[BreachExchange] FDA Tells NIST Securing ‘Critical Software’ Extends Beyond Devices

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 15 12:23:43 EDT 2021


https://www.nextgov.com/cybersecurity/2021/06/fda-tells-nist-securing-critical-software-extends-beyond-devices/174720/

The Food and Drug Administration is encouraging the National Institute of
Standards and Technology to adopt a view of "critical software" that
encompasses not just that in physical devices, but also third-party
software the devices rely on.

“Safe and effective devices are essential to effective patient care and
healthcare delivery, and thus, software is ‘critical software’ generally
(i) where it meets the definition of device and (ii) where the software is
necessary for the safe and effective use of a device,” the FDA wrote in
comments NIST published Friday.

NIST issued a call for position papers on May 13 to help inform its work
complying with Executive Order 14028, the administration’s response to a
series of major cybersecurity incidents that compromised federal agencies
and critical infrastructure.

Among other things, the agency is tasked with identifying criteria for
determining “critical software,” which the executive order says agencies
should prioritize in applying new procurement standards.

The agency received more than 150 comments, mostly from industry
representatives. The Consumer Technology Association, for example, wrote
that critical technology should be “narrowly defined.” But the FDA and the
National Science Foundation also weighed in, both drawing attention to how
tightly operational technology, such as the industrial control systems that
manage physical processes in electric utilities, is integrated with the
information technology that connects it.

“The complex integration of heterogeneous software within physical-world
engineered systems creates challenges in securing their supply chains,
including in designating which software components are critical,” the NSF
wrote. “In particular, determining which software components are critical –
i.e. both vulnerable to intrusion and causative of systemic failures upon
attack – is especially challenging in the [cyber-physical systems] space
because of their complex interdependencies with other physical/cyber
components and their complex provenance.”

NSF called attention to research it’s been doing in the area, saying it
should be helpful though “in its nascency.”

The FDA similarly highlighted its work in the field, which is already being
implemented. The agency is at the forefront of efforts to standardize a
cybersecurity bill of materials—more comprehensive than a software bill of
materials, this includes hardware and other components—for the manufacture
and use of medical devices.

Kevin Fu, the FDA’s acting director of medical device cybersecurity, paid
particular attention to the use of the cloud in his comments.

“Critical functions are shifting from on premises software infrastructure
to distributed and remote infrastructure, including newly essential cloud
services depended upon during the diagnosis and treatment of disease,” he
said.