EO 14028: what you need to know about the new cybersecurity standards for software suppliers

Feb 9, 2023 2:17:35 PM
alt="futuristic cybersecurity landscape, government building in the cyber engineered sacred geometry grid, two people making a decision"
Are you aware of Executive Order 14028, or "The Executive Order on Improving the Nation's Cybersecurity"? This mandate creates mandatory security protocols for all software consumed by US governmental entities. The White House Office of Management and Budget (OMB) just revealed strict timeframes for these standards to be implemented. If you're struggling to comprehend the impact this could have on your software business, we've got you covered! This post will simplify it all for you in a way that's easy to understand and provide steps for getting ready.

Some background

In May 2021, President Biden took a notable step against the increasing cyber threats by signing Executive Order 14028. This order necessitated The National Institute of Standards and Technology (NIST) to issue advisories concerning betterment in software supply chain security. Following suit, in July 2021, the United States Department of Commerce delivered its findings for Minimum Elements for a Software Bill of Materials (SBOM), emphasizing new measures to bolster security when it comes to software utilized by Federal Government entities. On February 2022, NIST launched the Secure Software Development Framework (SSDF) and accompanying Software Supply Chain Security Guidance—collectively named “NIST Guidance”.
This past September 2022, the Office of Management and Budget (OMB) mandated that all Federal agencies abide by NIST guidelines when employing third-party software. As June 2023 draws near, it is essential to become compliant with this guidance as "critical software" will be an absolute requirement for federal departments; until September 2023, every single agency must have fulfilled this mandate.

What this implies for you?

If your software is used or sold by the US Federal government, you need to stay alert! To avoid your software products from being removed by legal authorities due to violation of the Executive Order 14028, it is mandatory for you to demonstrate SSDF conformance through a self-attestation process and provide an SBOM as well as other evidence of SSDF compliance upon request. Plus, customers may also require participating in a Vulnerability Disclosure Program - so even if such requirements don't apply at present, they might soon become industry standards due to the new rules from the Federal Government.

What's in Scope

The Office of Management and Budget has announced a memo requiring software used by government agencies to meet their standards, including those already purchased as well as free or liberally licensed products. Agencies have been instructed to develop an inventory of all the software they use by December 2022 and determine which items are "critical" for compliance purposes before June 2023.

How to prepare?

To guarantee success with your preparation process, here are the key steps:
  1. 1.
    Peruse the Executive Order 14028 and become familiar with it.
  2. 2.
    Read the SSDF and its Practices to understand how to proceed to become compliant. When using templates/procedures that third-parties prepared, send an inquiry to NIST to get a confirmation, if the format is adequate up front.
  3. 3.
    Prepare a SBOM that lists all relevant data, components and supply chain dependencies involved in your software development process. It is a mandatory and dynamic tool to provide transparency and attest your organization's trustworthiness.
To wrap it up, EO 14028 and the OMB memorandum have established new cybersecurity standards for software providers. This is applicable if your organization's software is utilized by government agencies in the US - requiring you to provide self-attestation of SSDF conformance, an SBOM as well as other documents proving compliance with SSDF upon request. To get started on this process efficiently, take a look at the Executive Order 14028 then become acquainted with the SSDF and derive mandatory actions your organization has to take. Finally prepare an SBOM that covers all components and relationships involved in your Software Supply Chain and make sure that it's constantly updated.
Adhering to the stringent new Federal Government standards has never been more imperative: prioritize software security today. By following this straightforward guide, you can guarantee that your software provides the utmost protection for customer privacy and security with full compliance under these laws.

How can we help ensure the safety of your supply chain

At Cyberfame, our mission is to empower businesses with the tools they need to secure their supply chain. We understand the importance of protecting the integrity and reliability of your supply chain, and that's why we've developed a cutting-edge tool that makes security insight easier than ever before. A powerful scanning and mapping tool that gives you a complete overview of your supply chain in just minutes. It provides you the foundation for getting aligned with SSDF as well as creating your SBOM. Whether you're looking to identify potential risks, mitigate threats, or simply stay ahead of the curve, Cyberfame has got you covered.
Check out our beta app today at and take the first step towards a more secure supply chain.