White House Memo Orders Agencies to Identify Critical Software

Federal agencies have 60 days to identify critical software in their systems and one year to secure it, according to a memo issued Aug. 10 by the Office of Management and Budget.

The memo, authored by OMB Acting Director Shalanda Young, is resultant from President Joe Biden’s May 12 executive order on improving the nation’s cybersecurity, which laid groundwork for several directives. One of those directives instructed the National Institute of Standards and Technology to define “critical software” for agencies, and the memo builds on the definition NIST released in June. The definition applies to “software of all forms,” according to the memo, including “standalone software, software integral to specific devices or hardware components” and cloud-based software that is purchased for or deployed for operational purposes. NIST defines critical software as software that runs on or depends on software that:

• is designed to run with elevated privilege or manage privileges;
• has direct or privileged access to networking or computing resources;
• has designed to control access to data or operational technology;
• performs a function critical to trust; and
• operates outside of normal trust boundaries with privileged access.

“The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and, ultimately, the American people’s security and privacy,” the memo reads. “The Federal Government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”

In this initial phase of critical software guidance, agencies are directed to focus first on identify, credential and access management, operating systems, web browsers, endpoint security, network control, network protection, networking monitoring and configuration, operational monitoring and analysis, remote scanning, remote access and backup or remote storage.

The memo also provides a schedule agencies must follow implementing critical software guidance. Within 60 days from the memo’s issuance, agencies must “identify all agency critical software, in use or in the process of acquisition.” Agencies further have one year to implement security measures designated by NIST for all categories of the initial critical software guidance, and one year to incorporate subsequent security measures for each guidance update from NIST.