CISA to issue list of software products critical to agency security by end of September

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) is working towards providing federal agencies with a list of critical software products by September 30th, as part of efforts to strengthen U.S. cyber defenses.

Threat Actor: N/A
Victim: Federal agencies

Key Points:

  • CISA aims to deliver a list of example software products, known as “EO-critical software,” that meet specific criteria defined by the National Institute of Standards and Technology.
  • This software catalog will help federal agencies identify potential cyber vulnerabilities in the products they rely on and promote a “secure by design” approach in software procurement processes.
  • Federal cybersecurity has become a top priority after recent high-profile cyberattacks, and the Biden administration is taking steps to enhance national security through improved cyber defenses.
  • Federal agencies have often been targeted by hackers due to their data-rich environments and inadequate on-site cyber protections.

The Cybersecurity and Infrastructure Security Agency is targeting a Sept. 30 deadline to give federal agencies a list of example software products deemed critical for the federal government’s cyber posture.

The target date comes from the agency’s responses to a Thursday Government Accountability Office oversight report that examines implementation of a major 2021 cybersecurity executive order focused on shoring up U.S. cyberdefenses.

The software types, known formally as “EO-critical software” because of their ties to the order’s directives, meet 11 criteria defined by the National Institute of Standards and Technology and have the ability to manage privileges on a system, perform actions related to network protections and control operational technology, among other things.

The list will contain example products and will be transmitted by CISA’s Cybersecurity Division, according to a missive tacked onto the GAO analysis. Its delivery to federal agencies is listed as a top recommendation in the GAO report, which says the U.S. has a handful of objectives to still complete in meeting the executive order’s broad directives, but notes that most of the goals have been met.

The software catalog would likely help agencies gain a better sense of potential cyber vulnerabilities in the products they rely on the most. CISA has frequently pushed a “secure by design” approach in software procurement processes, where manufacturers and vendors would ensure that their products are sold with built-in features aimed at making them cyber-secure once they come off the shelf.

The Office of Management and Budget found in a review last year that most agencies did not have policies in place to address a swath of federally mandated cybersecurity requirements for procured internet of things devices.

Federal cybersecurity became a top priority for the Biden administration after a pair of headline-making cyberattacks at the start of the decade, but recent cases in which Chinese and Russian hackers exfiltrated troves of agency communications have made this issue even more pertinent for national security officials and lawmakers. A recently introduced Senate bill would require new interoperability and cybersecurity standards for online collaboration tools acquired by the federal government.

Federal agencies have repeatedly been a target for hackers because they serve as data-rich environments that don’t always have the necessary on-site cyber protections in place to detect malicious actors or keep them out of sensitive systems.

The Federal Communications Commission in early March, for instance, confirmed it was the target of a phishing scheme in which hackers built a cloned version of an agency verification site to siphon staff login credentials. The State Department also recently warned current and former employees to be cautious of a fraudulent scheme targeting workers’ payroll accounts.

Source: https://www.nextgov.com/cybersecurity/2024/04/cisa-issue-list-software-products-critical-agency-security-end-september/395965/