Just in Time – NIST Releases Definition of “Critical Software” According to Biden Executive Order on Cybersecurity | Sheppard Mullin Richter & Hampton LLP
As directed by the Cybersecurity Executive Order (“EO”) of May 12, 2021 issued by the Biden administration (discussed here), NIST met its deadline to publish a definition of “critical software” within 45 days of the date of the Order. Determining what constitutes “critical software” is a key step in the process laid out in the EO for securing the software supply chain, which will culminate next year in new federal procurement regulations for contractors who supply software.
NIST’s definition of “critical software” as set out in a white paper released on June 25, 2021 is as follows:
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- is designed to run with elevated privilege or to manage privileges;
- has direct or privileged access to networking or computing resources;
- is designed to control access to data or operational technology;
- performs a function critical to trust; or,
- operates outside of normal trust boundaries with privileged access.
The white paper further states that “[t]he definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes.” Further, “[o]ther use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.”
NIST provides more information on key terms in the definition. For example:
- “Direct software dependencies” means, for a given component or product, “other software components (e.g., libraries, packages, modules) that are directly integrated into, and necessary for operation of, the software instance in question. This is not a systems definition of dependencies and does not include the interfaces and services of what are otherwise independent products.”
- “Critical to trust” means “categories of software used for security functions such as network control, endpoint security, and network protection.”
The white paper also includes a table explaining each category of software it considers “EO-critical,” along with a list of frequently asked questions (FAQs) and answers. The categories of software listed in the NIST table include:
- Identity, Credentials and Access Management (ICAM)
- Operating systems, hypervisors, container environments
- Web browsers
- Endpoint security
- Network control
- Network protection
- Network monitoring and configuration
- Operational monitoring and analysis
- Remote scanning
- Remote access and configuration management
- Remote backup / restore and storage
Contractors who supply software throughout the government supply chain, especially those who provide what may be considered “EO-critical” software, should closely monitor agency activity under the EO, which will include the publication of the minimum elements for a software bill of materials (SBOM) and guidance on security measures for critical software (both due in mid-July). Additionally, contractors should anticipate new requirements next year that must be implemented (and likely flowed down to vendors and subcontractors) in order to continue supplying certain software to the federal government.