This article has been indexed from Security Boulevard
On May 12, 2021, President Biden announced an executive order to improve the nation’s cybersecurity. The order, which outlines security initiatives and timelines, calls for the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) to enhance the security of the software supply chain.
One of NIST’s first orders of business was to define critical software by June 26, 2021. According to the executive order, the definition of critical software needs to “reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” In other words, the definition must be specific enough to help the federal government with purchase decisions and deployment of critical software.
NIST met the due date, releasing its definition of critical software. “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:”
Is designed to run with elevated privilege or manage privileges;
Has direct or privileged access to networking or computing resources;
Is designed to control access to data or operational technology;
Performs a function critical to trust; or,
Operates outside of normal trust boundaries with privileged access.
NIST states, “the definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes.”
As the executive order implementation matures, the definition may expand to include additional forms of software, such as:
Software that controls access to data
Cloud-based and hybrid software
Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software
Software components in boot-level firmware
Software components in operational technology (OT)
NIST’s second initiative – also achieved – was to “identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software.”
The categories in the prelimin
[…]
Read the original article: Executive Order Update: NIST Establishes a Definition for Critical Software and Outlines Scan Requirements for Software Source Code