GSA Official Says Identifying Critical Software Essential in Securing Cyber Supply Chain
The commissioner of the General Services Administration's Federal Acquisition Service said the federal IT community must focus on identifying critical software components as it works to address supply chain risks.
Speaking at the ACT-IAC’s Imagine Nation ELC event, Sonny Hashmi said organizations must work to identify code that may impact national security even as the definition of critical software continues to change. He stated that although the National Institute of Standards and Technology has yet to finalize the definition of what critical software is, users must think of the solutions they deploy as if they were critical software, FedScoop reported Tuesday.
The FAS commissioner's comments come as GSA, NIST and the Cybersecurity and Infrastructure Security Agency continue to develop cyber supply chain guidance for vendors.
CISA is working with the Office of Management and Budget to create a form that departments will use to prove that their software vendors have attested that their technologies meet NIST guidelines. The form is part of cybersecurity guidelines issued by the Biden administration in September.
Following the release of President Joe Biden's cybersecurity executive order in May 2021, NIST defined critical software as any solution that is designed to run with elevated privilege, has direct or privileged access to networking or computing resources, is designed to control data or operational technology access, performs a function critical to trust, or operates outside of normal trust boundaries with privileged access. NIST said this initial definition would apply to all forms of software used for operational purposes.
Some software categories that NIST listed as critical are identity, credential and access management; operating systems; container environments; network control and protection; and remote scanning.