Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidance on security measures for EO-critical software use, based on the definition of “EO-critical software” NIST developed for the EO.
(i) Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, shall publish guidance outlining security measures for critical software as defined in subsection (g) of this section, including applying practices of least privilege, network segmentation, and proper configuration.
The EO directs the Office of Management and Budget (OMB) to require agencies to comply with the security measures guidance.
(j) Within 30 days of the issuance of the guidance described in subsection (i) of this section, the Director of OMB acting through the Administrator of the Office of Electronic Government within OMB shall take appropriate steps to require that agencies comply with such guidance.
To help identify and prioritize possible security measures for inclusion, NIST solicited position papers from the community, hosted a virtual workshop to gather input, consulted with the Cybersecurity & Infrastructure Security Agency (CISA) and OMB, and reviewed existing federal guidance on individual security measures that might apply to EO-critical software use.
This webpage starts with information about the purpose and scope of the guidance, including the meaning of “EO-critical software use.” Next, it defines the fundamental security measures for EO-critical software use. It concludes with Frequently Asked Questions (FAQ) that provide additional information on the guidance and its relationship to other tasks in the EO and to other federal cybersecurity initiatives. The last item in the FAQ is a summary of the security measures.