Patch Management Process


Process Owner: Manager, IT Performance Achievement

Note: An owner must be a PCES-level manager.


The enterprise Patch Management Process establishes a unified patching approach across systems that are in the Payment Card Industry (PCI) Cardholder Data Environment (CDE).


This process is used in conjunction with all IT and Security Policies, Processes, and Standards, including those listed in the Supporting Documentation section. It applies to:


Patch Management Process

The patch management process is as follows:

  1. Assess vendor-provided patches and document the assessment. If the assessed patches:

    • Address a critical vulnerability as described in the Risk Ranking Policy: They must be implemented within 30 days of vendor release.

    • Do not address a critical vulnerability: They must be implemented in the next standard patching cycle.

    • Do not apply: Document in the Patch Assessment as an Exclusion.

  2. Obtain approval for the assessment. The process ends here for approved Exclusions.

  3. Schedule patches for testing and implementation.

  4. Test patches.

  5. Implement patches in the Production environment.

  6. Validate and test patch implementation.

Implementation Deadline

Risk Ranking    Implementation Deadline    Implementation Schedule
Critical        30 Days                    Compressed
Non-critical    90 Days                    Standard

Patch Exception

An applicable patch that cannot be implemented by the implementation deadline is an exception and requires a Security Exception Letter. The table below describes how this form is completed and approved.

When a patch exception may occur        Who completes the form and obtains approvals
During the initial assessment           Functional Support
During testing or implementation        Functional Support or Business Owner
At any time for business reasons        Business Owner

Note: Functional Support is defined as the group responsible for identifying and assessing patches and performing Functionality Testing. Business Owner is defined as the Business Relationship Management Program Manager (BRM PM) or an equivalent stakeholder.
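As an added example (not part of the USPS process document), the following Python check applies the Implementation Deadline and Patch Exception rules above to a few constructed patch-assessment records, flagging which ones need a Security Exception Letter and who completes it. The record layout, the stage names and the patch ids are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Implementation Deadline table: risk ranking -> (days from vendor release, schedule).
RULES = {"critical": (30, "Compressed"), "non-critical": (90, "Standard")}
# Patch Exception table: where the exception arises -> who completes the
# Security Exception Letter. The stage keys are assumed names, not from the document.
EXCEPTION_OWNER = {
    "assessment": "Functional Support",
    "testing": "Functional Support or Business Owner",
    "implementation": "Functional Support or Business Owner",
    "business": "Business Owner",
}

@dataclass
class PatchAssessment:          # hypothetical record layout for one assessed patch
    patch_id: str
    vendor_release: date
    applicable: bool            # False -> documented as an Exclusion, process ends
    risk_ranking: Optional[str] = None   # "critical" or "non-critical" per Risk Ranking Policy
    stage: str = "assessment"   # "assessment", "testing", "implementation" or "business"
    implemented_on: Optional[date] = None

def evaluate(a: PatchAssessment, today: date) -> dict:
    """Apply the deadline and exception rules to one assessment record."""
    if not a.applicable:
        return {"patch_id": a.patch_id, "status": "exclusion", "exception_required": False}
    days, schedule = RULES[a.risk_ranking]
    due = a.vendor_release + timedelta(days=days)
    if a.implemented_on is not None:
        late = a.implemented_on > due
        status = "implemented-late" if late else "implemented"
    else:
        late = today > due
        status = "missed" if late else "open"
    # Anything not implemented by its deadline needs a Security Exception Letter.
    return {"patch_id": a.patch_id, "status": status, "deadline": due,
            "schedule": schedule, "exception_required": late,
            "exception_owner": EXCEPTION_OWNER[a.stage] if late else None}

# Constructed sample records (not real patches or dates from the document).
SAMPLE = [
    PatchAssessment("P-001", date(2017, 9, 1), True, "critical", "implementation"),
    PatchAssessment("P-002", date(2017, 8, 1), True, "non-critical", "testing", date(2017, 10, 15)),
    PatchAssessment("P-003", date(2017, 9, 20), False),
]

def audit(today: date = date(2017, 10, 20)) -> list:
    return [evaluate(a, today) for a in SAMPLE]
```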


Access Supporting Documentation from ITWEB (internal):

Access Supporting Documentation from (external):

For access to the following documents, contact the US Postal Service. See Publication 5, Let's Do Business for further information about local US Postal Service contacts.


Revision History

Version  Date        Description
1.0      06.01.2014  Initial release.
1.1      07.11.2014  Added link to Patch Exception or Deferment Form. Updated "Patch Exception or Deferment" statement to align with Patch Exception or Deferment Form.
         11.12.2014  Process: Updated to align with current practice. Added a Roles section. Moved up the Patch Exception or Deferment section to immediately follow the Roles section. Added a table to define patch exceptions, deferments, and exclusions. Added a note to define missed patches.
2.0      02.27.2015  Process: Elevated process to a higher level to align with current practices. Removed "This process is effective as of July 1, 2014." because the date has passed. This information will be retained in the Revision History for historic purposes.
2.0.1    02.05.2016  Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 145819
                     Non-substantive change: Risk Ranking Policy replaced Risk Ranking Standards, and Security Exception Letter replaced Patch Exception Form; updated references and hyperlinks.
2.0.2    08.17.2016  Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 202508
2.0.3    08.08.2017  Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 294702