The rise of cybersecurity breaches in our country is impossible to ignore. Critical industries like healthcare, government, and even energy suppliers have proven to be vulnerable to attacks by increasingly sophisticated hackers. In response, President Biden issued an executive order in May of this year to improve the nation's cybersecurity. The key themes are improving and implementing stronger cybersecurity standards, improving supply chain security, and removing barriers to sharing threat information between government and the private sector. The executive order directs the Cybersecurity & Infrastructure Security Agency (CISA) to develop a list of software categories and products, in use or in the acquisition process, that meet the definition of critical software.
The National Institute of Standards and Technology (NIST) recently published its definition of “critical software” as directed in President Biden’s executive order. Critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
Executive Order Phases
NIST recommends that the first implementation phase focus on on-site standalone software that has security functions and the potential to be compromised. Future phases will tackle cloud-based software, software development tools, software components in operational technology (OT), and software that controls data access.
NIST also provided a preliminary list of software categories and types of products considered to be EO-critical. Categories include endpoint security, remote scanning, and identity, credential, and access management (ICAM), among others. CISA will issue the finalized list in the near future.
Managing Risk to the Supply Chain
NIST’s work contributes to the executive order’s main goal of managing risks to the cyber supply chain within the federal government. While private companies will not be required to follow NIST’s software supply chain guidelines, following them is strongly recommended. Companies that sell to the federal government will need to comply with the government’s software supply chain practices. Over time, it is likely that other companies in the private sector will adopt these guidelines and practices.
Cybersecurity is a quickly evolving topic with ever-changing guidelines and recommendations. We hope this post serves as a helpful starting point and will continue to explore new developments on this topic.
Stay tuned for an upcoming blog post featuring Michael Wanke, AVP of Software Development at Forward Advantage, and his thoughts on the impact of the new executive order and recommendations for managing risk.