October 27, 2021

Volume XI, Number 300


October 27, 2021

Subscribe to Latest Legal News and Analysis

October 26, 2021

Subscribe to Latest Legal News and Analysis

October 25, 2021

Subscribe to Latest Legal News and Analysis

Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order

As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order.  The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.

NIST’s definition of “critical software” as set forth in a white paper released on June 25, 2021 is as follows:

EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;

  • has direct or privileged access to networking or computing resources;

  • is designed to control access to data or operational technology;

  • performs a function critical to trust; or,

  • operates outside of normal trust boundaries with privileged access.

The white paper further specifies that “[t]he definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes.” Further, “[o]ther use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.”

NIST provides further information on key terms within the definition. For example:

  • “Direct software dependencies” means, for a given component or product, “other software components (e.g., libraries, packages, modules) that are directly integrated into, and necessary for operation of, the software instance in question. This is not a systems definition of dependencies and does not include the interfaces and services of what are otherwise independent products.”

  • “Critical to trust” means “categories of software used for security functions such as network control, endpoint security, and network protection.”

The white paper also includes a chart explaining each category of software it considers “EO-critical” as well as a list of Frequently Asked Questions (FAQs) and responses. The categories of software listed in NIST’s chart include:

  • Identity, credential, and access management (ICAM)

  • Operating systems, hypervisors, container environments

  • Web browsers

  • Endpoint security

  • Network control

  • Network protection

  • Network monitoring and configuration

  • Operational monitoring and analysis

  • Remote scanning

  • Remote access and configuration management

  • Backup/recovery and remote storage

Contractors that provide software throughout the government supply chain, particularly those that provide what may be considered “EO-critical” software, should be closely following agency activity under the EO relating to software, which will include publishing minimum elements for a Software Bill of Materials (SBOM) and guidance for security measures for critical software (both in mid-July). Further, contractors should anticipate new requirements next year that must be implemented (and likely flowed down to suppliers and subcontractors) in order to continue to supply certain software to the federal government.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 180

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Nikole Snyder Associate DC Government Contracts, Investigations and International Trade

Nikole Snyder is an associate in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Nikole represents government contractors in various government contracts litigation and counseling matters, including in the following areas:

  • Civil False Claims Act litigation defense;

  • Cybersecurity counseling;

  • Internal investigations;

  • Small business issues under the Small Business Administration regulations, including...