aDolus Logo Timeline of Executive Order 14028

Icon of the Whitehouse

MAY 12, 2021

Sec. 2
Removing Barriers to Sharing Threat Information

Sec. 3
Modernizing Federal Government Cybersecurity

Sec. 4
Enhancing Software Supply Chain Security

JUNE 11, 2021

30 days

Director of NIST
4(b) Solicit stakeholder input to identify existing or develop new standards, tools, and best practices for complying with the order.

If you want to give input, now's the time.

JUNE 26, 2021

45 days

Secretary of Homeland Security
2(g)(i) Recommend to the FAR Council the contract language defining cyber incidents requiring reporting, the information that must be reported, National Security Systems reporting requirements, time periods, and the types of service providers covered.

Director of NIST
4(g) Publish a definition of the term "critical software".

JULY 11, 2021

60 days

Director of OMB
2(b), 2(c) Recommend updates to contract language to ensure that IT and OT service providers collect, preserve, and share with agencies information and reporting relevant to cybersecurity event prevention, detection, response, and investigation.

Director of CISA
2(i) Review current agency-specific cybersecurity requirements and recommend to the FAR Council standardized contract language.

What the heck is an OT Service provider and is my company considered one?

Head of Each Agency
3(b) Update existing agency plans to prioritize resources for the adoption of cloud technology, develop a plan to implement Zero Trust Architecture, including the migration steps outlined by NIST, and report to the Director of OMB and the APNSA regarding the plans.

Director of CISA
3(c)(iii) Issue, for FCEB Agencies, a cloud-service governance framework that identifies services and protections available based on incident severity and identifies associate data and processing activities.

Administrator of General Services
3(f) Modernize FedRAMP by:

  • Establishing a training program to ensure agencies are trained and equipped to manage FedRAMP requests
  • Improving communication with CSPs through automation and standardization of messages
  • Incorporating automation throughout the lifecycle of FedRAMP
  • Digitizing and streamlining documentation that vendors are required to complete
  • Mapping relevant compliance frameworks onto requirements in the FedRAMP authorization process

Director of NIST
4(i) Publish guidance outlining security measures for "critical software".
4(r) Publish guidelines for minimum standards for vendors' testing of their software source code.

Does my source code testing meet these standards?

Secretary of Commerce
4(f) Publish the minimum elements for an SBOM.

Can I publish an SBOM that meets these requirements?

JULY 26, 2021

75 days

Director of CISA
4(h) Provide a list of software categories meeting the definition of "critical software".

Is my product "critical software"?

AUGUST 10, 2021

90 days

Director of the NSA, Attorney General, Secretary of Homeland Security, Director of National Intelligence
2(g)(iii) Jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.

FAR Council
2(d) Preview contract language proposed by Director of OMB and publish proposed updates to the FAR for public comment.

Director of OMB
3(c)(i) Develop a cloud-security strategy and provide guidance to agencies to ensure that risks from cloud-based services are understood and addressed and that FCEB Agencies move closer to Zero Trust Architecture.

Director of CISA
3(c)(ii) Issue, for the FCEB, cloud-security technical reference architecture documentation recommending approaches to cloud migration and data protection for data collection and reporting
3(e) Establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology to ensure information sharing among agencies and CSPs.

Heads of FCEB Agencies
3(c)(iv) Evaluate the types and sensitivity of their unclassified data and provide a report to the Director of CISA and the Director of OMB prioritizing identification of data considered to be the most sensitive and threatened, plus appropriate processing and storage solutions for it.

Will cellular-based SCADA services be lumped in as Cloud Services?

Administrator of the Office of Electronic Government
4(j) Require that agencies comply with NIST guidance on security measures for "critical software".

NIST security measures for critical software now take effect!

SEPTEMBER 9, 2021

120 days

Secretary of Homeland Security and Director of OMB
2(e) Ensure that service providers share data with agencies, CISA, and the FBI as necessary to respond to cyber threats, incidents, and risks.

FAR Council
2(j) Review recommended contract language from the Director of CISA and publish proposed updates to the FAR for public comment.

SEPTEMBER 24, 2021

135 days

FAR Council
2(g)(ii) Review recommendations on types of incidents and information required from Secretary of Homeland Security and publish proposed updates to the FAR for public comment.

NOVEMBER 8, 2021

180 days

All Agencies
3(d) Adopt multi-factor authentication and encryption for data at rest and in transit. Heads of FCEB Agencies shall report to the Director of CISA, the Director of OMB, and the APNSA on their progress, CISA shall take all appropriate steps to maximize adoption. Those unable to fully adopt shall provide written rationale to the Director of CISA, the Director of OMB, and the APNSA.

  • Does my product have any cloud features?
    If so:
  • Can it provide multi-factor authentication?
  • What about encryption for data at rest and in transit?

Director of NIST
4(c) Publish preliminary guidelines based on consultations and on existing documents for enhancing software supply chain security.

FEBRUARY 6, 2022

270 days

Director of NIST
4(e) Publish guidance on practices that enhance software supply chain security:

  • secure software development environments
  • tools to maintain trusted source code
  • tools to check for and remediate vulnerabilities
  • publicly available summary information demonstrating conformance
  • accurate, up-to-date provenance of software and components
  • SBOMs
  • vulnerability disclosure program
  • attesting to secure software development practices and the integrity and provenance of open source software
4(t) Identify IoT cybersecurity criteria for a consumer labeling program
4(u) Identify secure software development practices for a consumer software labeling program

Software supply chain security practices finalized. Are we compliant with that long list?

MARCH 8, 2022

300 days

Administrator of the Office of Electronic Government
4(k) Require that agencies comply with the NIST guidelines with respect to software procured after the date of this order

Can I sell my new product to federal agencies (or companies that sell to federal agencies)?

MAY 7, 2022

360 days

Director of NIST
4(d) Publish additional guidelines for enhancing software supply chain security as well as procedures for periodic updating.

MAY 12, 2022

1 year

Secretary of Homeland Security
4(n) Recommend contract language to the FAR Council requiring software suppliers to comply with and attest to complying with the order.
4(p) Require agencies to remove software products that do not meet the requirements, following any final amendments to FAR.

Can I comply with the contract language... and prove it?

Administrator of the Office of Electronic Government
4(q) Require agencies employing legacy software to either comply with the order or provide a plan outlining actions to remediate or meet the requirements of the order, unless an extension or waiver is granted.

Can federal agencies still use my legacy products?

Director of NIST
4(w) Review the pilot programs focused on security capabilities of IoT devices and software development practices.

Secretary of Commerce
4(x) Report to President the progress made under this section and outline additional steps needed to secure the software supply chain.

Do I have a remediation plan for my legacy products?

Note: The EO text has been adjusted for brevity and clarity.

  • DHSDepartment of Homeland Security
  • DoDDepartment of Defense
  • CNSSCommittee on National Security Systems
  • MOAMemoranda of Agreement
  • EDREndpoint Detection and Response
  • CSPCloud Service Provider
  • NISTNational Institute of Standards and Technology
  • CISACybersecurity & Infrastructure Security Agency
  • FARFederal Acquisition Regulation
  • SBOMSoftware Bill of Materials
  • OMBOffice of Management and Budget
  • IoTInternet of Things
  • APNSAAssistant to the President for National Security Affairs
  • FedRAMPFederal Risk and Authorization Management Program
  • FCEBFederal Civilian Executive Branch

Feedback