At the direction of President Biden, the National Institute of Standards and Technology recently issued an updated definition of what constitutes “critical” software components that are commonly found within supply chains. But according to one cybersecurity expert, the language reveals a curious omission.
In proposing which aspects of cybersecurity technology should be included in the initial implementation phase of the Administration’s executive order to review and secure the nation’s critical supply chains, NIST excludes embedded software and firmware components, notes Eric Greenwald, general counsel with Finite State, a provider of connected device security systems.
Acknowledging that such components are often “critical” to securing I.T. systems, NIST nevertheless suggests that they’re too complex in nature to be included in the early implementation phase of the Administration’s efforts.
NIST says it coordinated its definition with input from numerous other agencies, including the Cybersecurity & Infrastructure Security Agency (CISA), Office of Management and Budget, Office of the Director of National Intelligence, and National Security Agency. CISA, part of the Department of Homeland Security, will draw on NIST’s finding to devise its own list of software categories that fall under the scope of the first phase of the review.
NIST’s claim that embedded software and firmware — the basic, low-level controls for device hardware — are too complex to be taken up immediately is contained in an answer to “frequently asked questions.” But Greenwald says he’s puzzled by the brief statement.
“I don’t know what they mean by that,” he says, arguing that the NIST definition could have the effect of excluding truly critical elements such as firewalls “simply because they’re on devices rather than cloud-based.”
Greenwald realizes that NIST might prefer not to initially include software that’s embedded on a chipset in a device. “But when you’re talking about an operating system, or application layer software, it doesn’t make sense to me that you would exclude that as a category. It’s hard to understand how they could be drawing a meaningful distinction between device software as opposed to firmware.”
“Complexity” is no justification for the distinction, he says. “I would argue that the more complex it is, the more important to have elevated security standards applied to it.”
A possible motivation for NIST to draw the line at embedded software and firmware is a desire “not to bite off more than they can chew” in the initial implementation phase of the executive order, Greenwald acknowledges. By overreaching in its definition of what constitutes critical software, the agency would risk dissuading private tech companies from participating in federal government procurement. Still, he says, that’s not a legitimate reason to exclude that class of software from early action.
The distinction might seem academic to some, but it goes to the heart of which technology providers can be trusted to supply key security systems to both government and the private sector. The Department of Defense recently tightened its own standards for procurement with the issuance of its Cybersecurity Maturity Model Certification. CMMC dictates that eligible contractors obtain third-party certifications in order to sell their software to DOD.
Greenwald sees the possibility of instituting a regime that instantly sweeps up hundreds of thousands of contractors in a rigorous compliance initiative. “There are questions about who exactly is supposed to be subject to these,” he says. “Lack of clarity is the devil.”
But lack of clarity is also Greenwald’s concern when it comes to NIST’s apparent dismissal of embedded software and firmware as critical elements requiring immediate attention by Biden’s newly appointed task force on supply chain disruptions. He has hopes that the agency will soon clarify its intent, or that CISA will choose to include the disputed category in its definitive list of applicable software.
Still, if both agencies continue to pass over those components for phase one of the executive order, “I feel quite confident that they will be included in phase two,” Greenwald says. Omitting them altogether would seriously jeopardize efforts to secure systems against any manner of cyber threat.