The National Institute of Standards and Technology (NIST) has released an updated definition of “critical software,” as directed by the Biden administration’s executive order (EO) on cybersecurity.
In the EO on Improving the Nation’s Cybersecurity, signed May 12, 2021, the Biden administration stresses the importance of improving software supply chain security. Among many other measures aimed at improving cybersecurity, the order will create “baseline security standards” for the development of software sold to the government. It also will require developers “to maintain greater visibility into their software” and to make security data publicly available.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” the White House said. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road.”
The EO charged NIST with publishing an updated definition of “critical software.” The definition is needed because the EO also directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop a list of software categories and products, whether already in use or in the acquisition process, that meet NIST’s definition.
According to NIST, “critical software” is defined as “any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- Is designed to run with elevated privilege or manage privileges;
- Has direct or privileged access to networking or computing resources;
- Is designed to control access to data or operational technology;
- Performs a function critical to trust; or,
- Operates outside of normal trust boundaries with privileged access.”
Note the reach of the dependency clause: software is in scope not only when it itself has a component with one of these attributes, but also when it directly depends on such a component.
To align the definition with how CISA will eventually apply it, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Together they developed the definition, the concept of a phased implementation, and a preliminary list of common software categories that would fall within scope for the initial phase.
For the initial EO implementation phase, NIST recommends focusing on standalone, on-premises software that has security-critical functions or that otherwise poses comparable potential for harm if compromised. Subsequent phases may address other categories of software such as:
- Software that controls access to data;
- Cloud-based and hybrid software;
- Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
- Software components in boot-level firmware; or
- Software components in operational technology.
NIST also noted that additional guidance on applying this definition for implementing the EO will be forthcoming from CISA and OMB. NIST said it worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans.