The government continues to beat the drum around the importance of protecting the nation's software supply chain.

In a White House memo (PDF) issued on Tuesday, the head of the Office of Management and Budget urged executive departments and agencies to ensure they have solutions in place to secure critical software, enhance the security of the software supply chain and agencies’ operational environments.

The memo, written by acting director Shalanda Young, reiterates the importance of an Executive Order issued by the Biden administration in May to secure "critical software." In the eyes of NIST (National Institute of Standards and Technology), the group tasked with crafting guidance on security measures for the government, critical software is any software that is:

• designed to run with elevated privilege or manage privileges
• has direct or privileged access to networking or computing resources;
• is designed to control access to data or operational technology;
• performs a function critical to trust; or
• operates outside of normal trust boundaries with privileged access.

Shalanda's memo sets a series of clocks for federal agencies. According to the document, in 60 days, they need to identify all of their critical software; in a year, they need to have security measures in place to satisfy NIST's guidance.

While ultimately all forms of software - software that controls access to data, cloud-based software, software development tools, boot-level firmware, operational technology - will have to follow NIST's guidance, for now, only standalone, on-premise software is required to implement it.

The first phase of NIST's guidance requires agencies to have software in place that provide the following services:

• identity, credential, and access management (ICAM);
• operating systems, hypervisors, container environments;
• web browsers;
• endpoint security;
• network control;
• network protection;
• network monitoring and configuration;
• operational monitoring and analysis;
• remote scanning;
• remote access and configuration management;
• backup/recovery and remote storage.

By ensuring critical software is secured, additional goals, like protecting the confidentiality, integrity, and availability of data used by the software, can also be met. The Office of Management and Budget also hopes the guidance will aid agencies when it comes to detecting and responding to threats and their overall knowledge around their own critical software platforms.

Speaking of May's Executive Order - Biden’s call to action to improve the nation's cybersecurity – the EO had several asks of agencies that came due this week.

Some of those requests include orders for agencies to develop a way to share cyber incident reports properly, to develop a Federal cloud-security strategy, and craft architecture around recommended approaches to cloud migration and data protection for agency data collection and reporting.