The National Institute of Standards and Technology (NIST) has released guidance outlining security measures for critical software and minimum standards for vendors’ testing of their software source code as part of the agency’s assignments under the Biden administration’s executive order (EO) on cybersecurity.
The EO on Improving the Nation’s Cybersecurity, released May 12, calls for NIST to complete a series of different cyber-related assignments, including providing an updated definition for “critical software,” which it released last month.
For its latest EO assignments that were due on July 11, NIST worked closely with the Cybersecurity and Infrastructure Security Agency (CISA), Office of Management and Budget (OMB), and the National Security Agency (NSA). NIST also gathered input from the public through a workshop and call for papers.
“Recent incidents have demonstrated the need to better protect the EO-critical software that Federal agencies use on-premises, in the cloud, and elsewhere to achieve their missions. Even though EO-critical software may be developed using recommended secure development practices, it still needs to be secured in operational environments,” NIST wrote.
The guidance on security measures is intended to “protect the use of deployed EO-critical software in agencies’ operational environments,” according to NIST.
As for the minimum standards for vendors’ testing of their software source code, NIST offers high-level verification guidelines for software vendors and developers.
“To ensure that software is sufficiently safe and secure, the software must be designed, built, delivered, and maintained in accordance with best practices,” NIST wrote. “Frequent and thorough testing by developers as early as possible in the software development life cycle (SDLC) is one critical practice. At its highest conceptual level, verification is a discipline employed to increase software security.”
Now that NIST has released the two deliverables for its EO assignments, OMB is tasked with requiring agencies to comply with the new guidance, according to the EO.