In May 2021, US President Joe Biden issued an ‘Executive Order on Improving the Nation’s Cybersecurity’. We’ve provided a full breakdown of the Cybersecurity Executive Order and its impact here.
As part of Biden’s executive order, federal agencies are required to revisit their cybersecurity strategy. This includes developing new ways to evaluate the software that departments buy and deploy. It also calls for them to adopt modern cybersecurity practices such as encryption, multi-factor authentication and “zero trust”.
Under one of the first key deliverables issued within the Executive Order, President Biden requested that NIST (National Institute of Standards and Technology) provide a definition of critical software within 45 days of the order being issued. Going forward, this definition would be used by the US Cybersecurity and Infrastructure Security Agency (CISA) to publish a list of software products that fall under the ‘EO-Critical Software’ definition. This in turn would allow CISA to create new security rules for how government agencies buy and deploy software within federal networks.
NIST Definition of EO-Critical Software
NIST fulfilled this requirement in a memo issued in June 2021. The full memo released by NIST can be found here. NIST’s definition was as follows:
“EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- is designed to run with elevated privilege or manage privileges;
- has direct or privileged access to networking or computing resources;
- is designed to control access to data or operational technology;
- performs a function critical to trust; or,
- operates outside of normal trust boundaries with privileged access.”
The memo went on to state that:
“The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.
NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.”
NIST also provided a preliminary list of software categories considered to be EO-critical. The categories included:
- “Identity, credential, and access management (ICAM)
- Operating systems, hypervisors, container environments
- Web browsers
- Endpoint security
- Network control
- Network protection
- Network monitoring and configuration
- Operational monitoring and analysis
- Remote scanning
- Remote access and configuration management
- Backup/recovery and remote storage”
The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain. This will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.
Once NIST published the definition of critical software, CISA and the Department of Homeland Security were given 30 days to publish a list of software products that meet this definition and are used within federal government networks. Following that, NIST, CISA and OMB will publish guidelines for securing these critical software products, according to the executive order.
Contractors that provide software throughout the government supply chain (particularly those that provide what may be considered “EO-critical” software) should be monitoring agency activity closely, especially as it relates to the targets and objectives set out in the Cybersecurity Executive Order. Added to this, contractors should anticipate that further requirements will be set out next year as part of the EO. These requirements will have to be adhered to in order to continue to supply certain software to the federal government.