The Cybersecurity and Infrastructure Security Agency has a September 30 deadline to provide federal agencies with a list of examples of software products deemed critical to the federal government's cyber posture.
The target date comes from the agency's response to a Government Accountability Office report, released Thursday, that examined implementation of the major 2021 cybersecurity executive order aimed at strengthening U.S. cyber defenses.
This software category, formally known as "EO critical software" because of its association with the directive, meets 11 criteria defined by the National Institute of Standards and Technology, such as the ability to manage privileges on systems, to perform network-related actions, or to protect and control operational technology.
The list will include sample products and will be delivered by CISA's cybersecurity division, according to a document appended to GAO's analysis. Providing it to federal agencies was listed as a top recommendation in the GAO report, which notes that while the government still has several goals to accomplish under the executive order's broad directives, most of them have already been met.
Such a catalog can help agencies better understand the potential cyber vulnerabilities in the products they rely on most. CISA has frequently promoted a "secure by design" approach to software, which calls on manufacturers and vendors to ship products with security built in from the start rather than added after release.
The Office of Management and Budget found in a study last year that most agencies have not developed policies to address the federally mandated set of cybersecurity requirements for procured Internet of Things devices.
Federal cybersecurity became a top priority for the Biden administration after two headline-grabbing cyberattacks in the early 2020s, in which Chinese and Russian hackers stole a trove of agency communications. Recent events have made the issue even more pressing for national security officials and for legislators: a bill recently introduced in the Senate would require new interoperability and cybersecurity standards for online collaboration tools acquired by the federal government.
Federal agencies are data-rich environments that do not always have the on-site cyber protections needed to detect malicious actors or keep them out of sensitive systems, and they have been repeatedly targeted by hackers.
For example, the Federal Communications Commission admitted in early March that it had been targeted in a phishing scam in which hackers built cloned versions of government agency authentication sites to steal employee login credentials. The State Department recently warned current and former employees to be wary of fraudulent schemes targeting workers' payroll accounts.