Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Critical Software Use Guidance
Section 4 of the Executive Order (EO) assigns numerous tasks to NIST and other agencies. One task (4g) is to define the term critical software with a June 26, 2021 deadline. A subsequent task (4i) is for “the Secretary of Commerce through NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, to publish guidance outlining security measures for critical software, including applying practices of least privilege, network segmentation, and proper configuration.” Once completed, task (4j) calls for “….OMB taking appropriate steps to require that agencies comply with the guidance.”
NIST’s deliverable from task 4i will address security measures needed for protecting critical software deployments and the systems and services hosting and executing that software. The security measures will focus on mitigating threats that the EO is intended to address.
NIST plans to leverage the wealth of existing resources on individual security measures for systems that host or execute critical software. This will bring together existing guidance on practices that are vital for securing the use of critical software. Examples of resources that NIST may leverage for this task include:
- Best Practices for Privileged User PIV Authentication
- National Checklist Program (NCP) Repository and Special Publication (SP) 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- Patching the Enterprise Project
- SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
- SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
- SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials
- SP 800-207, Zero Trust Architecture
Additional references and resources will be added to this list. This topic will be discussed at the EO workshop. Workshop discussions will inform NIST’s work. This page will be updated with the draft materials once they are published for comment.
Questions about this task should be directed to: swsupplychain-eo [at] nist.gov (swsupplychain-eo[at]nist[dot]gov).