Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Critical Software - Definition & Explanatory Material

This section provides the definition of EO-critical software. Following that is a table with a preliminary list of software categories recommended for the initial phase along with some explanatory material. At a later date, CISA will provide the authoritative list of software categories that are within the scope of the definition and to be included in the initial phase of implementation. A pointer to that information will be provided here when available.

Finally, there is a set of FAQs at the bottom of the page that provides answers to questions that may arise about the interpretation of the definition, the phased approach, and other related topics.

EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.

The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition. (See FAQ #10 and FAQ #11.)

NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other categories of software such as:

  • software that controls access to data;
  • cloud-based and hybrid software;
  • software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
  • software components in boot-level firmware; or
  • software components in operational technology (OT).

The table below provides a preliminary list of software categories considered to be EO-critical. This table is provided to illustrate the application of the definition of EO-critical software to the scope of the recommended initial implementation phase described above. As noted previously, CISA will provide the authoritative list of software categories at a later date.


Category of Software


Types of Products

Rationale for Inclusion

Identity, credential, and access management (ICAM)

Software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices

  • Identity management systems
  • Identity provider and federation services
  • Certificate issuers
  • Access brokers
  • Privileged access management software
  • Public key infrastructure
  • Foundational for ensuring that only authorized users, systems, and devices can obtain access to sensitive information and functions

Operating systems, hypervisors, container environments



Software that establishes or manages access and control of hardware resources (bare metal or virtualized/ containerized) and provides common services such as access control, memory management, and runtime execution environments to software applications and/or interactive users

  • Operating systems for servers, desktops, and mobile devices
  • Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
  • Highly privileged software with direct access and control of underlying hardware resources and that provides the most basic and critical trust and security functions

Web browsers

Software that processes content delivered by web servers over a network, and is often used as the user interface to device and service configuration functions

  • Standalone and embedded browsers
  • Performs multiple access management functions
  • Supports browser plug-ins and extensions such as password managers for storing credentials for web server resources
  • Provides execution environments for code downloaded from remote sources
  • Provides access management for stored content, such as an access token which is provided to web servers upon request

Endpoint security

Software installed on an endpoint, usually with elevated privileges which enable or contribute to the secure operation of the endpoint or enable the detailed collection of information about the endpoint

  • Full disk encryption
  • Password managers
  • Software that searches for, removes, or quarantines malicious software
  • Software that reports the security state of the endpoint (vulnerabilities and configurations)
  • Software that collects detailed information about the state of the firmware, operating system, applications, user and service accounts, and runtime environment
  • Has privileged access to data, security information, and services to enable deep inspection of both user and system data
  • Provides functions critical to trust

Network control

Software that implements protocols, algorithms, and functions to configure, control, monitor, and secure the flow of data across a network

  • Routing protocols
  • DNS resolvers and servers
  • Software-defined network control protocols
  • Virtual private network (VPN) software
  • Host configuration protocols
  • Privileged access to critical network control functions
  • Often subverted by malware as the first step in more sophisticated attacks to exfiltrate data

Network protection

Products that prevent malicious network traffic from entering or leaving a network segment or system boundary

  • Firewalls, intrusion detection/ avoidance systems
  • Network-based policy enforcement points
  • Application firewalls and inspection systems
  • Provides a function critical to trust, often with elevated privileges

Network monitoring and configuration

Network-based monitoring and management software with the ability to change the state of—or with installed agents or special privileges on—a wide range of systems

  • Network management systems
  • Network configuration management tools
  • Network traffic monitoring systems
  • Capable of monitoring and/or configuring enterprise IT systems using elevated privileges and/or remote installed agents

Operational monitoring and analysis


Software deployed to report operational status and security information about remote systems and the software used to process, analyze, and respond to that information

  • Security information and event management (SIEM) systems
  • Software agents widely deployed with elevated privilege on remote systems
  • Analysis systems critical to incident detection and response and to forensic root cause analysis of security events
  • Often targeted by malware trying to deactivate or evade it

Remote scanning

Software that determines the state of endpoints on a network by performing network scanning of exposed services

  • Vulnerability detection and management software
  • Typically has privileged access to network services and collects sensitive information about the vulnerabilities of other systems

Remote access and configuration management

Software for remote system administration and configuration of endpoints or remote control of other systems

  • Policy management
  • Update/patch management
  • Application configuration management systems
  • Remote access/ sharing software
  • Asset discovery and inventory systems
  • Mobile device management systems
  • Operates with significant access and elevated privileges, usually with little visibility or control for the endpoint user

Backup/recovery and remote storage

Software deployed to create copies and transfer data stored on endpoints or other networked devices

  • Backup service systems
  • Recovery managers
  • Network-attached storage (NAS) and storage area network (SAN) software
  • Privileged access to user and system data
  • Essential for performing response and recovery functions after a cyber incident (e.g., ransomware)

Previous Sections:

Next Sections:

Created June 24, 2021, Updated July 9, 2021