Recent incidents have demonstrated the need to better protect the EO-critical software that federal agencies use on-premises, in the cloud, and elsewhere to achieve their missions. Even though EO-critical software may be developed using recommended secure development practices, it still needs to be secured in operational environments. There is increasing recognition that all organizations should assume that a breach is going to occur or has already occurred, so access to EO-critical software must be limited at all times to only what is needed. Moreover, there must be constant monitoring for anomalous or malicious activity. Preventing breaches is still a “must,” but it is also important to have robust incident detection, response, and recovery capabilities. Such capabilities can help identify breaches, determine their scope of impact, discover root causes, and restore normal operations quickly, thus minimizing disruption to agency missions.
The scope of this guidance on security measures is federal agency use of EO-critical software. Development and acquisition of EO-critical software are out of scope. The security measures are intended to protect the use of deployed EO-critical software in agencies’ operational environments.
NIST defined the following objectives for the security measures:
NIST has identified security measures that are fundamental for meeting these objectives. These “Security Measures for EO-Critical Software Use” are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs. Agencies should continue their efforts to secure systems and networks that EO-critical software runs on and to manage cyber supply chain risk (see FAQ #4), as well as implement zero trust practices (see FAQ #5), which depend on the fundamental security measures. The intent of specifying these security measures is to assist agencies by defining a set of common security objectives for prioritizing the security measures that should be in place to protect EO-critical software use.