Recent incidents have demonstrated the need for the Federal Government to improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber actions and actors. In particular, threat actors are exploiting the pervasive use of software and the complexity of the underlying code and software development and distribution practices. One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government. The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software. In particular, the EO seeks to limit acquisition to software that has met security measures such as use of a secure development process and integrity checks that are defined in Section 4(e) of the EO.
Given the broad scope of the EO and its potential impact on both government operations and the software marketplace, NIST set the following goals for the definition of critical software:
There are many existing definitions and uses of the term critical. Most are based on how technology supports various tasks or processes, such as safety critical or critical infrastructure. The use of the term in the EO is slightly different because it is based not on the context of use, but on the properties of a given piece of software that make it likely to be critical in most use cases. That is, it focuses on critical functions that address underlying infrastructure for cyber operations and security. This is similar to the concept of Federal Civilian Enterprise Essential IT under the High Value Assets program.
In order to distinguish the common usage of critical from the definition under the EO, we will use the term EO-critical wherever it is unclear which usage is being discussed.
Given the size, scope, and complexity of the software marketplace and the infrastructure needed within the government to implement the EO, NIST has consulted with key agencies regarding the concept of a phased approach for securing the supply chain of EO-critical software. This will allow both the Federal Government and the software industry to implement the EO in an incremental manner, thus providing the opportunity for feedback and improvements to its processes with each additional phase.