
FDA Tells NIST Securing ‘Critical Software’ Extends Beyond Devices

Two federal agencies were among those who submitted comments to the National Institute of Standards and Technology for shaping deliverables under a recent executive order.

The Food and Drug Administration is encouraging the National Institute of Standards and Technology to adopt a view of “critical software” that encompasses not just that in physical devices, but also third-party software the devices rely on.

“Safe and effective devices are essential to effective patient care and healthcare delivery, and thus, software is ‘critical software’ generally (i) where it meets the definition of device and (ii) where the software is necessary for the safe and effective use of a device,” the FDA wrote in comments NIST published Friday.

NIST issued a call for position papers on May 13 to help inform its work complying with Executive Order 14028, the administration’s response to a series of major cybersecurity incidents that compromised federal agencies and critical infrastructure.

Among other things, the agency is tasked with identifying criteria for determining “critical software,” which the executive order says agencies should prioritize in applying new procurement standards.  

The agency received more than 150 comments, mostly from industry representatives. The Consumer Technology Association wrote that critical technology should be “narrowly defined,” for example. But the FDA and the National Science Foundation also weighed in, both drawing attention to the integrated nature of operational technology, such as the industrial control systems that manage physical processes in electric utilities, and the information technology that connects it.

“The complex integration of heterogeneous software within physical-world engineered systems creates challenges in securing their supply chains, including in designating which software components are critical,” the NSF wrote. “In particular, determining which software components are critical – i.e. both vulnerable to intrusion and causative of systemic failures upon attack – is especially challenging in the [cyber-physical systems] space because of their complex interdependencies with other physical/cyber components and their complex provenance.”

NSF called attention to research it’s been doing in the area, saying it should be helpful though “in its nascency.” 

The FDA similarly highlighted its work in the field, which is already being implemented. The agency is at the forefront of efforts to standardize a cybersecurity bill of materials—more comprehensive than a software bill of materials, this includes hardware and other components—for the manufacture and use of medical devices. 

Kevin Fu, the FDA’s acting director of medical device cybersecurity, paid particular attention to the use of the cloud in his comments.

“Critical functions are shifting from on premises software infrastructure to distributed and remote infrastructure, including newly essential cloud services depended upon during the diagnosis and treatment of disease,” he said. 

Source: https://www.nextgov.com/cybersecurity/2021/06/fda-tells-nist-securing-critical-software-extends-beyond-devices/174720/
