Cisco : Critical Software Security and the Cyber Executive Order

September 14, 2021 at 08:12 am EDT

For the average American, the term critical infrastructure probably conjures up images of hospitals, power plants, and highways. But how about critical software? The range of responses will be off the charts. We could probably say the same about the software that powers your agency too. What's critical and what isn't?

Disruption would be debilitating

Critical infrastructure sectors are so important that disruption would have a 'debilitating effect' on our country, so national policy prioritizes them. The Critical Infrastructure Security Agency (CISA) defines both the term and its 16 specific sectors. Each one has a unique, sector-specific plan to mitigate risks. That's the goal, anyway.

Contrast that with critical software, a term that lacks a clear definition. Your agency typically decides for itself what software is mission critical, and how best to protect it. For instance, you're following the NIST Risk Management Framework within your agency to determine its importance in the security categorization step.

Yet recent software supply chain attacks showed us that we need clarity and consistent security measures. It begins with the definition.

Defining EO-critical software

The President's Executive Order on Improving the Nation's Cybersecurity (EO 14028) addresses this in Section 4, 'Enhancing Software Supply Chain Security.' There it directed NIST to define critical software and provide security guidelines, which they've done in two separate whitepapers (Definition of Critical Software and Security Measures for 'EO-Critical Software').

First, let's talk about the term itself. It's not 'critical software,' it's 'EO-critical software' in NIST's Executive Order response publications. They acknowledged that 'critical' is too loosely defined in general, so they wanted to be crystal clear about critical software in the context of the Executive Order.

Paraphrasing their definition, EO-critical software is any software that:

Is designed to run with elevated privilege or manage privileges
Has direct or privileged access to networking or computing resources
Is designed to control access to data or operational technology
Performs a function critical to trust
Operates outside of normal trust boundaries with privileged access.

NIST acknowledges that this is a broad definition, so it covers a lot of software types. That's why they've recommended a phased approach starting with on-premises software. Later phases will address other types like cloud-based software, OT software components, and boot-level firmware.

Their paper also covers preliminary EO-critical software categories like operating systems, hypervisors, container environments, web browsers, endpoint security, identity management, network protection and control, configuration management, and more.

Security measures for EO-critical software usage

With the definition complete, the second NIST whitepaper covers the Security Measures (SM) for EO-critical software. An important word here is usage: It's about how agencies use EO-critical software, not about how vendors develop it or how agencies acquire it. After all, it's already running in production, so these Security Measures are intended to boost the software's security.

With that in mind, NIST defined five objectives for EO-critical software that I'll paraphrase:

Protecting from unauthorized access and usage
Protecting data
Identifying and maintaining
Detecting, responding, and recovering from threats
Strengthening humans' actions around it.

Under each objective, there are up to five Security Measures (SM) prescribing specific controls. And NIST mapped all SMs to existing references like the Cybersecurity Framework and NIST SP 800-53 so they aren't entirely new.

For example, multi-factor authentication (SM 1.1) supports the first objective around unauthorized access protection, and maps to controls AC-2, IA-2, IA-4, and IA-5 in NIST SP 800-53.

Cisco can help

At Cisco, we've been protecting government systems and data for decades, and we're no stranger to cyber best practices. The table below shows how Cisco Secure solutions can help you secure EO-critical software. It's not meant to be exhaustive; rather, a starting point to illustrate the many ways that we can help.

What questions do you have? Please comment below or, better yet, talk with us. We're always here to help.

Additional Resources

Attachments

Original document
Permalink

Disclaimer

Cisco Systems Inc. published this content on 14 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 September 2021 12:11:06 UTC.

	1st Jan change	Capi.
CISCO SYSTEMS, INC.	-5.40%	194B
ARISTA NETWORKS, INC.	+10.09%	82.15B
FOXCONN INDUSTRIAL INTERNET CO., LTD.	+48.81%	59.85B
MOTOROLA SOLUTIONS, INC.	+8.76%	56.66B
GARMIN LTD.	+9.75%	27.27B
NOKIA OYJ	+3.49%	18.66B
ZHONGJI INNOLIGHT CO., LTD.	+54.65%	18.07B
ZTE CORPORATION	+9.48%	16.81B
ERICSSON	-13.01%	16.63B
JUNIPER NETWORKS, INC.	+23.74%	11.82B

1st Jan change

Capi.

CISCO SYSTEMS, INC.

-5.40%

194B

ARISTA NETWORKS, INC.

+10.09%

82.15B

FOXCONN INDUSTRIAL INTERNET CO., LTD.

+48.81%

59.85B

MOTOROLA SOLUTIONS, INC.

+8.76%

56.66B

GARMIN LTD.

+9.75%

27.27B

NOKIA OYJ

+3.49%

18.66B

ZHONGJI INNOLIGHT CO., LTD.

+54.65%

18.07B

ZTE CORPORATION

+9.48%

16.81B

ERICSSON

-13.01%

16.63B

JUNIPER NETWORKS, INC.

+23.74%

11.82B

Market Closed - Nasdaq Other stock markets 04:00:00 2024-04-17 pm EDT			5-day change	1st Jan Change
47.79 ^USD	-0.27%		-2.89%	-5.40%

Apr. 17	Transcript : Cisco Systems, Inc. - Special Call
Apr. 16	North American Morning Briefing : Powell Comments, -2-	DJ

Transcript : Cisco Systems, Inc. - Special Call	Apr. 17
North American Morning Briefing : Powell Comments, -2-	Apr. 16	DJ
Cisco: stock outperforms, BofA upgrades to buy	Apr. 15	CF
Cisco Systems' Growth Acceleration to be Driven by 3 Catalysts, BofA Says	Apr. 15	MT
BofA Securities Upgrades Cisco Systems to Buy From Neutral, Raises Price Target to $60 from $55	Apr. 15	MT
Factbox-US, Canadian companies kick off 2024 with layoffs	Apr. 15	RE
Cisco Systems, Inc. completed the acquisition of Isovalent, Inc.	Apr. 11	CI
Wall Street: green wins just before the close	Apr. 10	CF
Wall Street: precautionary selling pending inflation	Apr. 09	CF
Cisco: tops the Dow on positive comments from Deutsche Bank	Apr. 09	CF
Conflicting signals on rate cuts	Apr. 09
ANALYST RECOMMENDATIONS : Amex, Cisco, Nasdaq, Wells Fargo, Marathon Petroleum...	Apr. 09
India's Embassy REIT to raise $300 million to fund acquisition, lower debt	Apr. 06	RE
Cisco to Lead Consortium to Help Retrain Workers Affected by AI	Apr. 04	MT
US, Canadian companies kick off 2024 with layoffs	Apr. 03	RE
Verint Systems Expands Partnership with Webex by Cisco	Apr. 03	MT
Smarttech247 Group PLC Signs Strategic Partnership Agreement with Cisco	Apr. 03	CI
Wall Street: 'WTI' barrel worries	Apr. 03	CF
Wall Street: 'WTI' breaking $85.5 a barrel causes concern	Apr. 02	CF
Private equity firm CD&R to buy IT company Presidio from BC Partners	Apr. 02	RE
US, Canadian companies kick off 2024 with layoffs	Apr. 02	RE
Ophir Herbst signed an agreement to acquire additional 9.8% stake in Jungo Connectivity Ltd for ILS 2.6 million.	Mar. 30	CI
BlackRock's Murry Gerber Seeks to Remain as Independent Board Director for Another Year	Mar. 28	DJ
Transcript : Cisco Systems, Inc. - Special Call	Mar. 28
EMBARGO-Software startup Observe raises $115 mln from Sutter Hill Ventures, Snowflake	Mar. 27	RE

Cisco Systems, Inc.

Equities

CSCO

US17275R1023

Communications & Networking

Cisco : Critical Software Security and the Cyber Executive Order

Latest news about Cisco Systems, Inc.

Chart Cisco Systems, Inc.

Company Profile

Income Statement Evolution

Analysis / Opinion

Ratings for Cisco Systems, Inc.

Analysts' Consensus

EPS Revisions

Quarterly earnings - Rate of surprise

Sector Other Communications & Networking