The National Institute of Standards and Technology has published its definition of what “critical software” means for the U.S. federal government, as the standards agency begins fulfilling some of the requirements laid out in President Biden’s executive order on cybersecurity.
This is the first deliverable, which will then allow CISA to create security rules around how government agencies buy and deploy software on federal networks. While the goal is to stop supply chain threats, the list is broad and may include just about any software in use.
Critical software is defined as software, or software dependencies, with at least one of the following attributes:
- Software that is designed to run with elevated privilege or manage privileges;
- Software that has direct or privileged access to networking or computing resources;
- Software that is designed to control access to data or operational technology;
- Software that performs a function critical to trust;
- Or software that operates outside of normal trust boundaries with privileged access.
This definition includes operating systems, web browsers, hypervisors, endpoint security tools, identity and access management applications, network monitoring tools and other products, according to NIST. If the software is deployed ONLY in a test environment and not on production systems, it would be outside of the scope of this definition.
Is this list going to be helpful, or will it simply be too broad to manage? And what about the risks of internally developed applications?
More to come.