NIST Releases Critical Software Definition for U.S. Federal Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to re-examine their approach to cybersecurity, develop new ways of assessing software, and implement modern security practices to reduce risk, for example multi-factor authentication, encryption for data at rest and in transit, and a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to issue a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to produce a list of all software covered by the Executive Order and to develop security guidelines that government agencies must follow when buying and deploying that software. These steps are intended to help prevent cyberattacks such as the SolarWinds Orion supply chain attack, in which state-sponsored Russian hackers infiltrated the systems of a number of federal agencies.

The Executive Order required NIST to submit its critical software definition within 45 days. NIST sought input from the public and private sectors and from several government agencies when defining what critical software is.

One goal of the EO is to help establish a security baseline for critical software products used throughout the Federal Government. Designating software as EO-critical will therefore trigger further activities, such as changes to how the Federal Government acquires and manages deployed critical software.

NIST defined critical software as software or software dependencies with one or more of the following characteristics:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software that operates outside of normal trust boundaries with privileged access.
  • Software that performs a function critical to trust.
  • Software with direct or privileged access to networking or computing resources.
  • Software designed to control access to data or operational technology.

The definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used in or deployed to production systems or used for operational functions. It therefore covers a wide range of software, including operating systems, security tools, hypervisors, access management applications, network monitoring applications, web browsers, and other applications developed by private firms and sold to government agencies, as well as software created internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended that federal agencies first focus on meeting the requirements of the Executive Order for stand-alone, on-premises software that has critical security functions or has considerable potential to cause harm if compromised. After that, agencies should move on to other categories of software, for example web-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a preliminary list of EO-critical software; CISA will release a more extensive, finalized list in the coming weeks.