What is the definition of critical software?

The National Institute of Standards and Technology has published its definition of what critical software means for the US Federal Government.

The National Institute of Standards and Technology (NIST) has published its definition of what 'critical software' means for the US Federal Government, as the standards agency begins fulfilling some of the requirements laid out in President Joe Biden's executive order on cybersecurity.

As part of Biden's executive order published on May 12, federal agencies are now required to re-examine their approach to cybersecurity, including developing new ways to evaluate the software that departments buy and deploy, and adopting modern security practices such as zero trust architecture, multifactor authentication and encryption.

As one of the first deliverables under the executive order, NIST was required to publish a definition of critical software within 45 days of the order being issued. The US Cybersecurity and Infrastructure Security Agency (CISA) will now use that definition to publish a list of software products and categories that fall under it, which in turn allows CISA to set new security requirements for how government agencies buy and deploy such software within federal networks.

By focusing first on what critical software means for federal government agencies, the executive order aims to curtail the type of supply chain threats that organisations face, such as the attack that targeted SolarWinds and users of the company's Orion network monitoring tool.

NIST's definition is as follows:

EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.

The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.

NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other categories of software such as:

  • software that controls access to data;
  • cloud-based and hybrid software;
  • software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
  • software components in boot-level firmware; or
  • software components in operational technology (OT).

According to NIST, CISA will publish an official list of the software categories covered by the new definition at a later date.
