NIST Defines Critical Government Software

The National Institute of Standards and Technology (NIST) has released its definition of what software should be considered ‘critical.’ That definition determines which categories of software sold to the federal government will have to meet a new set of security requirements.


What is NIST?

If you work in IT, you have probably encountered some of its publications, such as the Cybersecurity Framework, the SP 800 series of security guidelines, and the FIPS standards. Many of these are adopted, by regulation or by contract, as requirements that companies must meet in order to obtain the security certifications or authorizations needed to do business with the federal government.

The organization existed long before cybersecurity was even a concept, though. NIST was founded in 1901 as the National Bureau of Standards (it took its current name in 1988) and has a mission “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

In the early 1900s, NIST fulfilled this goal through work such as measurement standardization. Measurement science is still a core part of its work, but in recent years a prominent part of its output has been standards and guidelines for security best practices. NIST is not a regulatory agency, but its standards are still treated as authoritative when working with the government: federal agencies are required to follow NIST standards and guidelines, and those requirements flow down to vendors through procurement.


What Changed?

The new definition of critical software comes from the effort to implement President Biden’s executive order on cybersecurity (Executive Order 14028, “Improving the Nation’s Cybersecurity,” signed May 12, 2021), which directed NIST to define the term. The previous way of thinking was that a piece of software would be deemed critical depending on how it was used; now, software is classified based on its own attributes and functionality, for example whether it runs with elevated privileges or manages privileges, whether it has privileged access to networking or computing resources, or whether it controls access to data.

NIST has published a preliminary list of 11 categories of software that fall under this definition, and the Cybersecurity and Infrastructure Security Agency (CISA) will follow up with a definitive list of categories and products.


What it Means

If you’re a vendor that creates software sold to the federal government, these changes should be welcome, as they bring clarity to which software is considered critical. Previously, a vendor would have had to know or guess how its software would actually be deployed, creating confusion about whether or not it was deemed critical.

The wider implication of applying these security standards to government vendors is that the general public will benefit as well. If the security requirements have to be built into the product being sold to the government, there is little sense in maintaining a separate, less secure version of the software for other customers. Given the pace at which cyberattacks have been increasing, it’s important that this rising tide of security requirements lifts standards not just for working with the government, but for every customer and citizen as well.


Security is always a front-of-mind topic for Extract, particularly because we offer software that automates the process of shielding sensitive data from the public. Our software, ID Shield, automatically reads documents and redacts the personally identifiable information of your choosing. If you’re interested in learning more about how we do this, please reach out and we’d be happy to set you up with an introductory call or a demonstration of the software.


About the Author: Chris Mack

Chris is a Marketing Manager at Extract with experience in product development, data analysis, and both traditional and digital marketing. Chris received his bachelor’s degree in English from Bucknell University and holds an MBA from the University of Notre Dame. A passionate marketer, Chris strives to make complex ideas more accessible to those around him in a compelling way.