White House orders compliance with 'critical software' protection measures

The Office of Management and Budget directed agencies to comply with software supply chain security measures as set out in the May cybersecurity executive order.

security in agile process

A new White House memo instructs agencies on how to comply with guidance on the security of "critical software" as directed in the May executive order on cybersecurity.

An Aug. 10 memo from Shalanda Young, acting director of the Office of Management and Budget, builds off the definition of critical software issued by the National Institute of Standards and Technology in June. That definition focuses on software that has high-level authority to issue and manage computing and network privileges or otherwise operates at a high level of privilege.

The definition applies to standalone software, software embedded in devices and software in the cloud, but in the first round of implementation of the guidance, the focus should be on on-premise or standalone software, the new memo states.

The memo also starts a 60-day clock for agencies to report on their critical software inventories and a one-year timeline for implementing security measures as called for by NIST to safeguard critical software.

The May executive order also set out a number of other deliverables that are due on or about Aug. 10. That includes the issuance by OMB of a federal cloud security strategy that serves as a guide to the risks of cloud adoption and the deployment of zero trust architectures. Similarly, the Cybersecurity and Infrastructure Security Agency was tasked with issuing a cloud security technical reference architecture to support secure cloud migration.

Additionally, the Department of Homeland Security was asked to weigh in on whether its cyber operators can hunt for threats on civilian federal networks without prior approval from individual agencies.