This section provides the definition of EO-critical software. Following that is a table with a preliminary list of software categories recommended for the initial phase along with some explanatory material. At a later date, CISA will provide the authoritative list of software categories that are within the scope of the definition and to be included in the initial phase of implementation. A pointer to that information will be provided here when available.
Finally, there is a set of FAQs at the bottom of the page that provides answers to questions that may arise about the interpretation of the definition, the phased approach, and other related topics.
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition. (See FAQ #10 and FAQ #11.)
NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other categories of software such as:
The table below provides a preliminary list of software categories considered to be EO-critical. This table is provided to illustrate the application of the definition of EO-critical software to the scope of the recommended initial implementation phase described above. As noted previously, CISA will provide the authoritative list of software categories at a later date.
| Software category | Description | Types of Products | Rationale for Inclusion |
|---|---|---|---|
| Identity, credential, and access management (ICAM) | Software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices | | |
| Operating systems, hypervisors, container environments | Software that establishes or manages access and control of hardware resources (bare metal or virtualized/containerized) and provides common services such as access control, memory management, and runtime execution environments to software applications and/or interactive users | | |
| Web browsers | Software that processes content delivered by web servers over a network, and is often used as the user interface to device and service configuration functions | | |
| Endpoint security | Software installed on an endpoint, usually with elevated privileges, which enables or contributes to the secure operation of the endpoint or enables the detailed collection of information about the endpoint | | |
| Network control | Software that implements protocols, algorithms, and functions to configure, control, monitor, and secure the flow of data across a network | | |
| Network protection | Products that prevent malicious network traffic from entering or leaving a network segment or system boundary | | |
| Network monitoring and configuration | Network-based monitoring and management software with the ability to change the state of—or with installed agents or special privileges on—a wide range of systems | | |
| Operational monitoring and analysis | Software deployed to report operational status and security information about remote systems and the software used to process, analyze, and respond to that information | | |
| Remote scanning | Software that determines the state of endpoints on a network by performing network scanning of exposed services | | |
| Remote access and configuration management | Software for remote system administration and configuration of endpoints or remote control of other systems | | |
| Backup/recovery and remote storage | Software deployed to create copies of and transfer data stored on endpoints or other networked devices | | |