Getty Images/iStockphoto
NIST Defines “Critical Software” Per Cybersecurity Executive Order
NIST published its definition of “critical software” as directed in President Biden’s executive order aimed at improving the nation’s cybersecurity.
The National Institute of Standards and Technology (NIST) published its official definition of “critical software,” as instructed by President Biden’s executive order (EO) on improving the nation’s cybersecurity. NIST solicited feedback and position papers from the community to settle on a reasonable definition.
The executive order also directs the Cybersecurity & Infrastructure Security Agency (CISA) to use the “critical software” definition to create a list of categories of software that might fall under the first phase of the executive order’s implementation. NIST proposed a phased implementation approach to give the government and software industry time to secure the supply chain of critical software.
In a white paper released on June 25th, a day before the EO’s official deadline, NIST explains that “One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government. The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”
NIST uses the term “EO-critical” to differentiate between the common usage of the word “critical” and avoid any confusion. The official definition states:
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- is designed to run with elevated privilege or manage privileges;
- has direct or privileged access to networking or computing resources;
- is designed to control access to data or operational technology;
- performs a function critical to trust; or,
- operates outside of normal trust boundaries with privileged access.
NIST recommends that the first EO implementation phase focus on on-site standalone software that has security functions and the potential to be compromised. Future phases will tackle cloud-based software, software development tools, software components in operational technology (OT), and software that controls data access.
The paper provides a lengthy list of EO-critical software, along with descriptions, types of products, and rationale for the inclusion of each category of software. Categories include endpoint security, remote scanning, and identity, credential, and access management (ICAM), among others. This list is just a head start, and CISA will issue the finalized list in the near future.
NIST’s work contributes to the executive order’s main goal of managing risks to the cyber supply chain within the federal government. While private companies will not be required to follow NIST’s software supply chain guidelines, it is strongly recommended. Companies that sell to the federal government will need to comply with the government’s software supply chain practices.
Biden’s executive order contained a long list of tasks for NIST with deadlines extending into 2022. By July 11th, NIST will publish guidance outlining critical software security measures, and guidance on the minimum standards for the testing of a vendor’s source code.
Outside of it is executive order duties, NIST recently released a preliminary draft of its ransomware risk management framework, which aims to help organizations respond to ransomware attacks. The draft identifies crucial steps to maintaining cybersecurity, including using antivirus software, restricting the use of personal devices at the workplace, and keeping computers up to date.