OMB Issues Guidance on Software Security Order

OMB has set deadlines for agencies to comply with an executive order from President Biden that tells them to identify their “critical” software and to adopt certain security measures for it. The deadlines follow a definition by the National Institute of Standards and Technology of what is considered critical under that order.

“There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended. The federal government must identify and implement practices that enhance the security of the software supply chain and protect the use of software in agencies’ operational environments,” says memo M-21-30.

It says that during the initial implementation phase, agencies should focus on standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases are to address additional categories of software, as determined by the Cybersecurity and Infrastructure Security Agency.

Specifically, within 60 days agencies must identify all agency critical software, in use or in the process of acquisition; and within one year they must implement the security measures designated by NIST for all categories of critical software included in the initial phase and must incorporate security measures for additional software categories identified for each subsequent phase.

NIST will publish updates to the definition of critical software and associated security measures guidance as necessary.

The memo adds: “Agencies should keep in mind that the measures identified in the guidance from NIST are not comprehensive; their adoption may not eliminate the need to implement additional security measures to satisfy requirements and objectives that lie outside the scope of the NIST guidance.”
