Security Measures for “EO-Critical Software” Use Under Executive Order (EO) 14028 - FAQs

The following FAQs provide additional information on the guidance.

1. Are all of the security measures appropriate for all EO-critical software?

A security measure might not be relevant for a particular situation based on the nature of the software deployment or other factors. If a particular security measure cannot be implemented, other security measures could be identified and implemented to mitigate the risk and achieve the outcome that the missing security measure was intended to address. Agencies are still expected to apply risk management activities as part of their overall cybersecurity programs.

2. Will this guidance be updated as more types of EO-critical software are identified?

Potentially. However, all of the security measures for EO-critical software are anticipated to apply to all types of EO-critical software in all deployments.

3. How can we implement the security measures for using cloud-based EO-critical software?

CISA, GSA’s FedRAMP program, and OMB are currently developing a federal cloud-security strategy and cloud-security technical reference architecture documentation in support of Section 3 of the EO. The security measures for using EO-critical software could be applied to cloud-based environments by cloud service providers.

4. Does NIST have additional resources on cyber supply chain risk management (C-SCRM)?

Yes, see NIST’s C-SCRM project website for links to all the resources. An example is the Federal C-SCRM Forum, which NIST hosts; the Forum fosters collaboration and the exchange of C-SCRM information among federal agencies to improve the security of federal supply chains. Examples of NIST C-SCRM guidance include SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations and SP 800-161 Rev. 1 (Draft), Cyber Supply Chain Risk Management Practices for Systems and Organizations.

5. What is the relationship between this guidance and zero trust architecture?

Section 3 of the EO directs each federal agency to plan to implement zero trust architecture. All of the security measures for EO-critical software defined in this guidance are also components of a zero trust architecture, although by no means are they complete. Agencies developing plans for migrating to zero trust architecture can incorporate the security measures for EO-critical software use into those plans. For more information on zero trust architecture, see the following Federal Government resources:

• DISA and NSA, Department of Defense (DOD) Zero Trust Reference Architecture Version 1.0
• NIST, SP 800-207, Zero Trust Architecture
• NSA, Embracing a Zero Trust Security Model

6. Objective 2 says to “protect the confidentiality, integrity, and availability of data,” but what about cases where not all three of those are needed, like protecting the confidentiality of publicly available information?

Agencies should continue to take risk-based approaches for protecting data, and thus should only apply the types of protection that will reduce risk for a particular scenario. For example, protecting the confidentiality of publicly available information typically will not reduce risk, and thus would not be necessary.

7. SM 1.1 includes the term “verifier impersonation-resistant.” What does that mean?

Verifier impersonation-resistant authentication protocols and credentials ensure that when a user or administrator attempts to connect to EO-critical software or an EO-critical software platform over a network, both parties (the person and the platform) are legitimate. Verifier impersonation resistance helps prevent people from having their credentials stolen by phishing attacks, and also helps prevent attackers from using stolen authentication information to impersonate a user or administrator. There are several ways to achieve verifier impersonation resistance; an example of a verifier impersonation-resistant protocol is client-authenticated Transport Layer Security (TLS). See Section 5.2.5 of NIST SP 800-63B for more information.

8. Where can I learn more about EO-critical software?

Additional information is available at this webpage. It includes a set of FAQs that provide more details and context about EO-critical software.

9. Is there a summary of the security measures?

Yes, the list below includes the first sentence of each security measure. The summary is intended to improve understanding of the security measures and is not a substitute for the formal definition of the security measures for EO-critical software use in the previous table, which contains additional details for some security measures and provides informative references for all security measures.