The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.