Executive Order 14028: Improving the Nation's Cybersecurity
Executive Order (EO) 14028 - "Improving the Nation's Cybersecurity" (issued May 12, 2021) requires agencies to enhance cybersecurity and software supply chain integrity.
Summary of EO 14028 requirements
- Requires service providers to share cyber incident and threat information that could impact Government networks
- Moves the Federal government to secure cloud services, zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period
- Establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available
- Establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make recommendations for improving cybersecurity
- Creates a standardized playbook and set of definitions for cyber incident response by Federal departments and agencies
- Improves the ability to detect malicious cyber activity on Federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government
- Creates cybersecurity event log requirements for Federal departments and agencies
- Requires amendments to the FAR to align with requirements in the EO
What contractors can expect
- Modification of contract language to reflect new guidance from NIST and CISA. If your company cannot accept the modification, you will not be able to sell to the Federal government
- GSA will keep you informed, communicating with you regarding all major developments
- Future updates to the Federal Acquisition Regulation (FAR)
What contractors can do
Read and understand the Executive Order and related memos
- OMB M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
- Executive Order 14028 - Improving the Nation's Cybersecurity
- M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles [PDF]
- National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
- M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements [PDF]
- M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response [PDF]
- M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents [PDF]
- M-21-30, Protecting Critical Software Through Enhanced Security Measures [PDF]
Look out for the FAR rules’ public comment periods and provide feedback.
Update your compliance program
Stay on top of proposed updates to the FAR and prepare for changes that could impact your entity’s compliance.
Communicate and train your purchasing/procurement and materials management professionals to ensure they are familiar with your compliance plan and potential changes.
Why these changes are important
- Adversaries are using increasingly sophisticated methods and cyber operations to attack the supply chain, gain access to critical infrastructure, and steal sensitive information.
- Foreign-owned or -controlled Information and Communications Technology (ICT) products may create vulnerabilities in U.S. supply chains.
- IT providers are often hesitant or unable to voluntarily share information about a cyber incident.
- The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.
- The planned FAR rules will ensure contractors keep national security interests in mind by requiring contractors to follow a set of standardized rules when doing business with the Federal government.
Acquisition policy library and resources
- EO 14028 - Improving the Nation's Cybersecurity
- Critical software definition
- NIST security measures for "EO-critical software" use under EO 14028
- NIST recommended minimum standards for vendor or developer verification (testing) of software under EO 14028
- Protecting critical software through enhanced security measures
- Moving the U.S. government towards zero trust cybersecurity principles
- Regulations.gov (information on the development of Federal regulations)