In May 2021, the White House released the Executive Order on Improving the Nation’s Cybersecurity, also known as EO 14028. The document is fairly dense, but its contents are of the utmost concern for federal agencies, critical infrastructure, and government contractors (especially cloud service providers and software developers).
The order is meant to improve the nation’s cybersecurity and protect federal government networks. The White House states that incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline attack are a “sobering reminder” that U.S. entities increasingly face advanced malicious cyber activity from both nation-state actors and cyber criminals. The recent Change Healthcare incident could easily be added to the list.
As insufficient cybersecurity leaves public and private sector entities more vulnerable to intrusions, EO 14028 aims to tackle the issue head on. In the document, the government also calls for increased participation from the private sector that owns and operates a large part of U.S. critical infrastructure.
In this article, we’ll dig into what EO 14028 contains along with its core initiatives. We’ll also look at which companies are most affected by the order and how they can approach it with a solid compliance plan.
EO 14028’s 7 core areas of emphasis
The Executive Order on Improving the Nation’s Cybersecurity focuses on seven areas of action which are:
1. Remove barriers to threat information sharing between government and the private sector
The Executive Order requires IT service providers to share certain breach information. As per the White House, “Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses.”
2. Modernize and implement stronger cybersecurity standards in the federal government
The Executive Order aims to move the Federal government towards secure cloud services and a zero-trust architecture. It also mandates the deployment of multifactor authentication (MFA) and encryption within a specific time period.
3. Improve software supply chain security
EO 14028 establishes baseline security standards for development of software sold to the government. It also requires developers to maintain greater visibility into their software and make security data publicly available. The Office of Management and Budget (OMB) will enforce software security standards developed by NIST, which includes vulnerability checks and the creation of a software bill of materials (SBOM).
4. Establish a cybersecurity safety review board
The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that will analyze significant cyber events and then make recommendations on how to improve cybersecurity.
5. Create a standard playbook for responding to cyber incidents
EO 14028 creates a standardized playbook for cyber incident response by federal departments and agencies. The playbook will ensure all Federal agencies are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
6. Improve detection of cybersecurity incidents on federal government networks
Executive Order 14028 improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response (EDR) system and improved information sharing within the Federal government.
7. Improve investigative and remediation capabilities
Poor logging hurts an organization’s ability to detect intrusions, mitigate in-progress hacks, and determine the extent of damage after an attack. EO 14028 creates cybersecurity event log requirements for federal departments and agencies.
Who is affected by Executive Order 14028?
The Executive Order on Improving the Nation’s Cybersecurity primarily impacts two broad categories of entities:
Federal government agencies
The order directs federal government agencies to enhance their cybersecurity measures, adopt best practices, and improve their software supply chain security. This includes agencies at various levels of the government, from federal departments to independent agencies and regulatory bodies.
Private sector companies
EO 14028 also has implications for companies operating in the private sector that may include:
Government contractors and suppliers
Companies that provide goods and services to the federal government, including technology vendors, software developers, and contractors involved in federal projects, may be required to adhere to new cybersecurity standards and supply chain security measures outlined in the order.
Critical infrastructure operators
Entities operating critical infrastructure sectors like energy, transportation, finance, healthcare, and telecommunications may be impacted by the executive order. They may need to strengthen their cybersecurity practices to align with the recommended standards and requirements, particularly if they have connections to federal networks or if their operations are deemed critical to national security.
Software and technology companies
Companies involved in developing and supplying software and technology products, including software vendors, cloud service providers, and IT service providers, may be subject to new regulations and guidelines aimed at improving software supply chain security and promoting transparency in software procurement.
Financial institutions
Banks, financial services firms, and other entities in the financial sector may be affected by the executive order’s provisions related to enhancing cybersecurity standards and information sharing, particularly if they have interactions with federal agencies or provide services critical to the functioning of the economy.
Cloud providers and FedRAMP compliance
One of the goals of EO 14028 is to standardize common cybersecurity contractual requirements across agencies to streamline and improve compliance for vendors and the Federal Government. We can see an example of this in what the order says about the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP requires that covered companies implement a set of security controls to ensure that all federal data is secure in cloud environments. All cloud service providers (including IaaS, PaaS, SaaS applications) used by federal agencies must demonstrate FedRAMP compliance.
The Executive Order tasks the Administrator of General Services, in consultation with the Director of OMB and other agencies, to modernize FedRAMP. This process includes identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process.
Software supply chain rules
Another core goal of EO 14028 is to establish baseline security standards for development of software sold to the government. The order states that NIST, CISA, and the OMB will be involved in establishing guidance outlining security measures for critical software including applying practices of least privilege, network segmentation, and proper configuration.
Furthermore, suppliers of software available for purchase by agencies will be presented contracts that mandate compliance with this guidance. What happens to software products that do not meet requirements? Unfortunately, they will be removed from contracts, such as Federal Supply Schedules, Federal Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts.
The Executive Order requires agencies employing software developed and procured prior to the date of the order (i.e. legacy software) either to comply with requirements or to present a plan showing how they will remediate or meet the requirements. Additionally, agencies seeking renewal of software contracts, including legacy software, will be required to comply with the order.
Compliance challenges that come with EO 14028
For government contractors and providers, regulations such as Executive Order 14028 are by no means easy to navigate. For starters, the order was released in May 2021, but in June 2023 a memorandum was released extending the timelines for agencies to collect attestations from software producers.
As per the memo, attestations must be collected from software producers used by government agencies since the “producer of that end product is best positioned to ensure its security.” An attestation serves as an affirmative statement that the producer follows the secure software development minimum requirements and reflects best practices for minimizing risk as articulated in NIST’s SSDF.
This memo isn’t the only information stemming from the Executive Order. For instance, the law firm Covington & Burling has published at least 34 blogs written about Executive Order 14028 news and updates since the order’s release. Meanwhile, for companies involved in the booming AI market, the White House also released the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
With the myriad of regulations and orders, it’s pretty much impossible to remain up to date with all relevant updates without a large resource drain. The ideal solution would be to build a scalable process where you can adapt to EO 14028 (and other pressing regulatory updates) without it consuming too much of your time.
How continuous compliance can help
How can organizations remain compliant when regulations are added or updated every month? The answer is to stay compliant continuously. In fact, the world is moving toward continuous monitoring as the standard. Continuous compliance may sound onerous at first. That’s because your teams are already laden with security questionnaires, audit documentation requests, and other manual compliance operations processes.
Best practice — for both compliance and security — would be to build automation into your process to fully take over repetitive tasks within your system security plan. Automation helps organizations save time, improves visibility, and cushions the blow when new requirements pop up that increase your workload. Additionally, automation is likely something auditors will consider best practice in the near future since it makes their jobs easier too.
Hyperproof’s powerful compliance operations platform is specifically designed to automate evidence collection and link evidence to requirements and controls with dozens of integrations. This means your proof is always up-to-date for your next audit. For FedRAMP in particular, you can:
- Automatically generate SSP Appendix A reports to get a comprehensive overview of your security program and prepare for your FedRAMP audit
- Use Hyperproof’s Jumpstart feature to map your existing FedRAMP controls across multiple frameworks like ISO 27001 and NIST SP 800-53 so you can quickly add new frameworks
How to scale compliance
Automation is key for scaling. As your organization grows, expands into new markets, or acquires other organizations, your compliance must keep up with expansion. For a large-scale organization, the nuances and rapid rate of change for directives such as Executive Order 14028 are formidable. If you multiply this by any number of other regulatory or certification bodies, you can easily overwhelm your teams and risk being non-compliant.
The best solution not only automates each separate compliance requirement, but also detects and coordinates overlap to minimize the work your teams have to do. Advanced compliance operations optimize your efforts by mapping common controls to compliance requirements, automating evidence collection, mitigating issues, and monitoring your compliance posture, all in one place.
How EO 14028 impacts multi-product vendors
What if your company is selling multiple products to different segments, markets, or government agencies? Or what if different departments within your company acquire new systems that require security? Or maybe your company includes multiple operational sites or geographies within the scope of a standard or certification.
It’s likely that all these scenarios will be required to meet compliance standards within some frameworks. Given the ongoing cyber risk, the rules are likely to become more stringent, not less.
For multi-product vendors, compliance teams need to onboard additional product lines, systems, divisions, entities and/or owners onto existing controls. But creating an individual control for each new product is neither scalable nor efficient.
Hyperproof’s unique multi-scope controls management feature addresses the problem that arises when an organization’s reach and its respective compliance burden grows. Multi-scope controls management lets your central compliance team implement controls and communicate control requirements across multiple entities or units within your organization that fall in-scope. This provides you with the flexibility to scope or structure the relevant entities that need to adhere to controls requirements.
Instead of creating a separate control for each entity, you can manage and share common information and overall health at parent control levels that is then shared with child controls as read-only.
Use new tools and strategies to keep up with EO 14028
Cyber attacks are not going away any time soon. Executive Order 14028 is an important step in addressing the risks associated with our current reality. It’s imperative that the government takes a leadership role in securing its services, critical infrastructure, and the needs of society.
Inevitably, the order ushers in important regulations that affect a wide number of organizations working with U.S. government agencies. And to keep up with all the requirements, new tools and strategies are required to make compliance simpler, easier, and more transparent.
Monthly Newsletter