NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST’s critical software definition is software or software dependencies that contain one or more of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended federal agencies should initially focus on implementing the requirements of the Executive Order on standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move onto other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a list of EO-critical software, although CISA will publish a more comprehensive finalized list in the coming weeks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.