility. Remind staff, especially remote workers, to enable automatic updates on all devices and software. Remind staff to reboot their devices regularly and pay attention to update notifications—your IT team may push updates that download at night, but only if the user’s device is on and connected to the internet. Additionally, the updates may only get installed when the computer is rebooted. Employees may need reminders to regularly reboot their machines, not just log off. 

    Require staff to check with IT before installing new apps on company devices. Also, confirm that your vendors regularly update their systems, since their vulnerabilities can lead to breaches of your systems. 
     

  1. Coordinate across departments. 

    In SLTT environments, IT is often decentralized. Ensure updates and patch management are coordinated across various offices like public safety, courts, transportation and administrative offices. 

    Designate a cybersecurity point of contact in each department or jurisdiction to enforce consistent update practices and report patching status. 

    Confirm that your organization's entire network is protected by antivirus/antimalware software and prioritize updates for these tools. 
     

printer icon with cybersecurity essentials fact sheet

Printable Tips

Get the Four Cybersecurity Essentials for SLTTs in one handy, printable summary. 

GET IT NOW

No-Cost Cyber Threat Services from CISA—Share with Your IT Team

women working at desk on a headset

Cyber Hygiene Services

Reduce your risk significantly with CISA’s no-cost vulnerability and web application scanning. 

coworkers looking at a laptop

Cybersecurity Alerts & Advisories

Get links to all CISA’s published alerts and advisories, with the ability to filter by Audience, Sector, Topic and more. 

man at desk working

Known Exploited Vulnerabilities (KEV) Catalog

Visit for the authoritative list of vulnerabilities that have been exploited in the wild. Prioritize these patches. 

resource document icon for State, Local, Tribal and Territorial government resources

State, Local, Tribal & Territorial Resources

No-cost information, resources and tools from CISA to help you defend against cyber threats. 

Protect Government Services with Phishing Training

Require Strong Passwords in Government

Require MFA in Government

Secure U.S. State, Local, Tribal & Territorial Government

State, Local, Tribal & Territorial Government Resources

Cybersecurity Awareness Month