NIST’s Gaithersburg, Md., campus. Source: NIST

WASHINGTON: The National Institute of Standards and Technology’s recently published definition of “critical software” has been hailed as a major step in cybersecurity. But some experts worry the accompanying security requirements could backfire and drive companies away from doing business with the government, at a time when the Pentagon is increasingly reliant on commercial vendors.

The definition, required by a cyber executive order earlier this year, was rolled out June 25. The order requires all government entities to apply a set of stringent security requirements to any software deemed “critical,” which could prove time-consuming and costly for some. The order also instructs the government to amend Federal Acquisition Regulations (FAR) language used in contracts, impacting multibillion-dollar, government-wide software procurement going forward.

“Critical software”, NIST says, “is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.”

NIST notes that this definition applies to “software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.”
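The definition above is a rule that can be applied mechanically to a software inventory, and the one point that trips people up is the word “direct”: a component qualifies because of its own attributes or those of a component it depends on directly, not because of something further down the dependency chain. The following Python is an added illustration written for this page, not NIST’s own tooling and not the preliminary category table the agency published; the attribute tags, component names and dependency edges are constructed, and the one-hop treatment of dependencies follows the definition’s literal wording.

```python
from dataclasses import dataclass, field

# The five attributes from the NIST definition quoted above, as short tags.
ATTRIBUTES = {
    "elevated_privilege",      # runs with elevated privilege or manages privileges
    "privileged_access",       # direct or privileged access to networking/computing resources
    "controls_access",         # designed to control access to data or operational technology
    "trust_critical",          # performs a function critical to trust
    "outside_trust_boundary",  # operates outside normal trust boundaries with privileged access
}


@dataclass
class Component:
    name: str
    attributes: set = field(default_factory=set)
    depends_on: list = field(default_factory=list)  # direct dependencies only
    production: bool = True  # False: used solely for research/testing, not deployed


def classify(inventory):
    """Apply the definition to every component in the inventory.

    Returns {name: {"critical": bool, "reasons": [...], "warnings": [...]}}.
    A component is critical if it has an attribute itself or if one of its
    *direct* dependencies has one; the definition says "direct", so the check
    deliberately stops after one hop.  Components not deployed in production
    are out of scope per NIST's scope note and are never marked critical.
    """
    by_name = {c.name: c for c in inventory}
    verdicts = {}
    for c in inventory:
        unknown = c.attributes - ATTRIBUTES
        if unknown:
            raise ValueError(f"{c.name}: unknown attribute(s) {sorted(unknown)}")
        reasons, warnings = [], []
        if not c.production:
            verdicts[c.name] = {"critical": False,
                                "reasons": ["out of scope: not deployed in production"],
                                "warnings": warnings}
            continue
        if c.attributes:
            reasons.append(f"own attributes {sorted(c.attributes)}")
        for dep_name in c.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                # Unknown dependency: the rule cannot be decided, flag for manual review.
                warnings.append(f"dependency {dep_name!r} not in inventory")
            elif dep.attributes:
                reasons.append(f"direct dependency {dep_name} has {sorted(dep.attributes)}")
        verdicts[c.name] = {"critical": bool(reasons), "reasons": reasons, "warnings": warnings}
    return verdicts


def critical_names(inventory):
    """Sorted names of the components that meet the definition."""
    return sorted(n for n, v in classify(inventory).items() if v["critical"])


# Constructed inventory for illustration only (not NIST's category table).
SAMPLE_INVENTORY = [
    Component("identity-broker", attributes={"controls_access", "trust_critical"}),
    Component("web-portal", depends_on=["identity-broker"]),      # critical via direct dependency
    Component("report-builder", depends_on=["web-portal"]),       # two hops away: not critical
    Component("log-shipper", attributes={"privileged_access"}),
    Component("fuzz-harness", attributes={"elevated_privilege"}, production=False),
    Component("dashboard", depends_on=["chart-lib"]),             # dependency missing from inventory
]


if __name__ == "__main__":
    for name, v in classify(SAMPLE_INVENTORY).items():
        flag = "CRITICAL" if v["critical"] else "not critical"
        print(f"{name:16} {flag:13} {'; '.join(v['reasons'] + v['warnings'])}")
```

Run as a script, it lists each component with its verdict and the reason. Note the `report-builder` case: it depends on `web-portal`, which is itself critical only because of *its* dependency on `identity-broker`, so under the definition’s “direct” wording `report-builder` does not qualify. The `dashboard` entry shows why an inventory must be complete before the rule is trusted: an unresolved dependency cannot be classified and is surfaced as a warning rather than silently treated as clean.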

The definition is an important step in the government’s overall attempt to “jumpstart the market for secure software,” Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said in May.

“Clearly using the power of federal government procurement sends an important message that we believe incentivizes building more secure software,” she said at the virtual event hosted by the Center for Strategic and International Studies (CSIS). “Let’s put our money where our mouth is.”

But some critics think this approach is flawed, including federal acquisition expert and former longtime Senate Armed Services Committee staffer Bill Greenwalt.

“The government never ceases to amaze me in its confidence it can drive the market,” Greenwalt told Breaking Defense. “This is another one of those policy frameworks. The drafters of this have a greater confidence in what the government can do than it actually can. The federal government doesn’t have the buying power to drive these changes.”

While acknowledging the cybersecurity challenges the government faces, Greenwalt said, “It’s quite possible that if [the government] doesn’t get this right, then none of those companies will want to do business with government. That’s extremely problematic.”

Government entities must now identify which software fits NIST’s definition and apply a set of forthcoming stringent security requirements to it. (Details are provided in Section 4, Part [e] of the EO.) Implementing the security requirements could be time-consuming and expensive for entities currently running any software deemed to be critical by NIST’s definition.

The cyber EO also instructs the government to amend FAR contract language to “requir[e] suppliers of software available for purchase by agencies to comply with, and attest to complying with” the security measures for critical software.

That part is crucial: The government will, effectively, prevent itself from buying any critical software that cannot satisfy security standards.

“I see [this] as potentially more far-reaching than [Cybersecurity Maturity Model Certification],” Greenwalt said, especially in its potential to ultimately “shrink the market” of software vendors selling to the government. CMMC has been criticized by some for the perceived untenable costs it will impose, especially on smaller businesses, forcing them to ultimately exit the federal market.

“The effect of this is you’ll have lots of new requirements, government-unique, and companies will decide whether to get out of the market,” Greenwalt said. “The result is the government will fall behind the commercial sector even further by relying on government-unique contractors.”

Further, the cyber EO says “agencies shall, as appropriate and consistent with applicable law, remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts; Federal Supply Schedules; Federal Government-wide Acquisition Contracts; Blanket Purchase Agreements; and Multiple Award Contracts.”

“This is a huge, huge lift,” Greenwalt said of the FAR revisions. “It’s going to take a longer time than they’ve planned for. I doubt they will enact something so impactful to the private sector without opening it to comments from the public.”

In addition to the critical software definition, NIST also published a table with “a preliminary list of software categories considered to be EO-critical.”

The need to shore up the government’s software supply chain security came sharply into focus following the SolarWinds cyberespionage campaign. That campaign, which the government formally attributed to the Russian Foreign Intelligence Service (SVR) in April, affected nine federal agencies and no fewer than 100 companies.

Neuberger, while acknowledging the clear influence of SolarWinds on the cyber EO, pointed to a broader concern and suggested a wider societal approach to the problem of insecure software.

“Because software and hardware underpin so much of modern society,” Neuberger said in May, “we need to change our mindset around software and hardware, to demand secure products. Too often, it’s been okay to sell software and hardware products and sell security separately, or frankly, make security configuration the responsibility of the user. We as consumers have to begin — and when I say consumers, I mean individuals, companies, and governments — to start demanding that we can have more confidence in the technology our lives rely on.”

Neuberger said this was a primary goal of the cyber EO.