NIST Outlines Security Measures for Software Use and Testing Under Executive Order


Eyes now turn to the Office of Management and Budget to issue requirements for federal agencies and contractors based on NIST’s work.

The National Institute of Standards and Technology met crucial obligations laid out for it in a May 12 executive order with the publication of documents recommending minimum standards for the verification and use of software in the federal government. 

The order was created in response to hackers infiltrating government contractor SolarWinds to distribute malware to thousands of victims, including federal agencies, through what seemed to be a legitimate software update from the IT management firm. The attackers also exploited weak passwords and authentication controls to move further within victim systems.

NIST had until July 11 to identify security measures for the use of critical software and to recommend minimum standards for software vendors to test their products before offering them to the government; it issued a bulletin linking to the documents on July 9. NIST was also responsible for defining ‘critical software.’

The ball now moves to the court of the Office of Management and Budget. Within 30 days of NIST’s guidelines being published, OMB must require federal agencies to implement the security measures NIST outlined for the use of critical software, including through their procurements, according to the order.

While much of the order is focused on procurement and ultimately paves the way for changes to federal acquisition regulations, the NIST documents do not address that issue. 

“Even though EO-critical software may be developed using recommended secure development practices, it still needs to be secured in operational environments,” NIST wrote. “The scope of this guidance on security measures is federal agency use of EO-critical software. Development and acquisition of EO-critical software are out of scope.”

Some who commented on NIST’s proposed definition of critical software, including the FDA, have noted the integral role of cloud service providers. 

NIST’s document on security measures refers to previous work the agency has done on supply-chain security and emphasizes the importance of continuing to implement a complete security program.

“These ‘Security Measures for EO-Critical Software Use’ are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs,” NIST said. “Agencies should continue their efforts to secure systems and networks that EO-critical software runs on and to manage cyber supply chain risk.”

In a section responding to frequently asked questions, NIST also noted: “[The Cybersecurity and Infrastructure Security Agency], [The General Services Administration’s Federal Risk and Authorization Management Program], and OMB are currently developing a federal cloud-security strategy and cloud-security technical reference architecture documentation” in support of the order.

“The security measures for using EO-critical software could be applied to cloud-based environments by cloud service providers,” NIST said. 

FedRAMP on Wednesday separately released an update of guidance on what it considers an authorization boundary—a document that aims to lay out cloud providers’ responsibilities in relation to those of agencies. Public comments on that document are due Sep. 13.

NIST’s document on security measures references core NIST publications that agencies are already required to follow, as well as publications from other government agencies, in listing practices in line with the concept of zero trust. Those should sound familiar to cybersecurity practitioners. They include, for example, implementing multifactor authentication, using encryption to protect data at rest and in transit, creating backups to avoid mission disruption, establishing logs to record incidents, and using appropriate patch management practices.