
Security Measures for “EO-Critical Software” Use Under Executive Order (EO) 14028 - Guidance Purpose & Scope

Recent incidents have demonstrated the need to better protect the EO-critical software that federal agencies use on-premises, in the cloud, and elsewhere to achieve their missions. Even though EO-critical software may be developed using recommended secure development practices, it still needs to be secured in operational environments. There is increasing recognition that all organizations should assume that a breach is going to occur or has already occurred, so access to EO-critical software must be limited at all times to only what is needed. Moreover, there must be constant monitoring for anomalous or malicious activity. Preventing breaches is still a “must,” but it is also important to have robust incident detection, response, and recovery capabilities. Such capabilities can help identify breaches, determine their scope of impact, discover root causes, and restore normal operations quickly, thus minimizing disruption to agency missions.

The scope of this guidance on security measures is federal agency use of EO-critical software. Development and acquisition of EO-critical software are out of scope. The security measures are intended to protect the use of deployed EO-critical software in agencies’ operational environments.

NIST defined the following objectives for the security measures:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. (See FAQ #6.)
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.
  5. Strengthen the understanding and performance of the human actions that foster the security of EO-critical software and EO-critical software platforms.

NIST has identified security measures that are fundamental for meeting these objectives. These “Security Measures for EO-Critical Software Use” are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs. Agencies should continue their efforts to secure systems and networks that EO-critical software runs on and to manage cyber supply chain risk (see FAQ #4), as well as implement zero trust practices (see FAQ #5), which depend on the fundamental security measures. The intent of specifying these security measures is to assist agencies by defining a set of common security objectives for prioritizing the security measures that should be in place to protect EO-critical software use.


Created July 8, 2021, Updated July 9, 2021