NIST Delivers Key Publications to Improve Software Supply Chain Security
In line with the Presidential Executive Order on enhancing the Nation’s Cybersecurity (14028), NIST has already fulfilled two of its assignments to enhance the security of the software supply chain. The Executive Order (EO) issued on May 12, 2021, charged NIST and other agencies with improving cybersecurity through various initiatives relevant to software supply chain security and integrity.
After extensive consultation with the Office of Management and Budget (OMB) and the Cybersecurity & Infrastructure Security Agency (CISA), NIST has published guidance outlining security measures for the use of critical software. Additionally, NIST published guidelines setting out minimum standards for testing vendors’ software source code. As the EO requires, both recommendations were made in consultation with the National Security Agency (NSA). The two deliverables were both due by July 11, 2021, and NIST based its recommendations on extensive public participation through a call for position papers and a workshop.
NIST’s Responsibilities under the Executive Order
Section 4 of EO 14028 directs NIST to seek input from government agencies, academia, the private sector, and other entities, and to identify existing, or develop new, standards, best practices, tools, and other guidelines to strengthen software supply chain security. The guidelines should include:
• Criteria for the evaluation of software security
• Criteria for developing security practices for software developers and suppliers
• Innovative methods or tools to demonstrate conformance with security practices
To develop the guidelines, NIST consulted with the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA), the Director of National Intelligence (DNI), and the Office of Management and Budget (OMB).
By November 8, 2021, NIST is required to publish preliminary guidelines based on existing documents and stakeholder input for enhancing software supply chain security. And by February 6, 2022, NIST should issue guidance to identify best practices that strengthen software supply chain security in consultation with heads of various agencies. The guidance must encompass supply chain security standards, procedures, and criteria. Additionally, NIST will publish further guidelines by May 8, 2022, including procedures for reviewing and updating guidelines periodically.
The EO has tasked NIST with additional responsibilities, including labeling programs related to software and the Internet of Things (IoT) to inform consumers about the security level of their products. The initial deadline for those efforts is February 6, 2022, and NIST expects to announce its approach to carrying out the assignments in late July 2021. Similar to its other assignments in the executive order, NIST will solicit ideas and information from various stakeholders to carry out these tasks.
NIST Sets Goals for the Definition of Critical Software
Recent security incidents have prompted the Federal Government to heighten its efforts to identify, detect, deter, protect against, and respond to malicious cyber actors and actions. Threat actors typically exploit weaknesses in software development and distribution practices, the complexity of underlying code, and the pervasive use of software solutions. One of the primary goals of the Executive Order is to establish a security baseline for essential software products used by the Federal Government.
Considering the broad scope of the EO and its possible impact on the software marketplace and government operations, NIST has set the following goals in defining critical software:
The implementation of the EO must take into account how the software industry functions, including software procurement, development, and deployment. Overall, the software marketplace is very dynamic and evolves continuously. Software can be purchased as a product, as a service, or as part of another product. Moreover, software is often modular, comprising many components.
There are several existing uses and definitions of the term “critical.” In most cases, the definition is based on how technology supports particular tasks or processes, as with critical infrastructure or safety-critical networks. Under the EO, however, the definition is different: it is based on properties of the software that make it inherently critical in most use cases, rather than on the context in which it is used. In other words, it focuses on critical functions that underpin the infrastructure for cybersecurity and operations.
The implementation of the EO will drive activity across the Federal Government and have a significant impact on the software industry. It is therefore vital to have a clear definition that both the government and the software industry can use to implement the executive order successfully. To distinguish the common usage of the term “critical” from the precise definition under the EO, the term “EO-critical” is used wherever it is unclear which meaning is being discussed.
During the initial phase of EO implementation, NIST recommends focusing on on-premises, standalone software that has security-critical functions or that poses a similarly significant potential for extensive harm if compromised. In subsequent phases, the focus can shift to other categories of software, such as:
• Cloud-based and hybrid software
• Software that controls access to data
• Software components in boot-level firmware
• Software development tools, such as code repository systems, integration software, testing software, deployment software, and packaging software
• Software components in operational technology (OT)
NIST has also provided a comprehensive preliminary list of software categories that are considered EO-critical. NIST’s table shows how the EO-critical software definition applies within the scope of the initial implementation phase. However, CISA will provide the authoritative list of EO-critical software categories at a later date.
The Presidential Executive Order on enhancing cybersecurity has charged NIST with several responsibilities with varying timelines. Over the next couple of months, NIST and other agencies are expected to publish further guidelines as outlined in the EO. Keep tabs on the Palindrome Consulting website to stay updated as things unfold over the coming weeks. Whether you run an accounting practice, law firm, or other professional services company, we offer dependable IT consulting services to fuel your business growth.
Since 1999, Palindrome’s mission has been to help small- and medium-sized businesses get a true return on their IT investments. We’ve remained dedicated to offering state-of-the-art IT services, support, and products that allow our customers in Miami, Fort Lauderdale, and across South Florida to leapfrog their competitors and achieve greater success. Contact us today to schedule your consultation!