The Office of Management and Budget (OMB) has issued a memorandum that gives agencies 60 days to identify critical software platforms that are in use or in the process of procurement, and one year to implement the security measures designated by the National Institute of Standards and Technology (NIST) for the use of all critical software.
Shalanda Young, acting director of OMB, wrote in the Tuesday memo that agencies should focus on software applications that provide several services, including identity, credential and access management; web browsers; endpoint security; network protection; and remote scanning.
OMB will also give agencies 12 months to integrate security measures for additional categories of software identified for each subsequent phase.
The agency said subsequent implementation phases will address additional software categories, including applications that control access to data, cloud-based and hybrid software and software components in operational technology.
The memo directs NIST to publish updates to the definition of critical software and related security guidance as necessary. The Cybersecurity and Infrastructure Security Agency should also release a list of critical software categories for inclusion in each phase of the implementation of NIST’s guidance for security measures as necessary.
OMB issued the memo in compliance with the cybersecurity executive order issued in May.