Federal directive
OMB Memo Sets 12-Month Deadline for Securing On-Premise Federal Software
The Office of Management and Budget released a memorandum on Tuesday requiring all federal agencies to protect on-premise software in line with recent guidance issued by the National Institute of Standards and Technology.
Agencies must first identify critical software, including software currently in use or in the process of acquisition, within 60 days of the memo’s publication date, before proceeding with the actual implementation of security measures in the next 12 months, Federal News Network reported Tuesday.
Per the NIST guidance, the OMB directive applies to any software that runs with elevated or managed privileges, performs functions critical to trust, operates outside of normal trust boundaries, and has direct or privileged access to networking or computing resources.
However, not all critical software categories will be covered by the 12-month deadline. According to the OMB, standalone, on-premise software that performs security-critical functions or poses a significant risk if compromised will be prioritized. This includes applications that provide identity, credential and access management, endpoint security, network control, remote scanning, and backup or recovery.
Updated NIST guidance will be released to identify additional software categories for subsequent stages of security implementation. The next phase, slated to run for another 12 months, may address vulnerabilities in cloud-based and hybrid software and software components in boot-level firmware and operational technology, among others.
Kent Landfield, the chief standards and technology policy strategist for McAfee Enterprise, hopes that NIST will not wait an entire year before issuing new guidance, noting that such a gap could have a snowball effect.
“For example, six months down the road NIST issues guidance, that’s going to cause a trigger for the subsequent phase for cloud-based software or software controls access to data or those other types of areas where they’re going to have to address those as well,” Landfield told Federal News Network.