NIST details executive order’s ‘critical software’ categories
Connecting state and local government leaders
To help agencies comply with the Biden administration’s cybersecurity executive order, the National Institute of Standards and Technology posted a new definition of "critical software" for production systems and operational purposes.
To help agencies comply with the Biden administration’s cybersecurity executive order, the National Institute of Standards and Technology on June 25 posted a new definition of "critical software" for production systems and operational purposes.
Critical software is defined as covering endpoint protection, data backup, identity and credentialing management, operating systems and container environments, which perform functions dealing with user trust and operational monitoring and are designed to be managed by users with an elevated privilege level.
The definition applies to "software of all forms," including cloud-based software, but NIST is recommending that agencies focus on "standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised."
Tatyana Bolton, policy director for the cybersecurity and emerging threats team at the nonpartisan public policy research organization R Street Institute, suggested the primary focus on traditional systems could be "a time-limited or scope-driven choice by NIST, rather than a discounting of the unique characteristics and requirements of cloud infrastructure security."
The definition was initially unveiled on June 24 during an Information Security and Privacy Advisory Board meeting, a day before it was set to publish on schedule as per the executive order.
The critical software definition sets the stage for NIST to issue guidance on best practices for vendors to maintain the security and integrity of their software code. At the end of the process, vendors will be required to self-attest to playing by new supply chain security rules, document their compliance participate in vulnerability disclosure programs.
According to NIST, the Cybersecurity and Infrastructure Security Agency will publish an official list of software categories included under the new definition at a later date.
This article was first posted to FCW, a sibling site to GCN.