OMB gives agencies 60 days to identify critical software and begin securing it

The mandate follows a cybersecurity executive order in May that required NIST to define critical software.

The Office of Management and Budget has given federal agencies 60 days to identify all their critical software in use or being acquired and a year to secure it, according to a memo issued Tuesday.

OMB directed agencies to focus on securing standalone, on-premise software performing “security-critical” functions or posing “significant potential for harm” if compromised, during the initial implementation phase of critical software guidance released by the National Institute of Standards and Technology on July 8.

The latest mandate comes after President Biden on May 12 issued an executive order titled Improving the Nation’s Cybersecurity, which required NIST to define critical software to help agencies prevent unauthorized access to it, secure data and quickly respond to threats.

“The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy,” said the memo. “The federal government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”


Phase 1 of implementing NIST’s guidance includes software handling: identity, credential and access management; operating systems, hypervisors and container environments; web browsers; endpoint security; network control; network protection; network monitoring and configuration; operational monitoring and analysis; remote scanning; remote access and configuration management; and backup/recovery and remote storage.

NIST will update its guidance as needed to launch subsequent phases covering additional software categories selected by the Cybersecurity and Infrastructure Security Agency, which agencies will have one year from release to address.

Subsequent phases will cover: software that controls access to data; cloud-based and hybrid software; software development tools like code repository systems, testing software, integration software, packaging software, and deployment software; software components in boot-level firmware; and software components in operational technology (OT).

NIST defined critical software as software that, or software dependent upon software that:

  • is designed to run with elevated privileges or manage privileges,
  • has direct or privileged access to networking and computing resources,
  • is designed to control access to data or operational technology,
  • performs a function critical to trust, or
  • operates outside of normal trust boundaries with privileged access.

Some cybersecurity experts found NIST’s definition narrow at the time and feel Phase 1’s focus on security products — rather than industrial control, financial, health and election systems — goes against the spirit of the cybersecurity executive order.

“I’d say software is critical if compromised it would cause significant loss of human life or irreparable infrastructure damage or extensive financial harm,” Jeff Williams, chief technology officer at Contrast Security, told FedScoop. “Maybe undermining democracy if it’s an election system, but the definition as it’s written right now doesn’t touch any of those systems.”

It is possible NIST was just trying to get a definition out the door or faced pressure from system integrators reluctant to add additional security controls to the software they sell the government, Williams added.

Of the systems Williams wants addressed, only OT was mentioned in OMB’s memo as software to be targeted in a later phase — though it does leave room for agency discretion.

“Agencies should keep in mind that the measures identified in the guidance from NIST are not comprehensive,” reads the memo. “Their adoption may not eliminate the need to implement additional security measures to satisfy requirements and objectives that lie outside the scope of the NIST guidance.”
