NIST Delivers Key Publications to Improve Software Supply Chain Security

In line with the Presidential Executive Order on enhancing the Nation’s Cybersecurity (14028), NIST has already fulfilled two of its assignments to enhance the security of the software supply chain. The Executive Order (EO) issued on May 12, 2021, charged NIST and other agencies with improving cybersecurity through various initiatives relevant to software supply chain security and integrity.

After extensive consultation with the Office of Management and Budget (OMB) and the Cybersecurity & Infrastructure Security Agency (CISA), NIST has published guidance outlining security measures for the use of critical software. NIST also published guidelines setting out minimum standards for vendors' testing of their software source code. As the EO requires, both recommendations were developed in consultation with the National Security Agency (NSA). The two deliverables were due by July 11, 2021, and NIST based its recommendations on extensive public participation through a call for position papers and a workshop.

NIST’s Responsibilities under the Executive Order

Section 4 of EO 14028 directs NIST to seek input from government agencies, academia, the private sector, and other entities, and to identify existing, or develop new, standards, best practices, tools, and other guidelines to strengthen software supply chain security. The guidelines should include:

•    Criteria for the evaluation of software security
•    Criteria for developing security practices for software developers and suppliers
•    Innovative methods or tools to demonstrate conformance with security practices.

To develop the guidelines, NIST consulted with the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA), the Director of National Intelligence (DNI), and the Office of Management and Budget (OMB).

By November 8, 2021, NIST is required to publish preliminary guidelines, based on existing documents and stakeholder input, for enhancing software supply chain security. By February 6, 2022, NIST should issue guidance, in consultation with the heads of various agencies, identifying best practices that strengthen software supply chain security. That guidance must encompass supply chain security standards, procedures, and criteria. Additionally, by May 8, 2022, NIST will publish further guidelines, including procedures for periodically reviewing and updating them.

The EO has tasked NIST with additional responsibilities, including labeling programs related to software and the Internet of Things (IoT) to inform consumers about the security level of their products. The initial deadline for those efforts is February 6, 2022, and NIST expects to announce its approach to carrying out the assignments in late July 2021. Similar to its other assignments in the executive order, NIST will solicit ideas and information from various stakeholders to carry out these tasks.

NIST Sets Goals for the Definition of Critical Software

Recent security incidents have prompted the Federal Government to heighten its efforts to identify, detect, deter, protect against, and respond to malicious cyber actors and their actions. Threat actors typically exploit weaknesses in software development and distribution practices, the complexity of underlying code, and the pervasive use of software. One of the primary goals of the Executive Order is to establish a security baseline for essential software products used by the Federal Government.

Considering the broad scope of the EO and its possible impact on the software marketplace and government operations, NIST has set the following goals in defining critical software:

1: Viability

The implementation of the EO must take into account how the software industry functions, including software procurement, development, and deployment. The software marketplace is highly dynamic and evolves continuously. Software can be purchased as a standalone product, as a service, or as part of another product. Software is also often modular, comprising many components.

There are several existing uses and definitions of the term “critical.” In most cases, the definition is based on how the technology supports particular tasks or processes, as in critical infrastructure or safety-critical networks. Under the EO, however, the definition is different: it is based on properties of the software that make it critical in most use cases, rather than on the context in which it is used. In other words, it focuses on critical functions that underpin the infrastructure for cybersecurity and operations.

2: Clarity

The implementation of the EO will drive activity across the Federal Government and have a major impact on the software industry. A clear definition that both government and the software industry can use is therefore vital to implementing the executive order successfully. To distinguish the common usage of the term “critical” from the precise definition under the EO, the term “EO-critical” is used wherever it could be unclear which sense is meant.

During the initial phase of EO implementation, NIST recommends focusing on on-premises, standalone software that has security-critical functions or that poses similarly significant potential for extensive harm if compromised. In subsequent phases, the focus can shift to other categories of software, such as:

•    Cloud-based and hybrid software
•    Software that controls access to data
•    Software components in boot-level firmware
•    Software development tools, such as code repository systems, integration software, testing software, deployment software, and packaging software
•    Software components in operational technology (OT)

NIST has also provided a comprehensive preliminary list of software categories considered to be EO-critical. NIST's table shows how the EO-critical software definition applies to the scope of the initial implementation phase. However, CISA will provide the authoritative list of EO-critical software categories at a later date.

Final Thoughts

The Presidential Executive Order on enhancing cybersecurity has charged NIST with several responsibilities on varying timelines. Over the next few months, NIST and other agencies are expected to publish further guidelines as outlined in the EO. Keep an eye on the Palindrome Consulting website for updates as things unfold over the coming weeks. Whether you run an accounting practice, law firm, or other professional service company, we offer dependable IT consulting services to fuel your business growth.

Since 1999, Palindrome’s mission has been to help small- and medium-sized businesses get a true return on their IT investments. We’ve remained dedicated to offering state-of-the-art IT services, support, and products that allow our customers in Miami, Fort Lauderdale, and across South Florida to leapfrog their competitors and achieve greater success. Contact us today to schedule your consultation!
