Timeline of Executive Order 14028
MAY 12, 2021
Sec. 2
Removing Barriers to Sharing Threat Information
Sec. 3
Modernizing Federal Government Cybersecurity
Sec. 4
Enhancing Software Supply Chain Security
Sec. 5
Establishing a Cyber Safety Review Board
Sec. 6
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Sec. 7
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
JUNE 11, 2021
30 days
Director of NIST
4(b) Solicit stakeholder input to identify existing, or develop new, standards, tools, and best practices for complying with the order.
If you want to give input, now's the time.
Secretary of Homeland Security
5(a) Establish the Cyber Safety Review Board to review and assess significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses. Membership shall include Federal officials and representatives from private sector entities.
This deadline is a guess! No date is specified in the Order, yet there are dependent deliverables (5(d) and 5(i)). These dates may shift once more information is available.
Director of CISA
7(c) Recommend to the Director of OMB options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response regarding FCEB Information Systems.
JUNE 26, 2021
45 days
Secretary of Homeland Security
2(g)(i) Recommend to the FAR Council the contract language defining cyber incidents requiring reporting, the information that must be reported, National Security Systems reporting requirements, time periods, and the types of service providers covered.
Director of NIST
4(g) Publish a definition of the term "critical software".
Director of NSA
7(g) Recommend to the Secretary of Defense, the Director of National Intelligence, and the CNSS actions for improving detection of cyber incidents, EDR approaches, and whether such measures should be operated by agencies or through a centralized service.
JULY 11, 2021
60 days
Director of OMB
2(b), 2(c) Recommend updates to contract language to ensure that IT and OT service providers collect, preserve, and share with agencies information and reporting relevant to cybersecurity event prevention, detection, response, and investigation.
Director of CISA
2(i) Review current agency-specific cybersecurity requirements and recommend to the FAR Council standardized contract language.
What the heck is an OT service provider, and is my company considered one?
Head of Each Agency
3(b) Update existing agency plans to prioritize resources for the adoption of cloud technology, develop a plan to implement Zero Trust Architecture, including the migration steps outlined by NIST, and report to the Director of OMB and the APNSA on the plans.
Director of CISA
3(c)(iii) Issue for FCEB Agencies a cloud-service governance framework that identifies the services and protections available to agencies based on incident severity and identifies the associated data and processing activities.
Administrator of General Services
3(f) Modernize FedRAMP by:
- Establishing a training program to ensure agencies are trained and equipped to manage FedRAMP requests
- Improving communication with CSPs through automation and standardization of messages
- Incorporating automation throughout the lifecycle of FedRAMP
- Digitizing and streamlining documentation that vendors are required to complete
- Mapping relevant compliance frameworks onto requirements in the FedRAMP authorization process
Director of NIST
4(i) Publish guidance outlining security measures for "critical software"
4(r) Publish guidelines for minimum standards for vendors’ testing of their software source code
Secretary of Commerce
4(f) Publish the minimum elements for an SBOM.
Cyber Safety Review Board
5(d) Perform initial review of the SolarWinds incident.
This deadline is not specified in the Order, but two dependent deliverables are associated with the completion of this review.
Secretary of Defense and the Secretary of Homeland Security
7(j)(i) Establish procedures for the DoD and the DHS to immediately share with each other DoD Incident Response Orders or DHS Emergency Directives and Binding Operational Directives applying to their respective information networks.
JULY 26, 2021
75 days
Director of CISA
4(h) Identify and publish a list of software categories meeting the definition of "critical software".
Is my product "critical software"?
Agencies
7(f) Establish or update an MOA with CISA for the Continuous Diagnostics and Mitigation Program to ensure that object-level data, as defined in the MOA, are available and accessible to CISA.
AUGUST 10, 2021
90 days
Director of the NSA, Attorney General, Secretary of Homeland Security, and Director of National Intelligence
2(g)(iii) Jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.
FAR Council
2(d) Review the contract language proposed by the Director of OMB and publish proposed updates to the FAR for public comment.
Director of OMB
3(c)(i) Develop a cloud-security strategy and provide guidance to agencies to ensure that risks from cloud-based services are understood and addressed, and that FCEB Agencies move closer to Zero Trust Architecture.
Director of CISA
3(c)(ii) Issue, for the FCEB, cloud-security technical reference architecture documentation recommending approaches to cloud migration and data protection for agency data collection and reporting.
3(e) Establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology to ensure information sharing among agencies and CSPs.
Heads of FCEB Agencies
3(c)(iv) Evaluate the types and sensitivity of their unclassified data, and provide a report to the Director of CISA and the Director of OMB prioritizing identification of data considered to be the most sensitive and threatened, plus appropriate processing and storage solutions for it.
Will cellular-based SCADA services be lumped in as Cloud Services?
Administrator of the Office of Electronic Government
4(j) Require that agencies comply with NIST guidance on security measures for "critical software".
NIST security measures for critical software now take effect!
Secretary of Homeland Security
5(i) Provide to the President through the APNSA the recommendations of the Board based on the initial review, including:
- gaps in, and options for, the Board's composition
- proposed mission, scope, and responsibilities
- membership eligibility criteria for private sector representatives
- governance structure
- criteria for types of cyber incidents to be evaluated
- sources of information to be made available
- approach for protecting the information
- administrative and budgetary considerations
This deadline is ambiguous but appears to follow completion of the initial review.
Secretary of Defense, Director of National Intelligence, the CNSS
7(h) Review recommendations from the Director of the NSA and establish policies that effectuate those recommendations.
Director of CISA
7(i) Report to the Director of OMB and the APNSA how authorities granted to conduct threat-hunting activities on FCEB networks without prior authorization from agencies are being implemented; recommend procedures to ensure that mission-critical systems are not disrupted, procedures to notify system owners of vulnerable government systems, and the range of techniques that can be used.
SEPTEMBER 9, 2021
120 days
Secretary of Homeland Security and Director of OMB
2(e) Ensure that service providers share data with agencies, CISA, and the FBI as necessary to respond to cyber threats, incidents, and risks.
FAR Council
2(j) Review recommended contract language from the Director of CISA and publish proposed updates to the FAR for public comment.
Cyber Safety Review Board
5(d) Following an initial review of the SolarWinds incident, provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices.
This deadline depends on the establishment of the review board.
Director of CISA
6(b) Develop a playbook for FCEB agencies to use in planning and conducting cybersecurity vulnerability and incident response activities with respect to FCEB Information Systems. The playbook shall incorporate applicable NIST standards, articulate progress through all phases of an incident response, and define key terms to provide a common lexicon.
Director of OMB
7(d) Require FCEB agencies to adopt government-wide EDR approaches, ensuring agencies have adequate resources to comply. Support the Director of CISA to engage in cyber hunt, detection, and response activities, ensuring access to agency data relevant to a threat and vulnerability analysis, as well as assessment and threat-hunting purposes.
SEPTEMBER 24, 2021
135 days
FAR Council
2(g)(ii) Review the recommendations on incident types and required information from the Secretary of Homeland Security and publish proposed updates to the FAR for public comment.
NOVEMBER 8, 2021
180 days
All Agencies
3(d) Adopt multi-factor authentication and encryption for data at rest and in transit. Heads of FCEB Agencies shall report to the Director of CISA, the Director of OMB, and the APNSA on their progress; CISA shall take all appropriate steps to maximize adoption. Agencies unable to fully adopt shall provide a written rationale to the Director of CISA, the Director of OMB, and the APNSA.
Does my product have any cloud features? If so:
- Can it provide multi-factor authentication?
- What about encryption for data at rest and in transit?
Director of NIST
4(c) Publish preliminary guidelines, based on the stakeholder consultations and on existing documents, for enhancing software supply chain security.
FEBRUARY 6, 2022
270 days
Director of NIST
4(e) Publish guidance on practices that enhance software supply chain security, including:
- secure software development environments
- tools to maintain trusted source code
- tools to check for and remediate vulnerabilities
- publicly available summary information demonstrating conformance
- accurate, up-to-date provenance of software and components
- SBOMs
- vulnerability disclosure program
- attesting to secure software development practices and the integrity and provenance of open source software
4(t) Identify IoT cybersecurity criteria for a consumer labeling program
4(u) Identify secure software development practices for a consumer software labeling program.
Software supply chain security practices finalized. Are we compliant with that long list?
MARCH 8, 2022
300 days
Administrator of the Office of Electronic Government
4(k) Require that agencies comply with the NIST guidelines with respect to software procured after the date of this order.
Can I sell my new product to federal agencies (or companies that sell to federal agencies)?
MAY 7, 2022
360 days
Director of NIST
4(d) Publish additional guidelines for enhancing software supply chain security as well as procedures for periodic updating.
MAY 12, 2022
1 year
Secretary of Homeland Security
4(n) Recommend contract language to the FAR Council requiring software suppliers to comply with, and attest to complying with the order.
4(p) Following any final amendments to the FAR, agencies shall update their procurement policies to remove software products that do not meet the requirements.
Can I comply with the contract language... and prove it?
Administrator of the Office of Electronic Government
4(q) Require agencies employing legacy software either to comply with the order or to provide a plan outlining actions to remediate or meet the requirements of the order, unless an extension or waiver is granted.
Can federal agencies still use my legacy products?
Director of NIST
4(w) Review the pilot programs for the IoT device and consumer software labeling programs (security capabilities of IoT devices and secure software development practices).
Secretary of Commerce
4(x) Report to President the progress made under this section and outline additional steps needed to secure the software supply chain.
Do I have a remediation plan for my legacy products?
Note: The EO text has been adjusted for brevity and clarity
- DHS: Department of Homeland Security
- DoD: Department of Defense
- CNSS: Committee on National Security Systems
- MOA: Memorandum of Agreement
- EDR: Endpoint Detection and Response
- CSP: Cloud Service Provider
- NIST: National Institute of Standards and Technology
- CISA: Cybersecurity & Infrastructure Security Agency
- FAR: Federal Acquisition Regulation
- SBOM: Software Bill of Materials
- OMB: Office of Management and Budget
- IoT: Internet of Things
- OT: Operational Technology
- APNSA: Assistant to the President for National Security Affairs
- FedRAMP: Federal Risk and Authorization Management Program
- FCEB: Federal Civilian Executive Branch