What Is Executive Order 14028 (U.S. Cybersecurity Executive Order)?
The Cybersecurity Executive Order (Executive Order 14028) is a U.S. executive order issued by President Biden on May 12, 2021. The order seeks to address the growing threat of cyber attacks and data breaches, ensuring the security and integrity of the software used by the federal government and promoting secure software development practices.
Executive Order 14028 outlines a series of actions to be taken by federal agencies and defines cybersecurity requirements for government contractors. It directs the creation of a Cyber Safety Review Board, establishes a cybersecurity training program for federal employees, and calls for the implementation of stronger cybersecurity standards for federal networks and systems.
The following image shows the initial timeline for implementing EO14028 in the U.S. Government.
Who is Affected by Executive Order 14028?
Executive Order 14028 affects the following parties:
- Federal agencies: The order requires federal agencies to take specific actions to improve the cybersecurity of their networks and systems, such as implementing stronger security measures, conducting regular risk assessments, and providing cybersecurity training for employees.
- Critical Infrastructure: The order recognizes the importance of protecting critical infrastructure, such as power plants, water systems, and financial institutions, from cyber threats and directs agencies to work with these organizations to improve their cybersecurity.
- Federal Contractors: The order requires federal contractors to take steps to secure their systems and networks when handling sensitive information on behalf of the government.
Executive Order 14028: Requirements and Goals
The four main requirements and goals of Executive Order 14028 are:
Sharing Threat Intelligence and Incident Reporting
The first requirement is to ensure that all federal contracts for IT and IT security services include provisions for the sharing of threat intelligence and the reporting of cybersecurity incidents. This is aimed at improving the overall visibility into potential cyber threats and enabling faster response times.
Section 2 of Executive Order 14028 directs updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) so that contracts require contractors to preserve data related to cyber events, report cyber events to the Cybersecurity and Infrastructure Security Agency (CISA), and cooperate in investigations.
Under this requirement, federal contracts for IT and IT security services must include provisions for the sharing of threat intelligence and the reporting of cybersecurity incidents. This means that contractors must collect and preserve data related to any potential cyber threats or incidents and share that information with CISA in a timely manner.
Additionally, contractors must cooperate with CISA in any investigations related to cyber events. By requiring contractors to share information about cyber events and incidents, the government can better understand the nature and extent of cyber threats and take appropriate actions to mitigate them.
Upgrading to Fortune 1000 Standards
The second requirement is to bring federal civilian agencies up to the standards of the Fortune 1000, a group of the largest and most successful companies in the U.S. This is aimed at ensuring that the federal government has a minimum level of cybersecurity comparable to that of the private sector.
To achieve this requirement, the following sections of the order outline specific steps and requirements:
- Cloud Adoption, Zero Trust, and Multi-Factor Authentication: Section 3 of the order pushes for the adoption of cloud computing, zero trust security models, and multi-factor authentication. This is aimed at improving the security of federal agencies’ IT systems and reducing the risk of cyber attacks.
- Incident Response Playbook: Section 6 charges CISA with developing an incident response playbook. This playbook will provide guidance on how federal agencies should respond to cyber incidents and help ensure a coordinated response to any incidents that occur.
- Endpoint Detection and Response (EDR): Section 7 of the order mandates the use of EDR, a type of security software that monitors endpoints (such as laptops, desktops, and servers) for suspicious activity and provides real-time visibility into potential cyber threats.
- Logging Requirements: Section 8 sets logging requirements for federal agencies, including the collection and preservation of log data and the use of automated tools for log analysis. This is aimed at improving visibility into potential cyber threats and enabling faster response times.
- National Security Systems: Section 9 addresses national security systems, which are IT systems that are used to support national security missions and are subject to special security requirements. This section mandates the implementation of additional security measures for these systems to ensure the protection of sensitive information and operations.
Improving Software Security
The third main requirement of Executive Order 14028 is to improve the security of the software that the federal government uses. To achieve this requirement, the following steps and requirements are outlined in the order:
- NIST Standards Development: Section 4 of the order directs the National Institute of Standards and Technology (NIST) to develop standards for software security. These standards will provide guidelines and best practices for the secure development, testing, and deployment of software used by federal agencies.
- OMB Enforcement: The Office of Management and Budget (OMB) is charged with enforcing the software security standards developed by NIST. OMB will ensure that federal agencies follow the standards and implement appropriate software security measures.
- Vulnerability Checking: The order calls for the regular checking of software for vulnerabilities and the timely remediation of any vulnerabilities that are discovered. This is aimed at reducing the risk of software being exploited by attackers and ensuring that federal agencies are using secure software.
- Software Bill of Materials (SBOM): The order calls for the creation of an SBOM for software used by federal agencies. A software bill of materials is a comprehensive list of the components that make up a software application and is used to help manage security risks.
Investigating and Disseminating Incident Findings
The final goal of the order is to investigate significant cyber incidents that occur within the federal government, understand why they happened, and disseminate those findings to other agencies and the public. This is aimed at improving the overall cybersecurity posture of the government and preventing similar incidents from happening in the future.
Section 5 of the order creates a Cyber Safety Review Board to investigate incidents that occur in the federal government’s IT systems. The board will be responsible for determining the root cause of incidents and making recommendations for how to prevent similar incidents from happening in the future.
The findings of the investigations conducted by the board will be disseminated to relevant stakeholders, including federal agencies and contractors. The goal of disseminating these findings is to ensure that they are widely known and understood, so that federal agencies and contractors can take appropriate action to prevent similar incidents from happening in the future.
NIST’s Responsibilities Under Executive Order 14028
NIST has multiple responsibilities under Executive Order 14028 to enhance software supply chain security. These include:
- Developing standards, tools, best practices, and other guidelines to enhance software supply chain security based on input from the private sector, academia, government agencies, and others.
- Evaluating software security and security practices of developers and suppliers.
- Demonstrating conformance with secure practices through innovative tools or methods.
- Publishing security measures for critical software and minimum standards for software testing.
- Issuing preliminary and additional guidelines for enhancing software supply chain security.
- Identifying practices that enhance software supply chain security and references to standards, procedures, and criteria.
- Identifying IoT cybersecurity criteria and secure software development criteria for a consumer labeling program.
- Providing additional information on its software supply chain guidance plans including review and update procedures.