NIST Information Technology Lab Creates Web Presence
(Earliest date found.)
Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order
- From NIST
Executive Order Issued
The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
- Executive Order (at National Archives Federal Register)
- Executive Order (from The White House Briefing Room, Presidential Actions)
- Fact Sheet (from The White House Briefing Room, Statements and Releases)
- From the White House
Deadline for Executive Order Sec. 8(b)
Within 14 days of the date of this order, the Secretary of Homeland Security, in consultation with the Attorney General and the Administrator of the Office of Electronic Government within OMB, shall provide to the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency's systems and networks. Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations. Such recommendations shall also be considered by the FAR Council when promulgating rules pursuant to section 2 of this order.
- Deadline
- EO+14d
Enhancing Software Supply Chain Security: Workshop and Call for Position Papers on Standards and Guidelines
On June 2-3, 2021, NIST hosted a virtual workshop to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) on improving the Nation’s Cybersecurity, issued on May 12, 2021.
- From NIST
- Event
NIST Now Analyzing Software Supply Chain Workshop Discussions, Position Papers
More than 1400 participants took part in the June 2-3, 2021, National Institute of Standards and Technology (NIST) workshop on enhancing the security of the software supply chain. [...]
NIST now is reviewing and analyzing the discussions at that virtual workshop, including questions and answers offered by panelists and in a lively exchange in the “chat” feature which maximized participants’ engagement.
- From NIST
Deadline for Executive Order Sec. 4(b)
Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection (e) of this section. The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.
- Deadline
- EO+30d
Deadline for Executive Order Sec. 7(c)
Within 30 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall provide to the Director of OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response regarding FCEB Information Systems.
- Deadline
- EO+30d
NIST Publishes Critical Software Definition
To coordinate the definition with its eventual application, NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with CISA, the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within the scope for the initial phase. Additional guidance on applying this definition for implementing the EO will be forthcoming from CISA and OMB. NIST worked closely with CISA and OMB to ensure that the definition and recommendations are consistent with their plans.
- From NIST
Deadline for Executive Order Sec. 2(g)(i)
Within 45 days of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense acting through the Director of the National Security Agency (NSA), the Attorney General, and the Director of OMB, shall recommend to the FAR Council contract language that identifies: (A) the nature of cyber incidents that require reporting; (B) the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation; (C) appropriate and effective protections for privacy and civil liberties; (D) the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection; (E) National Security Systems reporting requirements; and (F) the type of contractors and associated service providers to be covered by the proposed contract language.
- Deadline
- EO+45d
- Responsibility of HS
- Removing Barriers to Sharing Threat Information (Sec. 2)
Deadline for Executive Order Sec. 4(g)
Within 45 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition of the term “critical software” for inclusion in the guidance issued pursuant to subsection (e) of this section. That definition shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.
- Deadline
- EO+45d
Deadline for Executive Order Sec. 7(g)
Within 45 days of the date of this order, the Director of the NSA as the National Manager for National Security Systems (National Manager) shall recommend to the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) appropriate actions for improving detection of cyber incidents affecting National Security Systems, to the extent permitted by applicable law, including recommendations concerning EDR approaches and whether such measures should be operated by agencies or through a centralized service of common concern provided by the National Manager.
- Deadline
- EO+45d
Deadline for Executive Order Sec. 2(b)
Recommend updates to acquisition regulation contract requirements.
Within 60 days of the date of this order, the Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, shall review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommendations shall include descriptions of contractors to be covered by the proposed contract language.
- Deadline
- EO+60d
- Responsibility of OMB
- Removing Barriers to Sharing Threat Information (Sec. 2)
Deadline for Executive Order Sec. 2(i)
Within 60 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Secretary of Defense acting through the Director of the NSA, the Director of OMB, and the Administrator of General Services, shall review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Such recommendations shall include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language.
- Deadline
- EO+60d
- Responsibility of HS
- Responsibility of CISA
- Responsibility of NSA
- Responsibility of OMB
- Responsibility of Admin of GS
- Removing Barriers to Sharing Threat Information (Sec. 2)
Deadline for Executive Order Sec. 3(b)
Within 60 days of the date of this order, the head of each agency shall: (i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance; (ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and (iii) provide a report to the Director of OMB and the Assistant to the President and National Security Advisor (APNSA) discussing the plans required pursuant to subsection (b)(i) and (ii) of this section.
- Deadline
- EO+60d
- Responsibility of Agency Heads
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 3(c)(iii)
Within 60 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall develop and issue, for FCEB Agencies, a cloud-service governance framework. That framework shall identify a range of services and protections available to agencies based on incident severity. That framework shall also identify data and processing activities associated with those services and protections.
- Deadline
- EO+60d
- Responsibility of HS
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 3(f)
Within 60 days of the date of this order, the Administrator of General Services, in consultation with the Director of OMB and the heads of other agencies as the Administrator of General Services deems appropriate, shall begin modernizing FedRAMP [... (5 specific actions)]
- Deadline
- EO+60d
Deadline for Executive Order Sec. 4(f)
Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.
- Deadline
- EO+60d
Deadline for Executive Order Sec. 4(i)
Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, shall publish guidance outlining security measures for critical software as defined in subsection (g) of this section, including applying practices of least privilege, network segmentation, and proper configuration.
- Deadline
- EO+60d
Deadline for Executive Order Sec. 4(r)
Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, shall publish guidelines recommending minimum standards for vendors' testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).
- Deadline
- EO+60d
Deadline for Executive Order Sec. 7(j)(i)
[The Secretary of Defense and the Secretary of Homeland Security, in consultation with the Director of OMB, shall:] within 60 days of the date of this order, establish procedures for the Department of Defense and the Department of Homeland Security to immediately share with each other Department of Defense Incident Response Orders or Department of Homeland Security Emergency Directives and Binding Operational Directives applying to their respective information networks;
- Deadline
- EO+60d
Deadline for Executive Order Sec. 9(a)
Within 60 days of the date of this order, the Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs. Such requirements shall be codified in a National Security Memorandum (NSM). Until such time as that NSM is issued, programs, standards, or requirements established pursuant to this order shall not apply with respect to National Security Systems.
- Deadline
- EO+60d
Deadline for Executive Order Sec. 7(f)
Defending FCEB Information Systems requires that the Secretary of Homeland Security acting through the Director of CISA have access to agency data that are relevant to a threat and vulnerability analysis, as well as for assessment and threat-hunting purposes. Within 75 days of the date of this order, agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure object level data, as defined in the MOA, are available and accessible to CISA, consistent with applicable law.
- Deadline
- EO+75d
Deadline for Executive Order Sec. 2(g)(iii)
Within 90 days of the date of this order, the Secretary of Defense acting through the Director of the NSA, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.
- Deadline
- EO+90d
- Responsibility of NSA
- Responsibility of HS
- Responsibility of NI
- Removing Barriers to Sharing Threat Information (Sec. 2)
Deadline for Executive Order Sec. 3(c)(i)
Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.
- Deadline
- EO+90d
- Responsibility of OMB
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 3(c)(ii)
Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB and the Administrator of General Services acting through FedRAMP, shall develop and issue, for the FCEB, cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.
- Deadline
- EO+90d
- Responsibility of HS
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 3(c)(iv)
Within 90 days of the date of this order, the heads of FCEB Agencies, in consultation with the Secretary of Homeland Security acting through the Director of CISA, shall evaluate the types and sensitivity of their respective agency's unclassified data, and shall provide to the Secretary of Homeland Security through the Director of CISA and to the Director of OMB a report based on such evaluation. The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.
- Deadline
- EO+90d
- Responsibility of FCEB Agency Heads
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 3(e)
Establish a framework to collaborate on cybersecurity and incident response.
Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.
- Deadline
- EO+90d
- Responsibility of HS
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 7(h)
Within 90 days of the date of this order, the Secretary of Defense, the Director of National Intelligence, and the CNSS shall review the recommendations submitted under subsection (g) of this section and, as appropriate, establish policies that effectuate those recommendations, consistent with applicable law.
- Deadline
- EO+90d
Deadline for Executive Order Sec. 7(i)
Within 90 days of the date of this order, the Director of CISA shall provide to the Director of OMB and the APNSA a report describing how authorities granted under section 1705 of Public Law 116-283, to conduct threat-hunting activities on FCEB networks without prior authorization from agencies, are being implemented. This report shall also recommend procedures to ensure that mission-critical systems are not disrupted, procedures for notifying system owners of vulnerable government systems, and the range of techniques that can be used during testing of FCEB Information Systems. The Director of CISA shall provide quarterly reports to the APNSA and the Director of OMB regarding actions taken under section 1705 of Public Law 116-283.
- Deadline
- EO+90d
Deadline for Executive Order Sec. 2(e)
Ensure service providers share data to enable the Federal Government to respond to cyber threats, incidents, and risks.
Within 120 days of the date of this order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks.
- Deadline
- EO+120d
- Responsibility of HS
- Responsibility of OMB
- Removing Barriers to Sharing Threat Information (Sec. 2)
Deadline for Executive Order Sec. 6(b)
Within 120 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB, the Federal Chief Information Officers Council, and the Federal Chief Information Security Council, and in coordination with the Secretary of Defense acting through the Director of the NSA, the Attorney General, and the Director of National Intelligence, shall develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems. [...specific playbook inclusions]
- Deadline
- EO+120d
Deadline for Executive Order Sec. 3(d)
Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws. [...]
- Deadline
- EO+180d
- Responsibility of all Agencies
- Modernizing Federal Government Cybersecurity (Sec. 3)
Deadline for Executive Order Sec. 4(c)
Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section.
- Deadline
- EO+180d
Deadline for Executive Order Sec. 4(t)
Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.
- Deadline
- EO+270d
Deadline for Executive Order Sec. 4(u)
Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the FTC and representatives from other agencies as the Director of NIST deems appropriate, shall identify secure software development practices or criteria for a consumer software labeling program, and shall consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law. The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone. The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.
- Deadline
- EO+270d
Deadline for Executive Order Sec. 4(d)
Within 360 days of the date of this order, the Director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in subsection (c) of this section.
- Deadline
- EO+360d
Deadline for Executive Order Sec. 4(n)
Within 1 year of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Attorney General, the Director of OMB, and the Administrator of the Office of Electronic Government within OMB, shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.
- Deadline
- EO+1y
Deadline for Executive Order Sec. 4(w)
Within 1 year of the date of this order, the Director of NIST shall conduct a review of the pilot programs, consult with the private sector and relevant agencies to assess the effectiveness of the programs, determine what improvements can be made going forward, and submit a summary report to the APNSA.
- Deadline
- EO+1y
Deadline for Executive Order Sec. 4(x)
Within 1 year of the date of this order, the Secretary of Commerce, in consultation with the heads of other agencies as the Secretary of Commerce deems appropriate, shall provide to the President, through the APNSA, a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain.
- Deadline
- EO+1y