11-19-2025 03:29 AM
Advice for NCA requirements - cybersecurity compliance for Catalyst and Nexus software patch management
I would like your advice on how to respond to the end-user team at PetroRabigh regarding their Cybersecurity NCA compliance requirement for our ongoing network upgrade project.
The customer is asking how they can comply with the NCA comments related to update and security-patch verification for the newly deployed Catalyst switches/routers (managed through Catalyst Center) and Nexus 9K switches (managed through the Nexus Dashboard in App Mode). They also have an existing Splunk system that was deployed under an earlier project.
They want to know whether Cisco provides any virtual solution that allows them to verify software updates and patches in a non-production environment, or whether this can be achieved using Catalyst Center SWIM or the Nexus Virtual Dashboard.
Customer’s message:
“We need your support to provide us with a virtual solution for the following NCA requirement:
Manage update and security patch packages to address vulnerabilities, ensuring that the safety and effectiveness of these updates and patches are verified in a non-production environment before deployment.
NCA comment: ‘No evidence was provided to prove that the entity verified the safety and effectiveness of the updates and security patches applied in a non-production environment.’
NCA Recommendation: Define the requirements of this control and document them in the policy document, approved by the authorized person in the entity. Verify the safety and effectiveness of updates and security patches in a non-production environment.”
Kindly advise how we should address this and what Cisco-based options we can propose.
Best Regards,
11-19-2025 03:38 AM
Hello @adeebtaqui
You can use the Cisco Software Checker - https://sec.cloudapps.cisco.com/security/center/softwarechecker.
It'll help you verify whether a given Cisco software image is free of high-risk vulnerabilities (as documented by Cisco PSIRT / Security Advisories). This helps satisfy the “safety” part of the requirement.
Thanks and regards
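As an added illustration of the kind of check the Software Checker performs (this is not Cisco's code, nor Catalyst Center or Nexus Dashboard logic), the script below compares each device's running image against advisory version ranges and produces the per-device evidence and lab-staging target the NCA control asks for. The advisory IDs, version ranges and hostnames are constructed sample data, and the ordering of letter suffixes such as "17.9.4a" is an assumption.

```python
"""Offline check of device image versions against advisory version ranges.

Added example (not Cisco's Software Checker, Catalyst Center or Nexus
Dashboard code). ADVISORIES and INVENTORY are constructed sample data:
the advisory IDs, ranges and hostnames are placeholders, not real PSIRT data.
"""
import re
from typing import Dict, List, Tuple

ADVISORIES: List[Dict[str, str]] = [  # constructed; range is [affected_from, first_fixed)
    {"id": "ADV-SAMPLE-1", "platform": "IOS-XE", "severity": "High",
     "affected_from": "17.3.1", "first_fixed": "17.9.4a"},
    {"id": "ADV-SAMPLE-2", "platform": "NX-OS", "severity": "Critical",
     "affected_from": "10.2(1)", "first_fixed": "10.2(5)"},
]

INVENTORY: Dict[str, Tuple[str, str]] = {  # constructed: hostname -> (platform, version)
    "cat9k-core-1": ("IOS-XE", "17.9.4a"),
    "cat9k-access-2": ("IOS-XE", "17.6.3"),
    "n9k-leaf-1": ("NX-OS", "10.2(3)"),
    "n9k-spine-1": ("NX-OS", "10.3(2)"),
}


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Map '17.9.4a' or '10.2(5)' to a sortable tuple: numeric fields compare as
    integers; a letter suffix sorts after the bare number (assumed ordering)."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((int(t), "") if t.isdigit() else (0, t.lower()) for t in tokens)


def is_affected(advisory: Dict[str, str], platform: str, version: str) -> bool:
    """True when the running image falls inside the advisory's affected range."""
    if advisory["platform"] != platform:
        return False
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["first_fixed"])


def assess_inventory(inventory, advisories) -> Dict[str, List[Dict[str, str]]]:
    """Per device, list the advisories whose affected range covers its image.
    An empty list is the evidence that the image is clear of the listed advisories."""
    return {host: [a for a in advisories if is_affected(a, plat, ver)]
            for host, (plat, ver) in inventory.items()}


def staging_plan(inventory, advisories) -> Dict[str, str]:
    """Per device, the image to validate in the non-production lab before rollout:
    the highest 'first fixed' version among its open advisories, or 'none'."""
    plan = {}
    for host, hits in assess_inventory(inventory, advisories).items():
        plan[host] = max((h["first_fixed"] for h in hits), key=parse_version, default="none")
    return plan


if __name__ == "__main__":
    for host, target in staging_plan(INVENTORY, ADVISORIES).items():
        print(f"{host}: stage-and-verify {target}")
```

Swap the constructed lists for an export of the real inventory and the advisory data from the Software Checker, and the output of assess_inventory is the "safety" evidence while staging_plan is the list of images to validate in the lab first.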
11-19-2025 01:13 PM
Read the security bulletin carefully. Just because the firmware version is listed as affected, it does not always mean that it 100% applies to everyone. What is causing the feature to be considered "vulnerable"? Is there a workaround? These are some of the question(s) any reputable network/system admin should be asking on Day 1 instead of going around patching blindly and in panic.
"Upgrade to XYZ version" is not necessarily the answer because it will only introduce more security vulnerabilities and bugs -- better the devil you know than the devil you don't.
11-20-2025 01:50 AM
If you (and the NSA) are in doubt of the Cisco Security commitment, then you need to seek a tool outside Cisco!
But Cisco does update Catalyst Center with information about what software in its devices is vulnerable to what CVEs,
and advice for either a software upgrade or just a configuration adjustment to mitigate this vulnerability.
This information in Catalyst Center (in my belief) is updated in parallel to the Software Checker that @tinil mentions.
But this process does not include probing. It is just a report.
I have had good experience with "Nessus" software (which also checks other network-attached devices).
Nessus actively "probes" the devices to detect software version, open ports and other vulnerabilities (and therefore may cause alarms in your monitoring system!) and so can detect if configuration changes (like disabling telnet) have had a positive effect.