NIST spells out security measures for “critical software” used by federal agencies and minimum standards for testing its source code. The best practices could serve as a model for the private sector as well. The guidance was released in the aftermath of the SolarWinds compromise.

NIST worked with CISA and the NSA, and gathered input through a workshop that drew some 1,000 participants from industry, academia and government.

Security Measures for Critical Software

“Recent incidents have demonstrated the need to better protect the … critical software that federal agencies use on-premises, in the cloud, and elsewhere to achieve their mission,” NIST says.

“There must be constant monitoring for anomalous or malicious activity. Preventing breaches is still a ‘must,’ but it is also important to have robust incident detection, response, and recovery capabilities to minimize disruption to agency missions.”

NIST’s guidance for critical software calls on agencies to:

  • Protect critical software and its platforms from unauthorized access and usage;
  • Use multifactor authentication that is verifier impersonation-resistant for all users and administrators;
  • Uniquely identify and authenticate each service attempting to access software platforms and follow privileged access management principles for network-based administration;
  • Employ boundary protection techniques to minimize direct access to the software, its platforms and associated data;
  • Protect the confidentiality, integrity and availability of data used by the software;
  • Establish and maintain a data inventory;
  • Use fine-grained access control for data and resources to enforce the principle of least privilege;
  • Protect data at rest by encrypting sensitive data, consistent with NIST’s cryptographic standards, and data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications;
  • Back up data, exercise backup restoration and be prepared to recover data;
  • Establish and maintain a software inventory and use patch management practices and configuration management practices;
  • Quickly detect, respond to and recover from threats and incidents;
  • Configure logging to record necessary information about security events;
  • Continuously monitor security and employ endpoint and network security protection;
  • Train all security operations personnel and incident response team members on how to handle incidents.

Standards for Software Testing

The software must be designed, built, delivered and maintained in accordance with best practices. Frequent and thorough testing by developers as early as possible in the software development life cycle is one critical practice.

Forcing Action

The administration is attempting to force the individual agencies, which have historically had a wide latitude to handle their own security and IT infrastructure, to adopt foundational best practices.

Adhering to these best practices is going to result in new and unbudgeted procurement for the agencies. This is often where government security initiatives fail: either the procurement process takes too long or the funds simply aren’t available.