NIST Creates Critical Software Definition for U.S. Government Agencies

President Biden’s Cybersecurity Executive Order calls on all government institutions to reassess their approach to cybersecurity, establish new methods for evaluating software, and adopt advanced security practices that lower risk, such as multi-factor authentication, encryption for data in transit and at rest, and a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to issue a definition of critical software. The Cybersecurity and Infrastructure Security Agency (CISA) will use that definition to compile a list of all software covered by the Executive Order and to develop security requirements that federal agencies must meet when acquiring and deploying such software. These measures are intended to protect against cyberattacks such as the SolarWinds Orion supply chain attack, in which state-sponsored Russian attackers gained access to the networks of several government agencies.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST solicited input from the private and public sectors and from many government agencies when determining what critical software actually is.

One of the objectives of the EO is to support the creation of a security standard for critical software used throughout the Federal Government. Designating software as EO-critical will subsequently drive further actions, such as changes to how the Federal Government purchases and manages deployed critical software.

NIST defines critical software as any software, or software dependency, that has at least one of the following attributes:

  1. Software designed to run with elevated privileges or used to manage privileges.
  2. Software with direct or privileged access to networking or computing resources.
  3. Software designed to control access to data or operational technology.
  4. Software that performs a function critical to trust.
  5. Software that operates outside of normal trust boundaries with privileged access.

The definition above applies to all software, whether it is firmware for devices or hardware components, a stand-alone application, or cloud-based software, used for or deployed in production systems or for operational purposes. It covers a broad range of software, including security tools, operating systems, identity and access management applications, hypervisors, network monitoring software, web browsers, and other software produced by private vendors and sold to federal agencies, as well as software developed in-house by government agencies for use on federal networks, including government off-the-shelf (GOTS) software.

NIST recommends that federal agencies first focus on implementing the Executive Order’s requirements for stand-alone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Agencies should then move on to other categories of software, such as cloud-based software, software that controls data access, and software components in boot-level and operational technology software.

NIST has published a preliminary list of EO-critical software, and CISA is expected to release a more detailed, finalized list soon.