An August 10 memo from Shalanda Young, acting director of the Office of Management and Budget (OMB), gives Federal agencies instructions on complying with the security guidance for “critical software” called for in President Biden’s executive order (EO) on cybersecurity, issued in May.
The cyber EO recognizes the importance of software security to the Federal government, particularly the protection of “critical software.” The EO directs OMB to require agencies to comply with the security measures for critical software set forth by the National Institute of Standards and Technology (NIST). On July 8, NIST published guidance outlining the core security measures for protecting critical software that Federal agencies must implement.
“This memo provides instructions for the implementation of those measures required to secure the use of software and directs agencies to implement those measures in phases,” Young wrote.
During the initial implementation phase, “agencies should focus on standalone, on-premises software that performs security-critical functions or poses similar significant potential for harm if compromised,” the OMB memo states. This includes operating systems, web browsers, network control, and operational monitoring and analysis.
Subsequent implementation phases will address additional categories of software, such as software that controls access to data, as well as cloud-based and hybrid software.
The memo also gives agencies 60 days to report their critical software inventories, and one year to implement the NIST security measures that safeguard that software.
“The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and, ultimately, the American people’s security and privacy,” wrote Young. “The Federal government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”