Executive Order (EO) 14028 - Improving the Nation's Cybersecurity - May 12, 2021

This is a companion publication to DHG's GovCon Report Vol. 27, No. 2, March – May 2021, which discusses Executive Order 14028 in fuller context, including actions started by agencies in response to the Executive Order, funding provided or proposed, Government Accountability Office (GAO) reports on cybersecurity and recent Department of Commerce (Commerce) actions on information and communications technology services.

Overview

EO 14028 is an unusually long EO with a detailed set of actions to address the cybersecurity of government agencies, their suppliers and the private sector overall. Common themes are:

  • Report and Share: Federal agencies and their service providers must report cybersecurity incidents. Standardized reporting is needed, and barriers to reporting should be removed.
  • Modernize and Standardize: Modernized security approaches need to be put in place across federal agencies. Standard cybersecurity contract language for suppliers is needed.
  • Detect and Respond: Better detection and a common “playbook” for responses are tasked under the EO.
  • Investigate and Learn: A Cyber Safety Review Board, like the National Transportation Safety Board, will be established to look at significant incidents.

The EO has 11 sections – the first nine set out policy and actions, and the final two (definitions and general provisions) contain supplementary material:

  1. Policy
  2. Removing Barriers to Sharing Threat Information
  3. Modernizing Federal Government Cybersecurity
  4. Enhancing Software Supply Chain Security
  5. Establishing a Cyber Safety Review Board
  6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  8. Improving the Federal Government’s Investigative and Remediation Capabilities
  9. National Security Systems
  10. Definitions
  11. General Provisions

1. Policy

… the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.

2. Removing Barriers to Sharing Threat Information

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Information/Operational Technology (IT/OT) Service Providers | (a) Service Providers have insights on cyber threats and incidents; barriers to them sharing information should be removed. | | | |
| | (b)/(c) Review FAR/DFARS IT/OT contract language & amend to: collect/preserve cyber event info and share info (also see 8(b)/(e)). | OMB | 60 | Jul 11 |
| | (d) Publish proposed changes. | FAR Council | 90 after (c) | Oct 9 |
| | (e) Ensure sharing w/government responders (e.g., CISA, FBI). | DHS/OMB | 120 | Sep 9 |
| Information and Communications Technology (ICT) Service Providers | (f) Service Providers promptly report cyber incidents to federal agencies; if the federal agency is civilian, also report to CISA. | | | |
| | (g)(i) Recommend to FAR Council contract language for reporting cyber incidents and what should be reported. | DHS | 45 | Jun 26 |
| | (g)(ii) Publish proposed changes. | FAR Council | 90 | Aug 10 |
| | (g)(iii) Ensure incident sharing. | DoD | 90 | Aug 11 |
| Contract Cybersecurity Requirements | (h) Agency-specific cybersecurity requirements should be standardized to improve compliance. | | | |
| | (i) Review agency-specific requirements and recommend standard language. | DHS | 60 | Jul 11 |
| | (j) Publish proposed changes. | FAR Council | 60 after (i) | Sep 9 |
| | (k) Update agency guidance. | Agencies | After final FAR | |
| Budget | (l) Incorporate cost analysis of Section 4 recommendations in annual budget. | OMB | | |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

3. Modernizing Federal Government Cybersecurity

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Policy | (a) Federal government must modernize its approach to cybersecurity while protecting privacy and civil liberties. | | | |
| Agencies and Cloud Technology | (b) Update plans to move to cloud technology and zero trust architecture IAW OMB/NIST guidance; report plans to OMB and the President's Advisor. | Agencies | 60 | Jul 11 |
| | (c)(i) Develop federal cloud-security strategy and provide guidance to agencies. | OMB | 90 | Aug 10 |
| | (c)(ii) Issue architecture to illustrate approaches to cloud migration. | CISA | 90 | Aug 10 |
| | (c)(iii) Develop/issue a cloud-service governance framework. | CISA | 60 | Jul 11 |
| | (c)(iv) Provide report on unclassified data to DHS and OMB. | CISA & Civilian Agencies | 90 | Aug 10 |
| | (d) Adopt multi-factor authentication and encryption for data at rest and in transit. Report progress every 60 days until the 180-day mark; if not then complete, say why not. Progress reports and "not complete" reports go to OMB and the President's Advisor. | Civilian Agencies | 180 | Nov 8 |
| | (e) Establish framework for incident response on cloud technology. | CISA | 90 | Aug 10 |
| FedRAMP | (f) Begin modernizing FedRAMP. | GSA | 60 | Jul 11 |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

4. Enhancing Software Supply Chain Security

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Policy | (a) Security of software is vital to the government's ability to perform. The government must take action to rapidly improve the security and integrity of the software supply chain, with priority on critical software. | | | |
| Standards, Practices, Guidance | (b) Solicit input from gov't., private sector, academia, others for standards, tools, and best practices. | NIST | 30 | Jun 11 |
| | (c) Publish preliminary guidelines. | NIST | 180 | Nov 8 |
| | (d) Publish additional guidelines. | NIST | 360 | May 8, 2022 |
| | (e) Issue guidance on practices for supply chain security. | | 90 after (c) | Feb 6, 2022 |
| | (f) Publish min. elements for software bill of materials (SBOM). | Commerce | 60 | Jul 11 |
| Critical Software | (g) Publish definition of "critical software" [performs functions critical to trust (e.g., direct access to networking resources)] for use w/supply chain security practices. | NIST | 45 | Jun 26 |
| | (h) Tell agencies what software is critical. | CISA | 30 after (g) | Jul 26 |
| | (i) Publish guidance on security for critical software. | NIST | 60 | Jul 11 |
| | (j) Ensure agencies comply w/security measures. | OMB | 30 after (i) | Aug 10 |
| Agency Compliance w/ Above | (k) Require agencies to comply w/guidelines for software bought after EO date. [extensions and waivers in (l)/(m)] | OMB | 30 after (e) | Aug 11 |
| Supplier Compliance | (n) Recommend contract language requiring gov't. software suppliers to attest to compliance with security of supply chain and critical software (i.e., (g) through (k)). | DHS | 365 | May 12 |
| | (o) Amend the FAR. | FAR Council | Not stated | |
| | (p) Remove noncompliant software from all contracts. | Agencies | After final FAR | |
| | (q) Require agency legacy software be compliant or remediated. | OMB | Not specified | |
| | (r) Publish min. standards for software code testing. | Commerce | 60 | Jul 11 |
| Internet-of-Things (IoT) | (s)/(v) Initiate pilot programs on IoT devices and software to educate the public on security and incentivize manufacturers. Conduct pilots per OMB and NIST guidance. | Commerce | Not specified | |
| | (t) Identify IoT cybersecurity criteria for a consumer labeling program. | Commerce | 270 | Feb 6, 2022 |
| | (u) Identify secure software development practices/criteria for a consumer software labeling program. | Commerce | 270 | Feb 6, 2022 |
| | (w) Review pilots and report to the President's Advisor. | NIST | One Year | May 13, 2022 |
| Wrap-Up | (x) Report to POTUS on Section 4, including additional steps needed. | Commerce | One Year | May 13, 2023 |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

5. Establishing a Cyber Safety Review Board

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Board Functioning | (a) Establish Board. | DHS | | |
| | (b)/(c) & (e)-(h) Board members, functions. | | | |
| | (k) Renew Board. | DHS | Every 2 yrs. | |
| SolarWinds Review | (d) Review SolarWinds; provide recommendations to DHS. | Board | 90 after Board established | |
| | (i) Provide report/recommendations to President. | DHS | 30 after review complete | |
| | (j) Implement recommendations. | DHS | Not stated | |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

6. Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| | (a) Current incident response procedures vary. Standardized processes ensure a more coordinated response. | | | |
| | (b) Develop playbook. | DHS | 120 | Sep 9 |
| | (c) Issue guidance on using the playbook. | OMB | Not stated | |
| | (d)-(g) Agency internal. | | | |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Policy | (a) Federal government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks. | | | |
| Endpoint Detection and Response (EDR) | (b) Civilian agencies shall use EDR. | | | |
| | (c) Recommend (to OMB) an EDR initiative to detect incidents; do active hunting, containment and remediation; and incident response. | CISA | 30 | Jun 11 |
| | (d)/(e) Adopt civilian agency-wide EDR approach. | OMB | 90 after (c) | Sep 9 |
| | (f) Establish/update MOAs w/CISA for diagnostics, mitigation. | Agencies | 75 | Jul 26 |
| National Security Systems | (g) Recommend actions for improving detection of cyber incidents affecting National Security Systems. | NSA | 45 | Jun 26 |
| | (h) Implement (g) recommendations as appropriate. | DoD, DNI, CNSS | 90 | Aug 10 |
| Other | (i) Report on threat-hunting in civilian agencies. | CISA | 90 | Aug 11 |
| | (j) Establish procedures for sharing DoD Incident Response Orders and DHS Emergency Directives and Binding Operational Directives. | DoD/DHS | 60 | Jul 11 |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

8. Improving the Federal Government's Investigative and Remediation Capabilities

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| Policy | (a) Agencies and IT Service Providers must collect and maintain information from network and system logs, as it is invaluable for investigation and remediation purposes. | | | |
| Logging | (b)/(e) Provide to OMB recommendations on requirements for logging events and retaining relevant data. Requirements shall include providing logs to CISA and the FBI, and other agencies as required. (Should be included in FAR changes in 2(b)/(c).) | DHS | 14 | |
| | (c) Formulate policies for agencies regarding logging, log retention, and log management. | OMB | 90 after (b) | |
| | (d) Work with agencies to ensure they have adequate resources for (c). | OMB | | |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

9. National Security Systems

| Title | Action | Assigned Agency | Days* | Date |
|---|---|---|---|---|
| | (a) Adopt standards that equal/exceed those in EO. | DoD | 60 | Jul 11 |
| | (b) EO does not alter authority of National Manager for National Security Systems. Civilian agency networks remain under authority of DHS/CISA. | | | |
*Days are "Days after Date of Executive Order (May 12, 2021)" unless otherwise noted.
Dates are "2021" unless otherwise stated.

© Dixon Hughes Goodman LLP. All rights reserved.