For government technology managers, keeping pace with software patches and system configuration changes to thwart hackers has become an increasingly difficult job in the past few years. The challenge is causing a radical change in the way many of them manage information technology security.

Instead of waiting until attacks occur and hoping tools such as firewalls and intrusion-detection systems catch them before they inflict serious damage, many agencies have taken the offensive by hunting vulnerabilities before they are exploited.

The catchall phrase for those efforts is vulnerability management. Agencies that are successful at it know that vulnerability management entails the right mix of security tools, policies and procedures, experts say.

Although some agencies are slow to embrace vulnerability management, a number of regulations require them to be more assertive in handling security. In particular, according to the Federal Information Security Management Act (FISMA) of 2002, agencies must develop and enforce policies and procedures to ensure that their systems comply with specific security configurations.

Those requirements are only going to get tougher. The National Institute of Standards and Technology will soon publish a draft of a new document that will mandate a set of no fewer than 17 controls that each agency will have to apply to each of their major applications and general support systems. They must also tailor those controls based on how critical different systems are to an agency's mission.

Compliance with security requirements means a lot of work to accurately assess and then effectively manage vulnerabilities. Those who do it well can reap rewards. In 2003, for example, the U.S. Agency for International Development scored a C-minus on its FISMA score card. For 2004, the first full year it had a vulnerability management program in place, it posted a score of A-plus, the highest of any government agency.

"In our case, vulnerability management was a big help in our FISMA compliance," said Bill Geimer, USAID's program manager for information security.

But what is vulnerability management?

Although several vendors offer what they call vulnerability management solutions, a vulnerability management program often includes a collection of technologies and procedures that form a management process. Program components vary according to specific agency needs. But experts say the core approach usually follows a common path and includes the following steps.