Fulfilling one of its assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Cybersecurity of the Federal Government (14028), the National Institute of Standards and Technology (NIST) today published a definition of “critical software.” 

The executive order (EO) directs the Cybersecurity & Infrastructure Security Agency (CISA) to develop a list of software categories and products in use or in the acquisition process which meet this definition of critical software.  

To coordinate the definition with its eventual application, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within the scope for the initial phase.  Additional guidance on applying this definition in implementing the EO will be forthcoming from CISA and OMB.  NIST worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans.    

NIST also has developed a table illustrating the application of the definition of EO-critical software to the scope of the recommended initial implementation phase.  CISA will provide the authoritative list of software categories at a later date.   

The specific definition of critical software is included in a NIST white paper and on NIST’s website: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software. The paper and website include frequently asked questions (FAQs) about the definition which provide additional context. 

Questions about the definition or documents should be directed to: swsupplychain-eo@nist.gov.