Skip to main content
banner image
venafi logo

Supply Chain Security: What is Critical Software? [NIST]

Supply Chain Security: What is Critical Software? [NIST]

August 26, 2021 | Guest Blogger: Ambler Jackson

The National Institute of Standards and Technology (NIST) as well as Gartner have identified machine identity management to be a crucial and foundational infrastructure required to secure and support the digital transformation initiatives of modern businesses. As we see a sustained increase in supply chain attacks, machine identity management will continue to gain authority in the security strategies of many organizations.

From SolarWinds to Biden’s Executive Order

In December 2020, FireEye announced the discovery of a global supply chain attack campaign that affected public and private organizations. The attackers leveraged a commercial software application made by SolarWinds to steal data. Due to the seriousness of the SolarWinds attack, and other similar events, in April 2021, the National Institute of Standards and Technology (NIST) published the report “Defending Against Supply Chain Attacks to provide recommendations for identifying, assessing and mitigating software supply chain risks.

The following month, President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity highlighted the need for the government to improve its efforts to identify, deter, detect, respond and protect against any malicious cyber campaigns that threaten the public and private sectors. The EO notes the important role that the private sector plays in partnering with the government to foster a more secure cyberspace. It focused on the private sector’s obligation to ensure that its products are built securely. The EO set forth standards and requirements in various areas, including the software supply chain.

Section 4, Enhancing Software Supply Chain Security, is an area that the software development industry will want to pay close attention to. It states that the government must act to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. This action will impact government operations and the software industry. It will result in changes to processes for developing software that meets certain requirements and the government’s acquisition of such software.

SolarWinds: Anatomy of a Supersonic Supply Chain Attack. Download the report.
Enhancing software supply chain security

The EO states that the Secretary of Commerce, acting through the Director of NIST, will issue guidance identifying practices that enhance the security of the software supply chain. The guidance will include standards, procedures, or criteria regarding actions, such as:

Secure software development environments by using administratively separate build environments. Providing artifacts that demonstrate conformance to processes like auditing trust relationships and establishing multi-factor authentication. Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code. The EO also states that the Secretary of Commerce will publish a definition of the term critical software for inclusion in the future guidance. The published definition will reflect the following:

  • The level of privilege or access required to function
  • Integration and dependencies with other software
  • Direct access to networking and computing resources
  • Performance of a function critical to trust and the potential for harm if compromised
Definition of critical software under the EO 

On June 25, 2021, NIST published a definition for critical software, which is referred to as “EO-critical” to differentiate from other potential definitions and meanings of critical software. EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • It is designed to run with elevated privilege or manage privileges
  • It has direct or privileged access to networking or computing resources
  • It is designed to control access to data or operational technology
  • It performs a function critical to trust
  • It operates outside of normal trust boundaries with privileged access
Identity and access management is critical software

NIST provided a preliminary list of software categories characterized as EO-critical. At the top of the list is Identity, Credential and Access Management (ICAM).  It is described as “software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices.”

It’s no wonder that ICAM is at the top of the list of EO-critical software. This type of software plays a critical role in information technology (IT) modernization and digital transformation efforts now that more machines are performing tasks that were traditionally performed by people, and the associated need to manage machine identities. A few months ago, Gartner identified machine identity management as critical as well as a “high-priority” for all enterprises.

Gartner notes that “Machine identity management aims to establish and manage trust in the identity of a machine (mobile devices and IoT devices and workloads such as applications and containers) interacting with other entities, such as devices, applications, cloud services or gateways.” NIST adds that ICAM platforms are “foundational for ensuring that only authorized users, systems, and devices can obtain access to sensitive information and functions.” According to the Gartner Hype Cycle, an “enterprise-wide machine identity management strategy is needed to support digital transformation in modern IT environments.” 

The authoritative list of critical software is scheduled to be released by the Cybersecurity & Infrastructure Security Agency (CISA) on a later date. 


The recent EO demonstrates that partnering with the private sector to protect IT systems against malicious cyber actors is a top priority for the Biden administration. This includes bold changes and improvements to secure software development and a phased approach to securing the supply chain of EO-critical software such as ICAM. 

As machine identities play an increasingly critical role in the daily operations of public and private sector organizations, ICAM products must align with the requirements of the EO, the NIST definition of critical software, as well as future implementation guidance.

Venafi can help you safeguard the code signing machine identities used in your critical software supply chain with the Venafi CodeSign Protect solution. To learn more about how Venafi can help you protect your machine identities, contact our experts.

Related Posts

Like this blog? We think you will love this.
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Ambler Jackson
Guest Blogger: Ambler Jackson
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more