US Agencies Ordered to Pinpoint Critical Software

The White House has ordered federal agencies to identify all the critical software in their systems and secure it.

The order was issued to the heads of executive departments and agencies on August 10 in a memo from the Office of Management and Budget’s acting director, Shalanda Young. Recipients were given 60 calendar days from the date of the memo’s publication to pinpoint the critical software.

According to the memo, much of the software that the federal government relies on to perform its critical functions is “commercially developed through an often-opaque process that may lack sufficient controls to prevent the creation and exploitation of significant application security vulnerabilities.”

Young writes that this situation has resulted in “a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended.”

In the memo, Young references guidance released by the National Institute of Standards and Technology (NIST) on what constitutes critical software.

An executive order on Improving the Nation’s Cybersecurity, issued by President Joe Biden on May 12, 2021, directed NIST to publish a definition of the term critical software.

The resulting definition of critical software published by NIST in June described it as “any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

• is designed to run with elevated privilege or manage privileges;

• has direct or privileged access to networking or computing resources;

• is designed to control access to data or operational technology;

• performs a function critical to trust; or,

• operates outside of normal trust boundaries with privileged access.”

After identifying their critical software, agencies have one year to implement the security measures for critical software laid out in NIST’s guidance.

“The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and, ultimately, the American people’s security and privacy,” the memo states.

“The federal government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”