Section 4 of the Executive Order (EO) assigns numerous tasks to NIST and other agencies. One task (4g) is to define the term critical software, with a June 26, 2021 deadline. A subsequent task (4i) is for “the Secretary of Commerce through NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, to publish guidance outlining security measures for critical software, including applying practices of least privilege, network segmentation, and proper configuration.” Once that guidance is published, task (4j) calls for “… OMB taking appropriate steps to require that agencies comply with the guidance.”
NIST’s deliverable from task 4i will address security measures needed for protecting critical software deployments and the systems and services hosting and executing that software. The security measures will focus on mitigating threats that the EO is intended to address.
NIST plans to leverage the wealth of existing resources on individual security measures for systems that host or execute critical software. This will bring together existing guidance on practices that are vital for securing the use of critical software. Examples of resources that NIST may leverage for this task include:
Additional references and resources will be added to this list. This topic will be discussed at the EO workshop. Workshop discussions will inform NIST’s work. This page will be updated with the draft materials once they are published for comment.
Questions about this task should be directed to: swsupplychain-eo [at] nist.gov.