Security Measures for EO-Critical Software Use

The table below defines the security measures for EO-critical software use. The security measures are grouped by objective. The columns in the table are:

  • Security Measure (SM): A high-level security outcome statement that is intended to apply to all software designated as EO-critical software or to all platforms, users, administrators, data, or networks (as specified) that are part of running EO-critical software.
  • Federal Government Informative References: Federal Government-issued publications and projects that, in whole or in part, discuss the security measure. The first two references for each security measure are the NIST Cybersecurity Framework and NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. These two references list their mappings to the security measure (as Cybersecurity Framework Subcategories and SP 800-53 security controls, respectively). These mappings are general and informational; any particular situation might have somewhat different mappings.

All references after the first two are selected examples that discuss or illustrate the security measure and are intended as possible sources of information. Some references only apply to particular use cases, environments, situations, etc. Omission from this list does not imply that other sources of information should not be used.

The references listed in the table will be updated periodically as new publications are identified or released, and as existing publications are updated.

The acronyms used in the table are:

 

Security Measure (SM)

Federal Government Informative References

Objective 1: Protect EO-critical software and EO-critical software platforms from unauthorized access and usage.

SM 1.1: Use multi-factor authentication that is verifier impersonation-resistant for all users and administrators of EO-critical software and EO-critical software platforms. (See FAQ #7.)

SM 1.2: Uniquely identify and authenticate each service attempting to access EO-critical software or EO-critical software platforms.

SM 1.3: Follow privileged access management principles for network-based administration of EO-critical software and EO-critical software platforms. Examples of possible implementations include using hardened platforms dedicated to administration and verified before each use, requiring unique identification of each administrator, and proxying and logging all administrative sessions to EO-critical software platforms.

SM 1.4: Employ boundary protection techniques as appropriate to minimize direct access to EO-critical software, EO-critical software platforms, and associated data. Examples of such techniques include network segmentation, isolation, software-defined perimeters, and proxies.

Objective 2: Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. (See FAQ #6.)

SM 2.1: Establish and maintain a data inventory for EO-critical software and EO-critical software platforms.

SM 2.2: Use fine-grained access control for data and resources used by EO-critical software and EO-critical software platforms to enforce the principle of least privilege to the extent possible.

SM 2.3: Protect data at rest by encrypting the sensitive data used by EO-critical software and EO-critical software platforms consistent with NIST’s cryptographic standards.

SM 2.4: Protect data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications for EO-critical software and EO-critical software platforms consistent with NIST’s cryptographic standards.

SM 2.5: Back up data, exercise backup restoration, and be prepared to recover data used by EO-critical software and EO-critical software platforms at any time from backups.

Objective 3: Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.

SM 3.1: Establish and maintain a software inventory for all platforms running EO-critical software and all software (both EO-critical and non-EO-critical) deployed to each platform.

SM 3.2: Use patch management practices to maintain EO-critical software platforms and all software deployed to those platforms. Practices include:

  • rapidly identify, document, and mitigate known vulnerabilities (e.g., patching, updating, upgrading software to a supported version) to continuously reduce the exposure time
  • monitor the platforms and software to ensure the mitigations are not removed outside of change control processes

SM 3.3: Use configuration management practices to maintain EO-critical software platforms and all software deployed to those platforms. Practices include:

  • identify the proper hardened security configuration for each EO-critical software platform and all software deployed to that platform (hardened security configurations enforce the principles of least privilege, separation of duties, and least functionality)
  • implement the configurations for the platforms and software
  • control and monitor the platforms and software to ensure the configuration is not changed outside of change control processes

Objective 4: Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.

SM 4.1: Configure logging to record the necessary information about security events involving EO-critical software platforms and all software running on those platforms.

SM 4.2: Continuously monitor the security of EO-critical software platforms and all software running on those platforms.

SM 4.3: Employ endpoint security protection on EO-critical software platforms to protect the platforms and all software running on them. Capabilities include:

  • protecting the software, data, and platform by identifying, reviewing, and minimizing the attack surface and exposure to known threats
  • permitting only verified software to execute (e.g., file integrity verification, signed executables, allowlisting)
  • proactively detecting threats and stopping them when possible
  • responding to and recovering from incidents
  • providing the necessary information for security operations, threat hunting, incident response, and other security needs

SM 4.4: Employ network security protection to monitor the network traffic to and from EO-critical software platforms to protect the platforms and their software using networks. Capabilities include:

  • proactively detecting threats at all layers of the stack, including the application layer, and stopping them when possible
  • providing the necessary information for security operations, threat hunting, incident response, and other security needs

 

SM 4.5: Train all security operations personnel and incident response team members, based on their roles and responsibilities, on how to handle incidents involving EO-critical software or EO-critical software platforms.

Objective 5: Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.

SM 5.1: Train all users of EO-critical software, based on their roles and responsibilities, on how to securely use the software and the EO-critical software platforms.

SM 5.2: Train all administrators of EO-critical software and EO-critical software platforms, based on their roles and responsibilities, on how to securely administer the software and/or platforms.

SM 5.3: Conduct frequent awareness activities to reinforce the training for all users and administrators of EO-critical software and platforms, and to measure the training’s effectiveness for continuous improvement purposes.

 


Created July 8, 2021, Updated July 9, 2021