Critical Software Definition

Critical Software: Enhancing the Security of the Software Supply Chain

The May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) gives NIST several assignments to enhance the security of the software supply chain. One of them is to publish a definition of “critical software.”

The executive order (EO) directs the Cybersecurity & Infrastructure Security Agency (CISA) to develop a list of software categories and products in use or in the acquisition process which meet this definition of critical software.

To coordinate the definition with its eventual application, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within the scope for the initial phase. Additional guidance on applying this definition for implementing the EO will be forthcoming from CISA and OMB. NIST worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans. 

The specific definition of critical software is included in a NIST white paper.

EO critical software timeline

Questions about the definition or documents should be directed to: swsupplychain-eo[at]nist[dot]gov

Created June 24, 2021, Updated July 9, 2021