On May 12, 2021, President Biden issued the “Executive Order on Improving the Nation’s Cybersecurity (14028).” It’s a game-changing piece of legislation. And, like a lot of federal policy, it’s dense and hard to read, often raising as many questions as it answers. This order is frequently referred to as the Executive Order on Cybersecurity.
To help break things down, this article answers the following questions:
- What is Executive Order 14028?
- What are the requirements laid out in Executive Order 14028?
- What happens next?
What is Executive Order 14028?
Executive Order (EO) 14028 puts all Federal Agencies on notice to tighten up cybersecurity across the board. It lays out specific requirements and a timeline for action. It states, “The Federal Government must improve its efforts to identify, deter, protect against, detect and respond to these actions and actors.”
No more winging it! The Executive Order calls for “bold changes and significant investments” and warns that incremental improvements will fail to provide “the security we need.”
“Prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
What are the requirements laid out in Executive Order 14028?
The EO broadly outlines a wide range of standards and requirements for cybersecurity, grouped into sections.
Section 2: Removing Barriers to Sharing Threat Information
Current confidentiality policies (and other red tape) get in the way of inter-agency information sharing. The intentions are good, but the lack of threat reporting across agencies makes it harder to identify and prevent risks. The EO calls for policy reform that removes these barriers and increases sharing among agencies.
Section 3: Modernizing Federal Government Cybersecurity
The EO directs the Federal Government to move quickly to adopt best practices, like Zero Trust Architecture, and to secure cloud services including SaaS and PaaS. They must do a better job centralizing and analyzing threat risks, and invest in the technology and people to meet these modernization goals.
Section 4: Enhancing Software Supply Chain Security
The government contracts with thousands of private companies to provide tech infrastructure to power critical functions. These systems and software keep our government running, but security levels vary, and the process lacks transparency. The EO directs agencies to require software vendors to “show their work” and ensure all software components and packages are secured against cyber threats. It directs the Secretary of Commerce and the Director of NIST to develop standard requirements for development environments, Software Bill of Materials (SBOMs), and code provenance.
Section 5: Establishing a Cyber Safety Review Board
The Secretary of Homeland Security has created a new board called the Cyber Safety Review Board (CSRB) to review major cyber events and make concrete recommendations to strengthen cybersecurity at the national level. The board has 15 members, from the public sector (including the Department of Defense, Department of Justice, CISA, NSA, FBI) and the private sector (including Google, Microsoft, and Crowdstrike). The board provides a direct path to the Secretary of Homeland Security and the President, which gives them tremendous power and authority to get things done.
Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.
This one is pretty self explanatory. There is currently a lot of variation in the way government agencies identify, remediate, and recover from vulnerabilities and attacks. The EO requires that standard operating procedures for response be developed and adopted by all government agencies.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.
This section directs all agencies to take an aggressive approach to identifying potential vulnerabilities. It requires all Federal Civilian Executive Branches (FCEBs) to deploy an Endpoint Detection and Response (EDR) initiative to actively hunt, contain, and remediate potential threats.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities.
Network information and systems logs provide invaluable information for investigating and remediating threats, if you can access them. The EO requires all agencies and IT service providers collect and maintain this data, and provide it when requested by the Secretary of Homeland Security.
Section 9: National Security Systems
National Security Systems (NSS) include any information system used or operated by an agency (or a contractor) involving intelligence activities, military forces, weapons, security administration, or classified information. The EO directs the Secretary of Defense to adopt cybersecurity standards that are equal or exceed what is expected of other Federal Agencies, as outlined above. Put simply, if you work in national security, you need to do even better than what has been spelled out in the Executive Order.
What happens next?
For each of the issues outlined in the sections above, the Executive Order lays out milestones and a timeline for implementation. Over the next two years, we can expect to see more specific requirements issued in each of the categories above.
In summary, the Executive Order is a broad and aggressive mandate from the Oval Office to the public and private sectors to ratchet up cybersecurity. As the specific guidelines roll out, there will be many opportunities and implications for every developer who works with the Federal Government.
About SOOS
SOOS is the easy-to-integrate software security solution for your whole team. Catch and fix open source vulnerabilities on every build. Manage licenses and generate SBOMs. Scan your web apps and APIs. Get started today with SOOS SCA & DAST for one low monthly price. Try us out with a 30-day free trial.
