
GSA Official Says Identifying Critical Software Essential in Securing Cyber Supply Chain

Software security

The commissioner of the General Services Administration’s Federal Acquisition Service said the federal IT community must focus on identifying critical software components as it works to address supply chain risks.

Speaking at the ACT-IAC’s Imagine Nation ELC event, Sonny Hashmi said organizations must work to identify code that may impact national security even as the definition of critical software continues to change. He stated that although the National Institute of Standards and Technology has yet to finalize the definition of what critical software is, users must think of the solutions they deploy as if they were critical software, FedScoop reported Tuesday.

The FAS commissioner’s comments come as GSA, NIST and the Cybersecurity and Infrastructure Security Agency continue to develop cyber supply chain guidance for vendors.

CISA is working with the Office of Management and Budget to create a form that departments will use to prove that their software vendors have attested that their technologies meet NIST guidelines. The form is part of cybersecurity guidelines issued by the Biden administration in September.

Following the release of President Joe Biden’s cybersecurity executive order in May 2021, NIST defined critical software as any solution that is designed to run with elevated privilege; has direct or privileged access to networking or computing resources; is designed to control access to data or operational technology; performs a function critical to trust; or operates outside of normal trust boundaries with privileged access. NIST said this initial definition would apply to all forms of software used for operational purposes.

Some software categories that NIST listed as critical are identity, credential and access management; operating systems; container environments; network control and protection; and remote scanning.