NIST Issues Document Defining ‘Critical Software’ Under Cybersecurity Executive Order

The cybersecurity executive order President Joe Biden signed in May includes an effort that seeks to exert more control over the content of codes entering government systems and public infrastructure.

The National Institute of Standards and Technology completed the first deliverable in the EO on June 25, when it released a document defining “critical software,” a move that is fundamental to the initiative to manage software supply chains, FCW reported.

Critical software is any software that has “direct software dependencies upon one or more components with at least” one of five attributes, including having the ability to run with “elevated privilege or manage privileges”; having “direct or privileged access to networking or computing resources”; and having the ability to “operate outside of normal trust boundaries with privileged access.”

The definition applies to all forms of software, including standalone software, those based on the cloud and those integral to particular devices or hardware components deployed in production systems and used for operational purposes.

Meanwhile, the NIST said that its definition does not apply to other use cases, including software solutions used for research or testing alone that are not deployed in a production system.

The NIST, however, recommends that the initial implementation of the EO focus on standalone, on-premises software designed for security-critical applications or those that could result in significant harm in the event of a compromise.

In the document, the agency provided a preliminary list of software categories considered to be critical to the cybersecurity EO, including endpoint security, network control, network protection and remote scanning.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now