What Does NIST’s Definition of Critical Software Mean to You?

On May 12th, President Biden signed the 2021 Cybersecurity Executive Order (EO). Since then, I’ve thought a lot about what it really means for federally focused sellers and buyers of software and how it might practically improve the security of applications and strengthen our nation’s cyber defenses.

During this time of reflection, I’ve had many conversations with industry CISOs, government technologists and everyone in between. So far, the consensus is that “the EO is potentially an important step in the right direction, but the ultimate proof will be in the pudding.”

Well, as everyone knows, when it comes to public policy, cybersecurity, and industry standards, it can take quite a while (and many cooks) to complete a batch of pudding. Notwithstanding, this past Friday witnessed an important milestone in the effort to implement core directives contained within the EO. Specifically, the National Institute of Standards and Technology (NIST) released their much anticipated definition of “critical software.” To me, this is an early glimpse at the complicated dish being made; and it left me realizing that we have a long way to go before anything will be finished.

How Does NIST Define Critical Software? 

According to NIST, the newly minted definition of “critical software” is:

EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.

The definition applies to software of all forms (e.g., standalone software, software (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Matt Howard. Read the original post at: https://blog.sonatype.com/what-does-nists-definition-of-critical-software-mean

Matt Howard

Matt Howard is CMO and SVP of Sonatype, the inventors of software supply chain automation. He is a proven executive and entrepreneur with over 20 years experience developing high-growth software companies. Prior to Sonatype, Mr. Howard co-founded, developed and successfully sold two software companies.