Exiger Regulatory Roundup, Episode 10: Deep Dive on Executive Order 14028

Mary Kopczynski, CEO of RegAlytics, breaks down this week’s hot regulatory topics, exclusively for Exiger.

Today, we’re doing our first ever deep dive, where instead of giving you a quick glance of regulatory news, I’m going to talk about one thing.  But don’t worry, we still reviewed the 20,166 alerts last week and hand selected the most important ones you need to be aware of included at the end of this blog post.

Executive Order 14028

Today’s focus is Executive Order 14028 on Improving the Nation’s Cybersecurity. Why is an executive order from May 12 of 2021 worth talking about today? Because it is the context for why we are under a flurry of new government contracting rules that will take effort to meet as they come online and also important. In later deep dives, I will break each one of these down so you can completely understand what’s going on. But for now, let’s start with the why. 

So where do we begin? I’m going to take us back to a time when the world was seemingly normal. September of 2019.  Remember?  We were enjoying the hustle and bustle of very full and busy lives. I do recall John Oliver making a “good riddance 2019” video ending with a dumpster fire. Little did we know what 2020 would have in store with the pandemic.

September 2019: SolarWinds Breach

But why September of 2019?  Because back then we had no idea, but we do know now, that a group of Russian-sponsored hackers called Nobellium, gained access to the SolarWinds network. SolarWinds is major software company based in Tulsa, Oklahoma, which provides system management tools for network and infrastructure monitoring, and other technical services to hundreds of thousands of organizations around the world. Among the company’s products is an IT performance monitoring system called Orion.

In October, the hackers injected a small test into Orion, which worked, so on February 20, they injected malicious code into Orion. 

March 2020: SolarWinds Deploys Hacked Code

Fast forward to March of 2020, while all of us were in the process of walking away from our offices for what we believed was a few weeks, SolarWinds unknowingly starts sending out Orion software updates with hacked code.

More than 18,000 companies were impacted, as were government agencies including Homeland Security, the State Department, Commerce and Treasury. It wasn’t detected until late 2020. This time in which the hackers had access unknown is called “dwell” time, and the average dwell time is 95 days. This 14-month window of dwell time was so huge that it’s still not fully confirmed today that the infection is over, given the potential of adversaries to mask their activity while in networks.

Executive Order 14028

The SolarWinds attack was the principal impetus for EO 14028, and it was meant to address some of the issues that made the federal government susceptible to the attack. This is by no means the first executive order on cyber, but it’s the one driving the action today.

In this order, it’s clear that – “incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

There are three main requirements in the order, and all of them are affecting government agencies and contractors and others that work in security now. 

Remove Barriers to Sharing Threat Information

First, the EO calls for a complete review of all Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR) to be reviewed to Remove Barriers to Sharing Threat Information. It’s a funny of way of saying it, because in the description, it talks about more than just removing barriers. It says Homeland Security and the OMB shall ensure to the greatest extent possible that service providers share data with agencies, CISA and the FBI.  

Modernizing Federal Government Cybersecurity

The second part is about Modernizing Federal Government Cybersecurity — bringing these agencies up to Fortune 1000 standards.  This includes zero trust architecture, multi-factor authentication and more.

Enhancing Software Supply Chain Security

The third part is what’s getting a lot of attention: Enhancing Software Supply Chain Security. Some of this, you are already doing, like using multi-factor authentication, encrypting data, and monitoring trust relationships; but some of these requirements — like maintaining accurate and up-to-date data, provenance of software code or components (aka a “Software Bill of Materials” or SBOM) and performing audits, you may not be.

Software Bill of Materials

So this is why your organization is going to have to change if you intend to stay a supplier to the U.S. government. And some of these requirements — for example, a Software Bill of Materials and Hardware Bill of Materials — is where your relationship to Exiger is going to be of great use.

We’ll cover all of this in later deep dives, but today is just the primer and the why. In our next deep dive, I’ll be talking about cyber incident reporting.

Executive Order 14028 Alerts

Agency	Title
National Institute of Standards and Technology	Executive Order 14028: Guidelines for Enhancing Software Supply Chain Security
National Institute of Standards and Technology	Improving the Nation’s Cybersecurity: Progress and Next Steps in Carrying Out Executive Order 14028
National Institute of Standards and Technology	NIST Issues Guidance on Software, IoT Security and Labeling
National Institute of Standards and Technology	NIST Held Webinar on Progress and Next Steps in Carrying Out Executive Order 14028
U.S. Cybersecurity and Infrastructure Security Agency	CISA Releases Second Version of Guidance for Secure Migration to the Cloud
U.S. Cybersecurity and Infrastructure Security Agency	CISA Releases Incident and Vulnerability Response Playbooks to Strengthen Cybersecurity for Federal Civilian Agencies
U.S. Cybersecurity and Infrastructure Security Agency	CISA Releases Incident and Vulnerability Response Playbooks to Strengthen Cybersecurity for Federal Civilian Agencies
U.S. Executive Office of the President	Executive Order 14028 – Defense and National Security: Cybersecurity, Improvement Efforts
U.S. Executive Office of the President	President Biden Signs National Security Memorandum to Improve the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
U.S. Executive Office of the President	Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
U.S. Office of Management and Budget	Zero Trust Strategy Document

SolarWinds Alerts

Federal Bureau of Investigation; U.S. Cybersecurity and Infrastructure Security Agency; U.S. Office of the Director of National Intelligence	Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)
Indiana Office of the Secretary of State, Securities Division	Compliance Alert: Alert Regarding SolarWinds Cybersecurity Incident
New York State Department of Financial Services	Supply Chain Compromise Alert
North American Securities Administrators Association	NASAA Reminds Firms to Contact Regulators with Issues Related to Malicious Versions of SolarWinds Software
U.S. Cybersecurity and Infrastructure Security Agency	CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection
U.S. Cybersecurity and Infrastructure Security Agency	CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products
U.S. Department of Justice	Department of Justice Statement on Solarwinds Update
U.S. Executive Office of the President	Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, February 17, 2021
U.S. Executive Office of the President	Background Press Call by Senior Administration Officials on Executive Order Charting a New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks
U.S. Executive Office of the President	Background Press Call by Senior Administration Officials on the Administration’s Response to the Microsoft and Solarwinds Intrusions
U.S. Executive Office of the President	Statement by Deputy National Security Advisor for Cyber and Emerging Technology on Solarwinds and Microsoft Exchange Incidents

Other Interesting Alerts

Agency	Title
Bank for International Settlements	Big Techs in Finance
California Department of Finance; California Office of the Governor	California Selected as a National Hydrogen Hub
California Department of Transportation	Arriving Soon in California: First Intercity Zero-Emission, Hydrogen Passenger Trains in North America
California Governor’s Office of Business and Economic Development	California Awarded Up to $1.2 Billion to Advance Hydrogen Roadmap and Meet Climate and Clean Energy Goals
Congressional Research Service	Israel and Hamas October 2023 Conflict: Frequently Asked Questions (FAQs)
Federal Trade Commission; Federal Trade Commission, Bureau of Competition	FTC Approves Final Order to Prevent Interlocking Directorate Arrangement, Anticompetitive Information Exchange in EQT, Quantum Energy Deal
Financial Conduct Authority	Final Notice 2023: Equifax Limited
Financial Conduct Authority	Financial Watchdog Fines Equifax Ltd £11 Million for Role in One of the Largest Cyber-Security Breaches in History
Greenhouse Gas Protocol	Statement: California’s Climate Corporate Data Accountability Act Requires Companies to Disclose Greenhouse Gas Emissions by 2026
Illinois Office of the Governor	Governor Pritzker Announces $1 Billion Federal Funding for the Midwest Hydrogen Hub
Michigan Office of the Governor	Governor Whitmer Announces Michigan Wins Funding for Clean Hydrogen Hub, Creating Thousands of Good-Paying Jobs and Building a Brighter, Cleaner Future
North Dakota Office of the Governor	Burgum Applauds DOE Selecting Heartland Hydrogen Hub Formed by Governors of ND, MN, MT and WI
Pennsylvania Office of the Governor	Governor Josh Shapiro: Pennsylvania the Only State to Secure Two Regional Clean Hydrogen Hub Projects
U.S. Executive Office of the President	Readout of President Biden’s Call With President Mahmoud Abbas of the Palestinian Authority
U.S. National Aeronautics and Space Administration	Final Rule: Federal Acquisition Regulation Supplement Mentor-Protege Program
U.S. Senate, Committee on Energy and Natural Resources	Manchin Announces West Virginia Selected as New Home of Appalachian Hydrogen Hub
World Bank Group	Statement by World Bank President Ajay Banga, IMF Managing Director Kristalina Georgieva, Moroccos Minister of Economy and Finance Nadia Fettah, and Bank Al-Maghrib Governor Abdellatif Jouahri on the Marrakech Principles for Global Cooperation
World Bank Group	Climate Finance Update
World Bank Group	Statement by World Bank Managing Director Anna Bjerde and Uruguay Minister of Economy and Finance Azucena Arbeleche