Critical Software Definition - Background & Approach

Background

Recent incidents have demonstrated the need for the Federal Government to improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber actions and actors. In particular, threat actors are exploiting the pervasive use of software and the complexity of the underlying code and software development and distribution practices. One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government. The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software. In particular, the EO seeks to limit acquisition to software that has met security measures such as use of a secure development process and integrity checks that are defined in Section 4(e) of the EO.

Given the broad scope of the EO and its potential impact on both government operations and the software marketplace, NIST set the following goals for the definition of critical software:

  • Clarity – The implementation of the program will drive activity across the entire Federal Government, with impacts on the software industry. Having a clear definition that can be used by the software industry and the Government is vital to the successful implementation of the EO.
  • Viability – For the EO to be viable, its implementation must take into consideration how the software industry functions, including product development, procurement, and deployment. The software marketplace is dynamic and evolves continuously. How software is developed, brought into an organization, and used by an organization is changing rapidly. Software is purchased as a product, as part of a product, and as a service. Software is often modular, consisting of many components.

There are many existing definitions and uses of the term critical. Most are based on how technology supports various tasks or processes, such as safety critical or critical infrastructure. The use of the term in the EO is slightly different because it is based not on the context of use, but on the properties of a given piece of software that make it likely to be critical in most use cases. That is, it focuses on critical functions that address underlying infrastructure for cyber operations and security. This is similar to the concept of Federal Civilian Enterprise Essential IT under the High Value Assets program.

In order to separate the common usage of critical from the definition under the EO, we will use the term EO-critical when it is unclear which usage is being discussed.

Approach

Given the size, scope, and complexity of the software marketplace and the infrastructure needed within the government to implement the EO, NIST has consulted with key agencies regarding the concept of a phased approach for securing the supply chain of EO-critical software. This will allow both the Federal Government and the software industry to implement the EO in an incremental manner, thus providing the opportunity for feedback and improvements to its processes with each additional phase.

Created June 24, 2021, Updated July 9, 2021