October 13, 2021
NIST is updating its characterization of critical software to reflect conversations with the National Security Council (NSC) and the Office of Management and Budget (OMB). The definition of critical software applies only to Government management of software (Sections 4i and 4j). The requirements in 4e and 4k related to acquisition apply to all software, not just to critical software. This does not alter the definition of critical software, although it changes NIST’s initial guidance about how the definition should be used. NIST has modified several FAQs accordingly.
Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, issued on May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish a definition of the term critical software.
(g) Within 45 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition of the term “critical software” for inclusion in the guidance issued pursuant to subsection (e) of this section. That definition shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.
The EO directs the Cybersecurity & Infrastructure Security Agency (CISA) to use this published definition of critical software to develop a list of software categories and products that are in scope for that definition and thus subject to the further requirements of the EO.
(h) Within 30 days of the publication of the definition required by subsection (g) of this section, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Secretary of Commerce acting through the Director of NIST, shall identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software issued pursuant to subsection (g) of this section.
To coordinate the definition with its eventual application, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, OMB, the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within scope for the initial phase. Additional guidance on applying this definition when implementing the EO will be forthcoming from CISA and OMB. NIST worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans.
This webpage starts with background information and context for the term critical and introduces the concept of a phased approach. It defines the term critical software in the context of the EO and provides a preliminary list of software that meets the definition of EO-critical software and is recommended for inclusion in the initial phase of implementation. The webpage concludes with frequently asked questions (FAQs). CISA will provide the final set of software categories for the initial and future implementation phases.