Critical Software: Enhancing the Security of the Software Supply Chain
One of the assignments given to NIST by the May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (EO 14028), as part of its directives to enhance the security of the software supply chain, is to publish a definition of “critical software.”
The executive order (EO) then directs the Cybersecurity & Infrastructure Security Agency (CISA) to develop a list of software categories and products, whether already in use or in the acquisition process, that meet this definition of critical software.
To coordinate the definition with its eventual application, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within the scope for the initial phase. Additional guidance on applying this definition for implementing the EO will be forthcoming from CISA and OMB. NIST worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans.
Questions about the definition or documents should be directed to: swsupplychain-eo [at] nist.gov