FDA Tells NIST Securing ‘Critical Software’ Extends Beyond Devices

The Food and Drug Administration is encouraging the National Institute of Standards and Technology to adopt a view of "critical software" that encompasses not just that in physical devices, but also third-party software the devices rely on.

“Safe and effective devices are essential to effective patient care and healthcare delivery, and thus, software is ‘critical software’ generally (i) where it meets the definition of device and (ii) where the software is necessary for the safe and effective use of a device,” the FDA wrote in comments NIST published Friday.

NIST issued a call for position papers on May 13 to help inform its work complying with Executive Order 14028, the administration’s response to a series of major cybersecurity incidents that compromised federal agencies and critical infrastructure.

Among other things, the agency is tasked with identifying criteria for determining “critical software,” which the executive order says agencies should prioritize in applying new procurement standards.  

The agency received more than 150 comments mostly from industry representatives. The Consumer Technology Association wrote that critical technology should be “narrowly defined,” for example. But the FDA and the National Science Foundation also weighed in, both drawing attention to the integrated nature of operational technology such as the industrial control systems that manage physical processes in electric utilities and the information technology that connects it.

“The complex integration of heterogeneous software within physical-world engineered systems creates challenges in securing their supply chains, including in designating which software components are critical,” the NSF wrote. “In particular, determining which software components are critical – i.e. both vulnerable to intrusion and causative of systemic failures upon attack – is especially challenging in the [cyber-physical systems] space because of their complex interdependencies with other physical/cyber components and their complex provenance.”

NSF called attention to research it’s been doing in the area, saying it should be helpful though “in its nascency.” 

The FDA similarly highlighted its work in the field, which is already being implemented. The agency is at the forefront of efforts to standardize a cybersecurity bill of materials—more comprehensive than a software bill of materials, this includes hardware and other components—for the manufacture and use of medical devices. 

Kevin Fu, the FDA’s acting director of medical device cybersecurity, paid particular attention to the use of the cloud in his comments.

“Critical functions are shifting from on premises software infrastructure to distributed and remote infrastructure, including newly essential cloud services depended upon during the diagnosis and treatment of disease,” he said.