At the end of July 2021, US President Joe Biden issued a directive that could immediately affect IoT security. The president directed the National Institute of Standards and Technology (NIST) to update the definition of what constitutes “critical” software components typically found within supply chains.
Under the Administration’s executive order, NIST was asked to review and secure the nation’s critical supply chains. To do so, NIST had to decide which categories of cybersecurity technology would be covered in the first implementation phase of the order. NIST excluded embedded software and firmware components, acknowledging that they are “critical” to securing systems but declaring them too complex to include in this early phase.
NIST has stated that it coordinated with other agencies, such as the Cybersecurity & Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence, and the Department of National Security, when drawing up the outline for phase one of the order. Still, these agencies and the others NIST worked with have said they will devise their own lists of software categories that fall within the scope of the first phase of the review.
NIST’s Review of Biden’s Executive Order Confuses Experts
Experts who have weighed in on NIST’s decision to exclude embedded software and firmware from the order are more than a little confused, since these low-level controls over device hardware are among the most basic building blocks of cybersecurity. NIST’s definition of what is “too complex” could exclude critical elements such as firewalls merely because they run on devices rather than in the cloud.
At Allegro Software, we agree with these experts. Just because NIST considers embedded software and firmware complex does not mean these should necessarily be excluded from the executive order. If anything, something complex requires more elevated security standards and warrants attention.
Why NIST Drew the Line at Embedded Software and Firmware
Those of us in the field of IoT security wonder whether NIST drew the line at embedded software and firmware because it did not want to get in over its head. If NIST overextends its definition of what counts as critical software, the agency risks deterring private tech companies from working alongside the federal government. Although that is a valid concern, it does not justify excluding this class of software.
A lack of clarity is a significant concern regarding NIST’s dismissal of embedded software and firmware as critical elements. Experts believe this requires the immediate attention of the president’s newly appointed task force on supply chain disruptions. There are hopes that either NIST will add clarity to their intent or that CISA will add this contested category to their list of applicable software.
If these components are not included in phase two of the executive order, cybersecurity as a whole could be in serious jeopardy, with severe repercussions.
We Can Help
At Allegro Software, we stay on top of the current trends in IoT security and how they can be incorporated into protecting your business. We’ll use our proven framework and cutting-edge technology to integrate a proactive security approach into your IoT and embedded system designs. Contact us today and find out how Allegro Software can keep your IoT devices safe from threats.
Allegro Software, headquartered in Boxborough, Massachusetts, is a leading provider of IoT edge security and connectivity software toolkits to manufacturers worldwide. Field-proven in over 250,000,000 devices, our solutions enable OEMs in the Energy, Healthcare, Medical, Military, Enterprise, and Consumer sectors to create connected, secure devices using TLS, SSH, FIPS 140-2 and more. Since 1996, Allegro has been at the forefront of the evolution of embedded device management, security, and connectivity with its patented embedded web server and security toolkits.