White House orders compliance with 'critical software' protection measures

security in agile process 

A new White House memo instructs agencies on how to comply with guidance on the security of "critical software" as directed in the May executive order on cybersecurity.

An Aug. 10 memo from Shalanda Young, acting director of the Office of Management and Budget, builds off the definition of critical software issued by the National Institute of Standards and Technology in June. That definition focuses on software that has high-level authority to issue and manage computing and network privileges or otherwise operates at a high level of privilege.

The definition applies to standalone software, software embedded in devices and software in the cloud, but in the first round of implementation of the guidance, the focus should be on on-premise or standalone software, the new memo states.

The memo also starts a 60-day clock for agencies to report on their critical software inventories and a one-year timeline for implementing security measures as called for by NIST to safeguard critical software.

The May executive order also set out a number of other deliverables that are due on or about Aug. 10. That includes the issuance by OMB of a federal cloud security strategy that serves as a guide to the risks of cloud adoption and the deployment of zero trust architectures. Similarly, the Cybersecurity and Infrastructure Security Agency was tasked with issuing a cloud security technical reference architecture to support secure cloud migration.

Additionally, the Department of Homeland Security was asked to weigh in on whether its cyber operators can hunt for threats on civilian federal networks without prior approval from individual agencies.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected