Executive Order 14028 on Improving the Nation's Cybersecurity
The May 2021 executive order that reshaped federal software supply chain security, mandated SBOMs, and accelerated zero trust adoption across civilian agencies.
Executive Order 14028, "Improving the Nation's Cybersecurity," signed May 12, 2021, in the immediate aftermath of the SolarWinds and Colonial Pipeline incidents, issued binding directives across seven domains: removing barriers to threat information sharing between government and private sector; modernizing federal government cybersecurity (zero trust, cloud migration, MFA, encryption); enhancing software supply chain security (SBOM mandates, secure development attestations); establishing a Cyber Safety Review Board (CSRB); standardizing playbooks for cyber incident response; improving detection of cybersecurity vulnerabilities and incidents on federal networks (EDR mandate); and improving investigative and remediation capabilities. Most directives carried 60-to-180-day implementation timelines and required NIST, CISA, OMB, and NSA to produce implementing guidance.
Section 4 of EO 14028, on software supply chain security, has the broadest engineering impact. It directed NIST to publish guidance on secure software development practices (resulting in NIST SP 800-218, the Secure Software Development Framework (SSDF), and NIST SP 800-161r1 on cybersecurity supply chain risk management (C-SCRM)) and on minimum software supply chain security standards, including SBOM requirements. OMB Memorandum M-22-18 (September 2022) operationalized Section 4 for federal software procurement: vendors of software used by federal agencies must now self-attest to conformance with the NIST SSDF using a standard self-attestation form, or provide a third-party assessment. For "critical software" (as defined by NIST), attestation must include an SBOM. Federal agencies must also implement endpoint detection and response (EDR) solutions meeting CISA's technical reference architecture.
The EO's zero trust mandate, implemented through OMB M-22-09 ("Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," January 2022), set specific measurable milestones for all federal civilian agencies by end of FY2024: enterprise-wide MFA using phishing-resistant methods (PIV/FIDO2), all DNS queries encrypted (DoH/DoT), all HTTP traffic encrypted, and all application traffic authorized at the application layer rather than the network perimeter. NSA's Cybersecurity Advisory "Embracing a Zero Trust Security Model" (February 2021) provides the technical implementation guidance for National Security Systems. These mandates create a procurement ripple effect: any contractor building software or operating infrastructure for a federal agency must demonstrate SSDF conformance and provide SBOMs as a contract deliverable.
We help federal contractors and agencies navigate EO 14028 obligations end-to-end: SSDF gap assessments and self-attestation preparation, automated SBOM generation integrated into CI/CD pipelines (CycloneDX and SPDX formats), phishing-resistant MFA deployment across federal tenants, and zero trust architecture implementation aligned to OMB M-22-09 milestones. We track CISA, NIST, and OMB implementing guidance releases and update client compliance programs within 30 days.