The goal is to enable stronger security practices for government-purchased software mandated by President Biden's cybersecurity executive order. A significant part of the Biden administration’s wide-ranging cybersecurity executive order (EO) mandates that the National Institute of Standards and Technology (NIST) define what constitutes “critical software,” a deliverable that is central to the wider effort of securing software supply chains. Last week NIST made good on this assignment when it released a preliminary list of software categories within the scope of this definition.The EO stipulates that NIST’s definition “shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” Thus, the goal of the definition is to drive several additional activities required under the EO to shape how the federal government purchases and manages deployed critical software.One driving principle behind the critical software definition is that when combined with other aspects of the EO, software acquisition by the federal government would tilt over time toward only those products that have met reasonable security measures. The hope is that the federal government’s “power of the purse” would spill over to the private sector because most major software suppliers sell to both public and private sector customers and would find it more efficient to create a single secure product for both sectors.Attributes of critical softwareAfter consulting with other government agencies, soliciting position papers from the software community, and hosting a virtual workshop to develop the definition, NIST has determined that “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:” Is designed to run with elevated privilege or manage privilegesHas direct or privileged access to networking or computing resourcesIs designed to control access to data or operational technologyPerforms a function critical to trustOperates outside of normal trust boundaries with privileged accessNIST said that the definition applies to all software forms, “including standalone software, software integral to specific devices or hardware components, and cloud-based software purchased for, or deployed in, production systems and used for operational purposes.” Later phases of the EO’s implementation may also include other categories of software, including:Software that controls access to dataCloud-based and hybrid softwareSoftware development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment softwareSoftware components in boot-level firmwareSoftware components in operational technology (OT)Critical software categoriesNIST has produced a table that spells out the specific categories of software used for security functions, such as those affecting network control, endpoint security, and network protection. The preliminary critical software categories in the table include: Identity, credential, and access management (ICAM)Operating systems, hypervisors, container environmentsWeb browsersEndpoint securityNetwork controlNetwork protectionNetwork monitoring and configurationOperational monitoring and analysisRemote scanningRemote access and configuration managementBackup/recovery and remote storage“This is absolutely nothing new at all,” software security veteran Chris Wysopal, co-founder and CTO of Veracode, tells CSO. “People have been talking about this kind of concept for decades.” Nevertheless, he says, “It’s great that there is sort of a line in black and white. Finally, something is going to be done about this critical software to make sure it’s not putting undue risks on national security.”The hack of SolarWinds network management software by Russian intelligence is a central impetus for developing this security baseline for critical software products, as NIST itself notes. Stating that recent incidents demonstrate the need for the federal government to improve its defense against malicious cyber actions, NIST pointed out that “threat actors are exploiting the pervasive use of software and the complexity of the underlying code and software development and distribution practices.”A solid start“We just can’t just keep letting this happen,” Wysopal says. “We can’t just wait for the next SolarWinds to happen, even if it takes six months or a year or the next one.”Wysopal thinks that NIST has done an excellent job covering the necessary bases in coming up with its preliminary parameters of critical software. “If you look at the different software they’ve come up with, it’s software that shares the same kind of privileged position in the network and identity [as SolarWinds], but it is a whole different range of software,” he says. “I think they’ve broadened it out enough.”Despite the comprehensive nature of its definition, NIST hasn’t included some software that can serve as an attack vector. “You could say, well, even the least privileged piece of software on your network could eventually end up [compromising] your crown jewels because of the whole concept of lateral movements and privilege escalation and chaining vulnerabilities together,” Wysopal says, adding that you have to start somewhere and that over time, “I fully think that they need to move to lower risk software, too.” It’s only when the government and the security industry get good at handling the highest-risk critical software that the software definitions can broaden.“This is where you start,” Wysopal says. “I hope it isn’t an endpoint. It is going to take a couple of years to get this up and running smoothly before anyone would think of any kind of expansion.” Next steps NIST said that CISA and the Office of Management and Budget (OMB) “will monitor the implementation of the program in the initial phase and decide when to include additional software categories.” In the meantime, the following near-term EO directives will flow from NIST’s preliminary definition of critical software:Around July 12, OMB and CISA will publish guidance outlining security measures for critical software.Around July 25, DHS through CISA will “identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software.”Around August 24, the director of OMB, acting through the Administrator of the Office of Electronic Government within OMB, will take appropriate steps to require that agencies comply with the guidance outlining critical software security measures.In the long run, the actions in the EO surrounding software security should make supply chain attacks “much, much, much harder because right now nothing is stopping that from happening,” Wysopal says. “The government isn’t scrutinizing any of this critical software through this lens.”Moreover, tightening critical software security through the federal acquisition process could bolster software security by reducing the need to patch software products as frequently. “Applying requirements on this type of software from the vendor to do more security testing should also mean that there are more vulnerabilities that are found in the development process and not found after the fact,” Wysopal says. “I think there will be that secondary effect that the software will actually become more secure.” Related content news Top cybersecurity product news of the week New product and service announcements from Coro, Descope, Genetec, Varonis, Cloudbrink, Databarracks, and Security Journey By CSO staff Dec 07, 2023 22 mins Generative AI Generative AI Machine Learning news analysis Attackers breach US government agencies through ColdFusion flaw Both incidents targeted outdated and unpatched ColdFusion servers and exploited a known vulnerability. By Lucian Constantin Dec 06, 2023 5 mins Advanced Persistent Threats Cyberattacks Vulnerabilities news BSIMM 14 finds rapid growth in automated security technology Embrace of a "shift everywhere" philosophy is driving a demand for automated, event-driven software security testing. By John P. Mello Jr. Dec 06, 2023 4 mins Application Security Network Security news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe