Policy Briefing — U.S. EO 14028 on Improving the Nation’s Cybersecurity signed

Executive briefing: President Biden signed Executive Order (EO) 14028 on 12 May 2021, setting a compulsory modernization track for U.S. federal agencies and contractors: accelerated zero trust adoption, secure cloud migration, improved logging, supply-chain assurance via Software Bills of Materials (SBOMs), and standard incident playbooks.

While many milestones were due in 2021–2022, the obligations continue to anchor federal procurement expectations, FedRAMP authorizations, and agency FISMA audits. Security, legal, procurement, engineering, and vendor-management teams should treat EO 14028 as the baseline for all new federal-facing products and managed services and map it to current OMB, CISA, and NIST updates.

For navigation support, use the pillar hub, the federal incident-response guide, and adjacent briefs on OMB M-24-10 safety controls and critical-infrastructure detection benchmarks.

What the EO mandates

• Zero trust architecture (ZTA): Agencies must define ZTA roadmaps (aligned to NIST SP 800-207) and prioritize identity-centric access, microsegmentation, and continuous authentication for high-value assets.
• Cloud-first with secure tenancy: Move services to secure cloud with mandatory multi-factor authentication (MFA), DNSSEC, encrypted DNS, and secure DNS resolvers; FedRAMP High/Moderate baselines remain the floor for hosting federal data.
• Logging and event retention: Unified logging across network, endpoint, cloud, and identity systems with retention sufficient for incident reconstruction; agencies must share relevant logs with CISA and contractors must retain for contractual periods.
• Government-wide playbooks: CISA-issued incident response playbooks standardize preparation, detection, analysis, containment, eradication, recovery, and post-incident activities; contractors must align response SLAs and evidence collection.
• Supply-chain security and SBOMs: Software producers providing to the federal government must furnish SBOMs, attest to secure development practices (e.g., memory-safe languages where feasible, signed artifacts, provenance), and document vulnerability disclosure programs.
• Endpoint detection and response (EDR): Agencies need CISA-coordinated EDR deployment to gain real-time visibility; vendors supplying managed endpoints must prove compatibility with EDR telemetry and containment actions.
• Vulnerability management cadence: Rapid patch timelines with priority for known exploited vulnerabilities; EO 14028 underpins CISA’s Binding Operational Directives (e.g., KEV catalog) and scanning expectations.

Governance and accountability

Senior officials (Agency heads, CIOs, CISOs, Chief Data Officers, and procurement leads) are accountable for resourcing and verifying compliance. Prime contractors and SaaS vendors must embed EO 14028 control objectives into Statements of Work (SOWs), Authority to Operate (ATO) packages, and Continuous Monitoring Plans.

90-day sprint to align legacy systems

SBOM and supply-chain assurance

• Format and distribution: Support SPDX or CycloneDX; provide machine-readable SBOMs under vendor portal access controls with integrity checks.
• Provenance: Align with SLSA levels where feasible; sign artifacts; maintain dependency source attestations and release notes that map to vulnerabilities addressed.
• Vulnerability disclosure: Maintain a coordinated vulnerability disclosure (CVD) program with clear intake, timelines, and acknowledgment process; document exceptions and mitigations.
• Third-party components: Track licensing, export-control flags, and end-of-support dates; avoid components prohibited for federal environments.

Logging, detection, and incident response

Agencies and contractors must achieve forensic-quality logging that supports rapid containment and reporting to CISA and impacted customers.

• Coverage: Collect logs from identity (IdP, MFA), network (firewalls, DNS, VPN), endpoints (EDR), cloud (API/audit), and applications. Normalize to a central SIEM or SOAR for correlation.
• Retention: Maintain retention aligned with contractual clauses and OMB/CISA guidance; ensure immutable storage for high-risk systems.
• Detection engineering: Prioritize detections for credential abuse, lateral movement, data exfiltration, and supply-chain anomalies (e.g., unsigned packages, unexpected build runners).
• Response playbooks: Map actions to the CISA playbooks, including severity rating, communication channels, evidence handling, and timelines for initial notification.
• Exercises: Run at least quarterly tabletops that validate cloud isolation steps, credential revocation speed, and SBOM-driven impact analysis.

Metrics to demonstrate maturity

Supplier checklist for federal-facing products

• Include SBOM download location, signing method, and verification steps in security documentation.
• Document secure development lifecycle: code review, secret scanning, dependency pinning, reproducible builds, and release approval gates.
• Provide incident response RACI, 24/7 contact path, and escalation timelines aligned to CISA severity tiers.
• Maintain an ATO-ready package: system security plan (SSP), control inheritance from cloud platforms, continuous monitoring plan, and POA&Ms.
• Ensure support for federal identity standards (PIV/CAC, SAML/OIDC), audit logging export, and FIPS-validated cryptography where required.
• Coordinate with customers on penetration testing windows, data residency expectations, and lawful-access constraints.

Sustainment plan

EO 14028 is now the baseline for federal cyber programs. Sustainment requires:

• Quarterly reviews of zero trust progress, SBOM completeness, and KEV remediation against agency scorecards.
• Annual contract refresh to embed updated CISA directives, NIST controls, and FedRAMP revisions.
• Continuous visibility into supplier subcomponents via attestation renewals and inbound SBOM validation.
• Training for engineering, procurement, and SOC teams on evolving federal expectations and CISA playbook updates.

Keeping these motions tight aligns federal partners, reduces surprise findings during ATO renewals, and speeds adoption of new federal guidance built on EO 14028.