Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Software Security in Supply Chains: EO-Critical Software and Security Measures for EO-Critical Software
Following the EO’s directive, NIST’s definition for critical software reflects “the level of privilege or access required to function” and “integration and dependencies with other software.”[1]
NIST has also published guidance outlining security measures to protect the revised set of designated critical software.
EO-Critical Software Definition
NIST’s publication on the definition of critical software enhances traditional notions of context-based criticality with function-based definitions. Table 1 identifies the points at which criticality considerations in SP 800-161r1 may be informed but should not be superseded by the new EO-critical software definition.
Table F-1. Impacts of EO-critical software definition on SP 800-161r1 guidance for federal agencies
| Section Identifier | Section Title | EO-Critical Definition Impact |
|---|---|---|
| 2 | Integration of C-SCRM into Enterprise-wide Risk Management |
|
| 2.3 | Multilevel Risk Management |
|
| 3.1 | C-SCRM in Acquisition |
|
| 3.4 | C-SCRM Key Practices |
|
| Appendix A | C-SCRM Security Controls |
|
| Appendix C | Risk Exposure Framework |
|
| Appendix D | C-SCRM Templates |
|
| Appendix E | FASCSA |
|
| Appendix G | C-SCRM Activities in the Risk Management Process |
|
Security Measures (SM) for EO-Critical Software Use
NIST published “Security Measures for ‘EO-Critical Software’ Use Under EO 14028” in July 2021. Software supply chain security measures are essential for internal decision-making and supplier oversight. Federal agencies must recognize their roles as critical players in the software supply chain and should, at a minimum, internally implement the same security controls that they require of their software suppliers. All of the EO Security Measures should be considered for all software, not just for EO-Critical Software.
Table 2 outlines the mappings and coverage of the EO’s security measures across SP 800-161r1 controls, control enhancements, and supplemental guidance. Many of these are included in the C-SCRM controls baseline.
EO Security Measures and their associated SP 800-161r1 controls (with the exception of AC-6, CA-7, and SR-8) are considered “flow down.” Enterprises should require prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors where feasible.
Federal agencies that align with SP 800-161r1 controls should use Table 2 to aid in conforming with EO Security Measures and to ensure their effective application across the software supply chain and acquisition life cycle.
Table F-2. C-SCRM controls and security measures crosswalk
| Control Identifier | Control Name | C-SCRM Baseline | EO Security Measure |
|---|---|---|---|
| AC-2 | Account Management | x | 1.1, 1.2, 1.3, 2.2 |
| AC-3 | Access Enforcement | x | 2.2 |
| AC-4 | Information Flow Enforcement | 2.4 | |
| AC-5 | Separation of Duties | 3.3 | |
| AC-6 | Least Privilege2 | x2 | 2.2, 3.3 |
| AC-17 | Remote Access | x | 2.4 |
| AT-2 | Literacy Training and Awareness2 | x2 | 5.1 |
| AT-3 | Role-based Training | x | 4.5, 5.1, 5.2, 5.3 |
| AU-2 | Event Logging | x | 4.1 |
| AU-3 | Content of Audit Records | x | 4.1 |
| AU-12 | Audit Record Generation | x | 4.1 |
| AU-13 | Monitoring for Information Disclosure | 4.4 | |
| AU-14 | Session Audit | 4.4 | |
| CA-7 | Continuous Monitoring2 | x2 | 3.2, 3.3, 4.1 |
| CM-2 | Baseline Configuration | x | 3.3 |
| CM-3 | Configuration Change Control | 3.3 | |
| CM-6 | Configuration Settings | x | 3.3 |
| CM-7 | Least Functionality | x | 3.3 |
| CM-8 | System Component Inventory | x | 2.1, 3.1 |
| CP-3 | Contingency Training | x | 5.2 |
| IA-2 | Identification and Authentication (Organizational Users) | x | 1.1, 1.2 |
| IA-4 | Identifier Management | x | 1.1 |
| IA-5 | Authenticator Management | x | 1.1 |
| IA-9 | Service Identification and Authentication | 1.2 | |
| IR-2 | Incident Response Training | x | 4.5 |
| PM-5 | System Inventory | 2.1, 3.1 | |
| RA-5 | Vulnerability Monitoring and Scanning | x | 3.2, 3.3 |
| RA-9 | Criticality Analysis | 3.1 | |
| SC-7 | Boundary Protection | x | 1.4, 4.4 |
| SC-8 | Transmission Confidentiality and Integrity | 2.4 | |
| SC-28 | Protection of Information at Rest | 2.3 | |
| SI-2 | Flaw Remediation | x | 3.2 |
| SI-3 | Malicious Code Protection | x | 4.3, 4.4 |
| SI-4 | System Monitoring | x | 4.2, 4.3 |
| SI-5 | Security Alerts, Advisories, and Directives | x | 3.2, 3.3, 4.3 |
| SI-7 | Software, Firmware, and Information Integrity | 4.3 | |
| SR-8 | Notification Agreements | x | 3.2 |
The measures are intended to secure the use of deployed EO-critical software in the operational environments of federal agencies. Security measures for EO-critical software are not intended to be comprehensive, nor do they eliminate the need for other security measures.
One provision in “Security Measures for ‘EO-Critical Software’ Use Under EO 14028” falls outside of the scope of SP 800-161r1. Security Measure 2.5 outlines a requirement to “back up data, exercise backup restoration, and be prepared to recover data used by EO-critical software and EO-critical software platforms at any time from backups” [3]Though relevant to sound C-SCRM practices, controls related to Security Measure 2.5 are not included in SP 800-161r1 because they are not third-party risk-related. Rather, they focus on managing the software within a system.
Mappings to Security Measure 2.5 and partial security measure mappings outside of the scope of this document are outlined in Table 3. Federal agencies that seek to fully conform with all mapped controls across all EO security measures, regardless of whether they are C-SCRM-specific in nature, may use this table to accelerate conformance or refer directly to “Security Measures for ‘EO-Critical Software’ Use Under EO 14028.”
Table F-3. C-SCRM Control and Security Measure Crosswalk
| Control Identifier | Control (or Control Enhancement) Name | C-SCRM Baseline | EO Security Measure |
|---|---|---|---|
| AU-4 | Audit Log Storage Capacity | N/A | 4.1 |
| AU-5 | Response to Audit Logging Process Failures | N/A | 4.1 |
| AU-8 | Timestamps | N/A | 4.1 |
| AU-11 | Audit Record Retention | N/A | 4.1 |
| CA-7 | Continuous Monitoring | N/A | 3.2, 3.3, 4.1 |
| CP-9 | System Backup | N/A | 2.5 |
| CP-10 | System Recovery and Reconstitution | N/A | 2.5 |
| SC-2 | Separation of System and User Functionality | N/A | 1.3 |
| SC-7(15) | Boundary Protection | Networked Privileged Accesses | N/A | 1.3 |
--------------
[1] National Institute of Standards and Technology. (2021). Definition of Critical Software Under Executive Order (EO) 14028.
[2] While the base control is not addressed in SP 800-161r1, the topic at large is addressed through supplemental guidance provided for control enhancements to the base control.
[3] National Institute of Standards and Technology. (2021). Security Measures for “EO-Critical Software” Use Under Executive Order (EO) 14028.
Content:
- Introduction
- Guidance, Purpose, Scope, and Audience
- EO-Critical Software and Security Measures for EO-Critical Software
- Software Cybersecurity for Producers and Users
- Software Verification
- Evolving Standards, Tools, and Recommended Practices
- Additional Existing Industry Standards, Tools, and Recommended Practices
- Frequently Asked Questions (FAQs)