To further bolster America’s cybersecurity posture, President Joe Biden released Executive Order 14028, which lays out several key points that all organizations and government agencies must adhere to in order to protect themselves from cyber threats. In September 2022, the Office of Management and Budget (OMB) issued a memorandum with additional detail that requires agencies to comply with NIST guidance.
It is crucial to be aware of these evolving requirements and ensure your organization is taking steps to implement them, especially if you are a part of a compliance or cybersecurity team.
Let’s take a closer look at some key points outlined in EO 14028.
What is the Cybersecurity Executive Order (Executive Order 14028)?
The Cybersecurity Executive Order (Executive Order 14028) responds to the growing number of cyberattacks against government agencies, critical infrastructure and other companies. It is meant to help the U.S. government and private sector work together to better protect themselves from these threats.
EO 14028 is essential because it establishes a clear framework for how the government and private sector should work together to improve cybersecurity. It defines critical software and sets up a system for information sharing to help organizations protect themselves from cyber threats.
The executive order encourages a voluntary program for companies to participate in, which will help them share cyber threat information and identify and manage cybersecurity risks.
What you can expect as a private sector contractor
- Modifying contract language to reflect new guidance from the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA). If your company cannot accept the modification, you will not be able to participate in the Federal Government’s procurement process and sell software products.
- The U.S. General Services Administration (GSA) will provide updates on all significant developments.
- Continued guidance from OMB to enhance software supply chain security.
- Future updates to the Federal Acquisition Regulation (FAR).
Key Points to Improve the Nation’s Cybersecurity
There are several key points from Executive Order 14028 that organizations should be aware of and consider to improve their cybersecurity initiatives.
Remove barriers to threat information sharing between the government and the private sector
One of the main goals of President Biden’s Executive Order 14028 is to remove barriers to threat information sharing between the government and the private sector, protecting national security.
According to this 2021 White House announcement, the Federal Government contracts with the private sector, specifically Information Technology (IT) and Operational Technology (OT) service providers, to conduct various day-to-day functions on Federal Information Systems. These IT service providers, including secure cloud service providers, have unique access to and insight into cyber threats and incident and threat information on Federal Information Systems spanning various government networks.
At the same time, current contract terms or restrictions may restrict the sharing of cyber threat or incident information with executive departments and government agencies responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC).
The EO removes these contractual barriers and increases the sharing of information about cyber threats, cybersecurity incidents, and risks.
The Director of the Office of Management and Budget (OMB), in consultation with the Secretary of the Department of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, reviewed the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers.
They also recommended necessary updates to the FAR Council and other appropriate agencies, including descriptions of contractors covered by the proposed contract language.
Modernize and implement stronger cybersecurity standards in the federal government
The executive order signed by Biden sets out several directives and security measures that will modernize and strengthen cybersecurity standards for the federal government. The EO establishes a Federal Cybersecurity Framework, providing agencies with a common set of standards to follow—or a playbook—to protect their systems and data.
The Framework will also make it easier for businesses to sell products and services to the government, as they will be able to demonstrate that they meet the same cybersecurity standards as the federal government during the procurement process.
Meeting the requirements of Executive Order 14028 will help businesses show that they are taking cybersecurity seriously and are protecting their customers’ data.
Improve software supply chain security
Biden’s Executive Order 14028 mandates that businesses that sell to the Federal Government improve their software supply chain security. Other companies will want to follow similar practices but don’t have a mandate for compliance.
Compliance with the executive order will require businesses to manage and secure their software supply chains better. This is important because companies rely on software for critical operations, and poor security in the software supply chain can lead to data breaches, system failures, and other costly problems.
By improving software supply chain security, businesses can protect themselves from cyberattacks and ensure that their software is safe and reliable.
Organizations must also identify their critical software and key access points to improve software supply chain security. With this information, they can better protect their systems from potential attacks by ensuring that only trusted and verified software is used, and they can focus their security efforts on the areas that matter most.
Companies also need to develop SBOMs (software bills of materials) that list all of the software components in their products and track updates to those components. An SBOM helps ensure that only the latest and most secure versions of software components are used in a product, and it makes tracking component updates more efficient. SBOMs empower companies to quickly identify and address any vulnerabilities that may have been introduced by changes to those components.
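The paragraph above describes what an SBOM is for: inventorying components, tracking their updates, and spotting vulnerabilities introduced by a change. The following added example (not code from the original article or from Exiger) shows that workflow in Python. It parses two constructed CycloneDX-style SBOM documents for a product before and after a release, diffs the component sets, and checks each version against a constructed advisory list. All component names, versions and advisory identifiers (`ADVISORY-EXAMPLE-001`, `ADVISORY-EXAMPLE-002`) are placeholders invented for the example, not real packages or CVEs.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs in a minimal CycloneDX-like JSON shape. These are
# not real project data; the component names and versions are invented.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-http-lib", "version": "2.1.0"},
        {"name": "example-json-parser", "version": "1.4.2"},
        {"name": "example-logger", "version": "0.9.0"},
    ],
})

SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-http-lib", "version": "2.2.0"},      # upgraded
        {"name": "example-json-parser", "version": "1.4.2"},   # unchanged
        {"name": "example-crypto-shim", "version": "0.1.0"},   # newly added
        # example-logger was removed in this release
    ],
})

# Constructed advisory feed (placeholder identifiers, not real CVEs):
# component name -> {affected version: advisory id}.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "example-json-parser": {"1.4.2": "ADVISORY-EXAMPLE-001"},
    "example-crypto-shim": {"0.1.0": "ADVISORY-EXAMPLE-002"},
}


def load_components(sbom_json: str) -> Dict[str, str]:
    """Return {component name: version} from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    components: Dict[str, str] = {}
    for entry in doc.get("components", []):
        # A component without a name or version cannot be tracked; reject it
        # rather than silently producing an incomplete inventory.
        if "name" not in entry or "version" not in entry:
            raise ValueError("component missing name or version: %r" % entry)
        components[entry["name"]] = entry["version"]
    return components


def diff_sboms(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, list]:
    """Describe how the component inventory changed between two SBOMs."""
    added = sorted(name for name in after if name not in before)
    removed = sorted(name for name in before if name not in after)
    changed: List[Tuple[str, str, str]] = sorted(
        (name, before[name], after[name])
        for name in after
        if name in before and before[name] != after[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def find_affected(components: Dict[str, str],
                  advisories: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every component with a known advisory."""
    hits = []
    for name, version in components.items():
        advisory_id = advisories.get(name, {}).get(version)
        if advisory_id is not None:
            hits.append((name, version, advisory_id))
    return sorted(hits)


def newly_introduced(before: Dict[str, str], after: Dict[str, str],
                     advisories: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Advisories that apply to the new SBOM but did not apply to the old one,
    i.e. exposure introduced by this release's component changes."""
    already_present = set(find_affected(before, advisories))
    return [hit for hit in find_affected(after, advisories) if hit not in already_present]


if __name__ == "__main__":
    old = load_components(SBOM_BEFORE)
    new = load_components(SBOM_AFTER)
    print("inventory diff:", diff_sboms(old, new))
    print("all affected components in new release:", find_affected(new, ADVISORIES))
    print("introduced by this release:", newly_introduced(old, new, ADVISORIES))
```

The distinction between `find_affected` and `newly_introduced` is the practical one for release review: the first is the full exposure of the shipped product, the second isolates what the latest component changes brought in, which is exactly the signal the paragraph says an SBOM should provide. In practice the advisory map would be populated from a vulnerability feed keyed by package URL rather than by bare name and version.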
Create a standardized playbook for responding to cybersecurity vulnerabilities and incidents
Creating a standardized playbook for responding to cybersecurity vulnerabilities and incidents is crucial because it helps businesses better prepare for cyberattacks. It ensures that everyone is taking the same steps to protect their networks and data in the event of an attack.
The standardized playbook will help businesses identify the most appropriate incident response and security practices for different attacks, improving their chances of damage mitigation.
With a plan in place, businesses can also minimize the damage caused by a cyber incident and hopefully recover more quickly. A playbook avoids confusion while speeding up incident reporting and response time, which can be critical in preventing further damage.
Improve investigative and remediation capabilities
Executive Order 14028 aims to improve federal agencies’ investigative and remediation capabilities to protect businesses and the public from economic espionage, trade secret theft, and cybercrime. By improving these capabilities, agencies will be better equipped to identify and respond to threats, helping to ensure that businesses can operate safely and securely in today’s digital age.
Additionally, improved investigative and remediation capabilities will help deter malicious actors from engaging in adverse behavior, ultimately protecting businesses and consumers.
Other requirements by the EO
Further requirements from the Executive Order are summarized below:
- Service providers must share cyber incidents and threat information that could impact Government networks
- The Federal Government shifts to secure cloud services and Zero Trust Architecture (ZTA), replacing outdated trust-based security models. The Zero Trust security model rejects the idea that users can be trusted just because they are on a trusted network: every user is untrusted until proven trustworthy. This way of thinking improves real network security by ensuring that only authorized users have access to sensitive data and systems.
- Deployment of multifactor authentication and encryption within a specific period
- Established baseline security standards for secure software development, requiring developers to maintain greater visibility into their software and make security data publicly available
- A Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The review board will convene following a significant cyber incident to analyze the incident and provide recommendations for improving cybersecurity
- Ability to identify and prevent cyber attacks on Federal networks by facilitating a government-wide endpoint detection and response system and improved information sharing within the Federal Government
- Creation of cybersecurity event log requirements for Federal departments and agencies
Ensure Compliance with Executive Order 14028 with Exiger
Executive Order 14028 is vital to improve business software supply chain security. By complying with the executive order, businesses can protect themselves from cyberattacks and ensure that their software is safe and reliable.
Exiger offers a suite of solutions that can help organizations comply with the executive order and improve their software supply chain security.
Contact us today to learn more about how we can help you secure your business’ future.
Looking to empower your company or government agency to protect your supply chains from lurking risk? Look no further than Exiger’s Supply Chain Explorer, the world’s first real-time supply chain risk platform.