If you’re wondering about Executive Order 14028 and what it might mean for you, you’re not alone. Ever since it went into effect on May 12, many people have been asking the same questions. So, how do you know whether you’re affected or not? Read the overview of the order and answers to these and other questions you may have.
What is Executive Order 14028?
Executive Order 14028: Improving the Nation’s Cybersecurity was developed in response to the SolarWinds attack, which exposed sensitive data from top government agencies and major companies like Microsoft. The order mainly focuses on improving security for federal civilian agencies, such as the Department of the Treasury, Department of Education, and Veterans Affairs. It also seeks to use federal acquisition rules to improve national cybersecurity more broadly. It’s important to note that an executive order is grounded in statute and carries the same weight as a law.
Will it impact you?
The answer to this question is, “It depends.” The people who the order will impact the most are those who work in IT or IT security for a federal agency. That much is obvious. Beyond that, there are a few criteria that will determine whether the order will impact your business. If you are an IT provider or IT security provider for the federal government or sell software to the federal government, the executive order will also directly impact you.
The requirements of the Executive Order
There are four main requirements in the order. The first is to ensure all federal contracts require IT and IT security providers to share threat intel and report incidents. Section 2 of the order directs updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) that require contractors to preserve cyber event data, report cyber events to the Cybersecurity and Infrastructure Security Agency (CISA), and cooperate in investigations.
The second requirement is to bring federal civilian agencies up to Fortune 1000 standards. The following sections detail how to achieve these standards:
- Section 3 pushes cloud adoption, zero trust, and multi-factor authentication.
- Section 6 charges CISA with developing an incident response playbook.
- Section 7 mandates endpoint detection and response (EDR).
- Section 8 sets logging requirements.
- Section 9 addresses national security systems.
The third main requirement is to improve the security of the software the federal government uses. To that end, section 4 directs the National Institute of Standards and Technology (NIST) to develop standards and the Office of Management and Budget (OMB) to enforce them. There is a heavy emphasis on securing the development environment and on vulnerability checking. The order also calls for a “Software Bill of Materials” and information labels for IoT devices.
The final main goal of the order is to investigate why incidents happen and to disseminate those findings. Investigations will fall to the Cyber Safety Review Board. Similar to the National Transportation Safety Board, this new board will be charged with investigating SolarWinds and recommending an ongoing process.
This massive executive order is likely to fundamentally shift how the federal government approaches cybersecurity and will undoubtedly affect everyone who sells IT or IT security to the federal government. Additionally, there will be downstream effects on other providers because the federal government is the largest purchaser of IT and IT security in the world.
When will these new requirements take effect?
Several milestones must be achieved before Executive Order 14028 can be fully enacted, many of which depend on the timing of input deadlines and the SolarWinds investigation, which in turn depends on when the Cyber Safety Review Board can be created. The requirements should be in place by the end of 2022.
What can you do to prepare?
That said, these are very aggressive timelines, so the time is now to start getting ready. You can expect to see federal agencies move very quickly to get on top of what they have been assigned in the order. They will likely reach out to the cybersecurity and IT communities for input on how to implement their assigned tasks. That means there are many opportunities for shaping the outcome of the executive order over the next couple of months. If the order will impact you, it’s a good idea to engage with the process.
For a more thorough analysis of Executive Order 14028, what it means for you, and how you can prepare for when it takes effect, watch the webinar with Rob Knake, “Unpacking Executive Order 14028: Improving the Nation’s Cybersecurity.”