Executive Order 14028 on Improving the Nation's Cybersecurity
On 12 May 2021 President Biden signed Executive Order 14028, mandating federal cybersecurity modernization including zero trust architecture, software supply chain security, and improved incident reporting.
Fact-checked and reviewed — Kodi C.
On 12 May 2021, President Biden signed Executive Order 14028, establishing sweeping cybersecurity requirements for federal agencies and their contractors. The order, issued in the wake of the SolarWinds and Colonial Pipeline incidents, mandates zero trust architecture adoption, software supply chain security measures, standardized incident response playbooks, and improved logging requirements. While it applies directly only to federal systems, the order sets expectations that influence private sector security practices.
Key requirements and timelines
The order establishes multiple workstreams with aggressive timelines. Federal agencies must develop zero trust architecture implementation plans within 60 days and adopt multi-factor authentication and encryption for data at rest and in transit within 180 days. CISA is tasked with developing a cloud security technical reference architecture to guide agency migrations.
Software supply chain requirements direct NIST to publish guidelines for secure software development practices, including criteria for software bills of materials (SBOMs). Agencies must require vendors to provide SBOMs and attest to secure development practices. The order also establishes a Cyber Safety Review Board to analyze significant cyber incidents affecting federal systems.
Logging and detection improvements
The order mandates significant improvements to federal logging capabilities, recognizing that inadequate log retention hampered investigation of the SolarWinds compromise. Agencies must maintain logs for specified retention periods, implement centralized log analysis, and share threat information with CISA. OMB Memorandum M-21-31 subsequently established specific logging requirements, including event types, retention periods, and access controls.
Endpoint detection and response (EDR) capabilities must be deployed across federal civilian networks, with centralized visibility enabling government-wide threat hunting. These requirements establish a baseline that federal contractors and suppliers are now expected to meet.
Implications for federal contractors
Organizations selling software to the federal government face new requirements around secure development practices and transparency. Software vendors must attest to following secure development practices aligned with NIST guidance and provide SBOMs upon request. Critical software—defined to include software with elevated privileges or network functions—faces additional scrutiny.
Contractors should evaluate their software development practices against NIST's Secure Software Development Framework (SSDF) and prepare to generate and maintain SBOMs for products sold to government customers. These requirements are flowing into contract language and are becoming baseline expectations for federal procurement.
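One way for a contractor to start on the SBOM requirement, as an added example that is not from the order, NIST, or any agency guidance: build a minimal CycloneDX-style SBOM for a product and run the completeness checks a procurement reviewer would want (name, version and a well-formed package URL for every component, no duplicates). The product and dependency names below are constructed.

```python
# Added example (not from the page): builds a minimal CycloneDX 1.4-style SBOM
# and checks it for the fields a federal customer would expect to see.
import json
import re
from typing import Dict, List

# Package URL shape: pkg:<type>/<name>@<version> (simplified, no qualifiers).
PURL_RE = re.compile(r"^pkg:[a-z]+/[^@\s]+@[^\s]+$")

def build_sbom(product: Dict[str, str], deps: List[Dict[str, str]]) -> dict:
    """Return a CycloneDX 1.4 JSON-compatible SBOM for `product` and its deps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", **product}},
        "components": [{"type": "library", **d} for d in deps],
    }

def validate_sbom(sbom: dict) -> List[str]:
    """Return a list of problems; an empty list means the SBOM passes."""
    issues = []
    if sbom.get("bomFormat") != "CycloneDX":
        issues.append("bomFormat must be CycloneDX")
    if "component" not in sbom.get("metadata", {}):
        issues.append("metadata.component (the product itself) is missing")
    seen = set()
    for i, c in enumerate(sbom.get("components", [])):
        for field in ("name", "version", "purl"):
            if not c.get(field):
                issues.append(f"components[{i}] missing {field}")
        purl = c.get("purl", "")
        if purl and not PURL_RE.match(purl):
            issues.append(f"components[{i}] purl not pkg:type/name@version: {purl}")
        if purl and purl in seen:
            issues.append(f"components[{i}] duplicate purl {purl}")
        seen.add(purl)
    return issues

# Constructed sample input: a hypothetical product with three dependencies,
# one of which lacks a purl and should therefore be flagged.
PRODUCT = {"name": "example-agent", "version": "2.0.1"}
DEPS = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    {"name": "vendored-lib", "version": "1.0"},  # missing purl
]

if __name__ == "__main__":
    sbom = build_sbom(PRODUCT, DEPS)
    print(json.dumps(sbom, indent=2))
    for problem in validate_sbom(sbom):
        print("ISSUE:", problem)
```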
Policy Development and Analysis
Policy analysis should assess the implications of this development for organizational operations, compliance obligations, and strategic positioning. Impact assessments should consider both direct requirements and indirect effects through industry practices, customer expectations, and competitive dynamics.
Policy development processes should engage relevant teams to ensure full consideration of diverse perspectives and practical implementation constraints. Feedback mechanisms should capture lessons learned and drive policy refinements based on operational experience.
Policy Implementation Monitoring
Policy teams should track implementation progress and monitor for developments that may affect requirements or their interpretation. Stakeholder engagement should ensure relevant parties understand policy implications and their responsibilities for compliance. Documentation should support audit and examination processes by demonstrating timely awareness of, and appropriate response to, policy developments.
Regular reviews should assess ongoing compliance status and identify any gaps requiring additional attention or resource allocation.