
NIST’s EO-mandated software security guidelines could be a game-changer
While experts applaud the new security guidance, it’s unclear whether software vendors will completely embrace and implement the needed security practices.
Following a string of high-profile supply chain hacks, President Biden’s wide-ranging executive order on cybersecurity (EO) issued on May 12 directed the National Institute of Standards and Technology (NIST) to produce guidance on a series of software security matters. First, the EO asked NIST to produce a definition of critical software, which it released at the end of June. Second, the EO directed NIST to publish guidance on security measures for EO-critical software use, which NIST released last Friday.
To tackle the complex issue of keeping software secure, NIST solicited papers from interested parties and held a two-day workshop to gain insight from industry and other experts. NIST defined five objectives for the operational-only (not covering development and acquisition matters) security measures:
- Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage. Measures here include use of multi-factor authentication, following privileged access management principles, and employing boundary protection techniques.
- Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. Measures here include maintaining a data inventory, protecting data at rest and in transit, and backing up data with a tested recovery plan.
- Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation. Measures here include maintaining a software inventory, having a patch management plan, and using configuration management practices.
- Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms. Measures here include recording necessary logging information, continuous security monitoring, and using endpoint and network security protection.
- Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms. Measures here include training all users and administrators of EO-critical software and conducting frequent awareness activities.
This article appeared in CSO Online. To read the rest of the article please visit here.