NIST Publishes 'Critical Software' Security GuidancePlus, White House Says MFA, Encryption to Be Widely Deployed in Federal Networks
New guidance from the National Institute of Standards and Technology spells out security measures for "critical software" used by federal agencies and minimum standards for testing its source code. The best practices could be a model for the private sector as well.
NIST's release of best practices carries out a mandate in President Joe Biden's May executive order on cybersecurity, which, in part, called for agencies to address supply chain threats, such as that posed by the SolarWinds incident, by more carefully scrutinizing "critical software" as later defined by NIST.
In developing the new guidelines, NIST worked with the Cybersecurity and Infrastructure Security Agency, Office of Management and Budget, and the National Security Agency, and gathered input via workshop, which included 1,000 participants from industry, academia and government.
Barbara Guttman, leader of NIST's software quality group, says the new guidance is crucial as the country takes steps to address its cyber resiliency.
OMB will enforce agencies' compliance with the guidance.
MFA, Encryption Deployment
A senior Biden administration official said this week that multifactor authentication and encryption technologies "could be deployed fully within six months," across the government's civilian networks, as called for in the executive order, according to the White House.
The official added: "We’re leveraging federal procurement to improve the security of software not only used by the federal government but used by companies, state and local governments, and individuals."
On Monday, the administration sharply condemned China's government for its role in ongoing cyberattacks, including attacks on vulnerable Microsoft Exchange servers.
Security Measures for Critical Software
"Recent incidents have demonstrated the need to better protect the … critical software that federal agencies use on-premises, in the cloud, and elsewhere to achieve their mission," NIST says.
"There must be constant monitoring for anomalous or malicious activity. Preventing breaches is still a 'must,' but it is also important to have robust incident detection, response, and recovery capabilities to minimize disruption to agency missions."
The NIST guidance says that agencies should, for example:
- Protect critical software and its platforms from unauthorized access and usage;
- Use multifactor authentication that is verifier impersonation-resistant for all users and administrators;
- Uniquely identify and authenticate each service attempting to access software platforms and follow privileged access management principles for network-based administration;
- Employ boundary protection techniques to minimize direct access to the software, its platforms and associated data;
- Protect the confidentiality, integrity and availability of data used by the software;
- Establish and maintain a data inventory;
- Use fine-grained access control for data and resources to enforce the principle of least privilege;
- Protect data at rest by encrypting sensitive data, consistent with NIST’s cryptographic standards, and data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications;
- Back up data, exercise backup restoration and be prepared to recover data;
- Establish and maintain a software inventory and use patch management practices and configuration management practices;
- Quickly detect, respond to and recover from threats and incidents;
- Configure logging to record necessary information about security events;
- Continuously monitor security and employ endpoint and network security protection;
- Train all security operations personnel and incident response team members on how to handle incidents.
Standards for Software Testing
In addition to its security measures, NIST published minimum standards for the testing of critical software by developers.
"The software must be designed, built, delivered and maintained in accordance with best practices," the agency writes. "Frequent and thorough testing by developers as early as possible in the software development life cycle is one critical practice."
"The administration is attempting to force the individual agencies, which have historically had a wide latitude to handle their own security and IT infrastructure, to adopt foundational best practices," says Luke Tenery, partner at the advisory firm StoneTurn, which works with government agencies on regulatory and compliance issues.
"The largest issue NIST and the administration will face going forward is implementation," Tenery adds. "Adhering to these best practices is going to result in a new and unbudgeted procurement for the agencies. This is often where government security initiatives fail, either the procurement process takes too long or the funds simply aren’t available."