NIST defines 'critical software' under the cyber EO

The Biden administration's cybersecurity executive order, issued in May, touched off a major effort to exert more control over the content of code that finds its way into government systems and public infrastructure.

One of the first deliverables in the order was published on Friday – a definition from the National Institute of Standards and Technology covering "critical software" which is foundational to the effort to police software supply chains.

The new definition of critical software covers a lot of behind the scenes compute tools – endpoint protection, data backup, identity and credentialing management, operating systems and container environments, which perform functions dealing with user trust and operational monitoring and are designed to be managed by users with an elevated privilege level.

The definition applies to "software of all forms," including cloud-based software, but NIST is recommending that initially the agencies charged with implementing the executive order focus on "standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised."

NIST said a phased approach for the new guidelines will allow time for coordination among impacted programs, specifically citing the Federal Risk and Authorization Management Program (FedRAMP), a government-wide standardized security process for firms deploying cloud-based software.

Tatyana Bolton, policy director for the cybersecurity and emerging threats team at the nonpartisan public policy research organization, R Street Institute, suggested the primary focus on traditional systems could be "a time-limited or scope-driven choice by NIST, rather than a discounting of the unique characteristics and requirements of cloud infrastructure security."

The definition was initially unveiled on Thursday during an Information Security and Privacy Advisory Board meeting, a day before it was set to publish on schedule as per the executive order. The executive order required the Secretary of Commerce to publish a definition for critical software within 45 days, working through the director of NIST and in consultation with the directors of the National Security Agency, the Cybersecurity and Infrastructure Security Agency and other federal departments.

The critical software definition sets the stage for NIST to issue guidance on best practices for vendors to maintain the security and integrity of their software code. At the end of the process, vendors will be required to self-attest to playing by new supply chain security rules and provide some documentation to prove their compliance. Vendors will also be asked to participate in vulnerability disclosure programs.

Under the executive order, the Department of Homeland Security has a year to recommend new contract language to update the Federal Acquisition Regulation (FAR) to cover these new supply chain security practices.

Firms that cannot attest to being compliant under the amended FAR will have their software removed from all contracts, according to the executive order.

The government has targeted commercial software for removal in the past – most notably under a DHS binding operational directive to get rid of Kasperky's antivirus software in 2017.

Alan Chvotkin, partner at Nicholas Liu LLP and former executive vice president and counsel of the Professional Services Council (PSC), suggested firms that fail to comply with the new guidelines will meet a similar fate.

"I would expect such remedial action here as well," Chvotkin said, "particularly for 'critical software' applications that are identified as being in use - or to be purchased in the future - by federal agencies."

Chvotkin predicted it will take "well over a year" from the issuing of the new definition until the FAR rule can be published and effective. Chvotkin also expects the order will have a "ripple effect" across other government programs and policies, including FedRAMP and the Cybersecurity Maturity Model Certification (CMMC).

He added: "Companies should track these developments carefully and not wait for a final FAR rule before making an assessment of the impact on their software products - and software development - and their ability to comply with anticipated requirements."

According to NIST, the CISA will publish an official list of software categories included under the new definition at a later date.