New guidance from the National Institute of Standards and Technology (NIST) spells out security measures for "critical software" used by federal agencies and minimum standards for testing its source code. The best practices could serve as a model for the private sector as well. NIST's release carries out a mandate in President Joe Biden's May 2021 executive order on cybersecurity (Executive Order 14028), which, in part, directed agencies to address supply chain threats such as the one posed by the SolarWinds incident by applying greater scrutiny to "critical software," a term the order tasked NIST with defining.
In developing the new guidelines, NIST worked with the Cybersecurity and Infrastructure Security Agency (CISA), the Office of Management and Budget (OMB), and the National Security Agency (NSA), and gathered input via a workshop that drew roughly 1,000 participants from industry, academia, and government. The leader of NIST's software quality group says the new guidance is crucial as the country takes steps to improve its cyber resiliency. OMB will enforce agencies' compliance with the guidance.
According to the White House, a senior Biden administration official said on 29 July 2021 that multifactor authentication and encryption technologies "could be deployed fully within six months" across the government's civilian networks, as called for in the executive order. The official added, "We're leveraging federal procurement to improve the security of software not only used by the federal government but used by companies, state and local governments, and individuals."
The administration sharply condemned China's government for its role in ongoing cyberattacks, including attacks on vulnerable Microsoft Exchange servers.
"Recent incidents have demonstrated the need to better protect the … critical software that federal agencies use on-premises, in the cloud, and elsewhere to achieve their mission," NIST says. "There must be constant monitoring for anomalous or malicious activity. Preventing breaches is still a 'must,' but it is also important to have robust incident detection, response, and recovery capabilities to minimize disruption to agency missions."
The NIST guidance says that agencies should, for example:
- Protect critical software and its platforms from unauthorized access and usage;
- Use multifactor authentication that is verifier impersonation-resistant for all users and administrators;
- Uniquely identify and authenticate each service attempting to access software platforms and follow privileged access management principles for network-based administration;
- Employ boundary protection techniques to minimize direct access to the software, its platforms, and associated data;
- Protect the confidentiality, integrity, and availability of data used by the software;
- Establish and maintain a data inventory;
- Use fine-grained access control for data and resources to enforce the principle of least privilege;
- Protect data at rest by encrypting sensitive data, consistent with NIST’s cryptographic standards, and data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications;
- Back up data, exercise backup restoration, and be prepared to recover data;
- Establish and maintain a software inventory and use patch management practices and configuration management practices;
- Quickly detect, respond to, and recover from threats and incidents;
- Configure logging to record necessary information about security events;
- Continuously monitor security and employ endpoint and network security protection;
- Train all security operations personnel and incident response team members on how to handle incidents.
In addition to its security measures, NIST published minimum standards for the testing of critical software by developers. "The software must be designed, built, delivered, and maintained in accordance with best practices," the agency writes. "Frequent and thorough testing by developers as early as possible in the software development life cycle is one critical practice."
"The administration is attempting to force the individual agencies, which have historically had wide latitude to handle their own security and IT infrastructure, to adopt foundational best practices," says a partner at the advisory firm StoneTurn, which works with government agencies on regulatory and compliance issues. "The largest issue NIST and the administration will face going forward is implementation," StoneTurn says. "Adhering to these best practices is going to result in a new and unbudgeted procurement for the agencies. This is often where government security initiatives fail: either the procurement process takes too long or the funds simply aren't available."
At Red Sky Alliance, we can help cyber threat teams with services that begin with cyber threat notification and analysis.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings