By SecureWorld News Team
Tue | Jun 29, 2021 | 7:45 AM PDT

There are a lot of mysteries in life.

And one of them, until now, was an unanswered question that could help security teams prioritize their resources.

The question was this: how do you define critical software, and what kinds of operations does critical software power and control? 

Now, the National Institute of Standards and Technology (NIST) has come up with the answer to this question.

NIST definition: what is defined as critical software?

The President's cybersecurity-focused Executive Order (EO) required NIST to work with CISA to define "critical software" so that government agencies can set appropriate priorities on what to protect.

This definition may also help if you are in the private sector.

First of all, NIST says it went into this process of defining critical software with two specific goals in mind:

1. Clarity – "The implementation of the program will drive activity across the entire Federal Government, with impacts on the software industry. Having a clear definition that can be used by the software industry and the Government is vital to the successful implementation of the EO."

2. Viability – "For the EO to be viable, its implementation must take into consideration how the software industry functions, including product development, procurement, and deployment.

The software marketplace is dynamic and evolves continuously. How software is developed, brought into an organization, and used by an organization is changing rapidly. Software is purchased as a product, as part of a product, and as a service. Software is often modular, consisting of many components."

NIST general definition of critical software

NIST refers to critical software as EO-critical, where EO stands for Executive Order.

The big picture looks like this:

"EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

• is designed to run with elevated privilege or manage privileges;
• has direct or privileged access to networking or computing resources;
• is designed to control access to data or operational technology;
• performs a function critical to trust; or,
• operates outside of normal trust boundaries with privileged access."

That is the big picture; now let's take a look at some specifics.

NIST defines 11 categories of critical software

NIST has now identified and defined the following 11 categories of critical software:

1. Identity, credential, and access management (ICAM)
2. Operating systems, hypervisors, container environments
3. Web browsers
4. Endpoint security
5. Network control
6. Network protection
7. Network monitoring and configuration
8. Operational monitoring and analysis
9. Remote scanning
10. Remote access and configuration management
11. Backup/recovery and remote storage

Lastly, NIST adds an important footnote about critical software: it does not matter whether the software runs in the cloud, on-premises, or in a hybrid environment.

See more details in the new NIST white paper that defines critical software.

And let us know what you think in the comments. Do you agree with this definition of critical software? Is the definition too broad, too narrow, or about right?

