The U.S. Office of Management and Budget has given federal agencies 60 days to identify all “critical software” in use or being acquired and a year to secure it, according to a memo issued earlier this month. This comes on the heels of rumors of another governmental network breach, as yet unverified, and after several high-profile breaches in the last 18 months. The August 10 memo from Shalanda Young, acting director of the OMB, instructs agencies on how to comply with the critical-software security guidance detailed in cybersecurity memos issued earlier this year.
The National Institute of Standards and Technology defines critical software as software that requires high-level authority to issue and manage computing and network privileges, or that otherwise operates at a high level of privilege, including standalone, embedded, and cloud-hosted software. However, the immediate focus is on on-premises and standalone software, at least for the initial implementation of the new NIST guidance. The latest mandate follows the executive order President Biden issued this past May, titled “Improving the Nation’s Cybersecurity,” which aims to help agencies prevent unauthorized access to critical software, secure data, and respond quickly to threats.