CISA to issue list of software products critical to agency security by end of September


The software offerings are crucial for federal cybersecurity because of certain privileges and controls they enable, as defined by NIST.

The Cybersecurity and Infrastructure Security Agency is targeting a Sept. 30 deadline to give federal agencies a list of example software products deemed critical for the federal government’s cyber posture.

The target date comes from the agency’s responses to a Thursday Government Accountability Office oversight report that examines implementation of a major 2021 cybersecurity executive order focused on shoring up U.S. cyberdefenses.

The software types, known formally as “EO-critical software” because of their ties to the order’s directives, meet 11 criteria defined by the National Institute of Standards and Technology. Among other things, they have the ability to manage privileges on a system, perform actions related to network protections, and control operational technology.

The list will contain example products and will be transmitted by CISA’s Cybersecurity Division, according to a missive tacked onto the GAO analysis. Its delivery to federal agencies is listed as a top recommendation in the GAO report, which says the U.S. has a handful of objectives to still complete in meeting the executive order’s broad directives, but notes that most of the goals have been met.

The software catalog would likely help agencies gain a better sense of potential cyber vulnerabilities in the products they rely on the most. CISA has frequently pushed a “secure by design” approach in software procurement processes, where manufacturers and vendors would ensure that their products are sold with built-in features aimed at making them cyber-secure once they come off the shelf.

The Office of Management and Budget found in a review last year that most agencies did not have policies in place to address a swath of federally mandated cybersecurity requirements for procured internet of things devices.

Federal cybersecurity became a top priority for the Biden administration after a pair of headline-making cyberattacks at the start of the decade, but recent cases in which Chinese and Russian hackers exfiltrated troves of agency communications have made this issue even more pertinent for national security officials and lawmakers. A recently introduced Senate bill would require new interoperability and cybersecurity standards for online collaboration tools acquired by the federal government.

Federal agencies have repeatedly been a target for hackers because they serve as data-rich environments that don’t always have the necessary on-site cyber protections in place to detect malicious actors or keep them out of sensitive systems.

The Federal Communications Commission in early March, for instance, confirmed it was the target of a phishing scheme in which hackers built a cloned version of an agency verification site to siphon staff login credentials. The State Department also recently warned current and former employees to be cautious of a fraudulent scheme targeting workers’ payroll accounts.