The President’s Executive Order 14028, titled Improving the Nation’s Cybersecurity, commanded the public and private sectors to enhance the security and integrity of the software supply chain. The initiative seeks to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns.
What does this mean for your organization, and how can you leverage these guidelines to enhance your software supply chain security?
Summary of Executive Order 14028 requirements
- Service providers must share cyber incident and threat information that could impact Government networks
- The Federal government will adopt secure cloud services, zero-trust architecture, multi factor authentication (MFA), and encryption within a specific time period
- Software procured by the government must meet baseline development security standards, including requiring developers to maintain greater visibility into their software and making security data publicly available
- A Cybersecurity Safety Review Board, co-chaired by government and private sector leads, will convene after a significant cyber incident to analyze what happened and make recommendations for improving cybersecurity
- A playbook and set of definitions will standardize cyber incident understanding and response by Federal departments and agencies to respond together
- A government-wide endpoint detection and response system will improve the ability to detect malicious cyber activity on Federal networks
- New cybersecurity event log requirements will apply to Federal departments and agencies
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Executive Order 14028
It commanded the private sector to partner with the Federal Government to protect the Nation from malicious cyber actors, adapt to the continuously changing threat environment, ensure products are built and operate securely, and ultimately foster a more secure cyberspace.
This includes systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).
The EO went on to assure that the prevention, detection, assessment, and remediation of cyber incidents is a top priority for the Administration, and essential to national and economic security.
This EO is one more step in the right direction to deal with nation-state supply chain attacks. Recent attacks, such as those suffered by Colonial Pipeline, Kaseya, SolarWinds, or Log4j have brought the topic of supply chain security to the front pages, and to the board agenda.
Read More: Understanding Supply Chain Data Breaches in the Aftermath of SolarWinds
Who is affected?
The most directly affected sector is that of federal government IT service providers. However, as with previous Executive Orders and regulations, it is expected this will have a cascading effect: from federal contractors to organizations across different industries, as new standards are set and practices are adopted.
As PwC analysts put it:
- Federal executive agencies are expected to modernize their technology environment and security practices.
- Federal contractors will likely see new cybersecurity standards built into contract terms, and will be required to share more information on cyber incidents.
- The private sector will likely see a focus on software supply chain security, as well as on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. As a result, software and IoT device companies should expect new security requirements and assessment standards.
The impact on your business
The private sector, academia, government agencies, and others will cooperate in identifying existing or developing new standards, tools, best practices, and other guidelines to enhance software supply chain security.
Those guidelines, while ultimately aimed at federal agencies, are also available for industry and others to use, including your organization. They cover topics such as criteria to evaluate software security or security practices of developers and suppliers, or innovative tools or methods to demonstrate conformance with secure practices.
Agencies like CISA and NIST have put together these useful resources:
- EO 14028 – Improving the Nation’s Cybersecurity
- NIST security measures for “EO-critical software” use under EO 14028
- NIST recommended minimum standards for vendor or developer verification (testing) of software under EO 14028
- Protecting critical software through enhanced security measures
- Moving the U.S. government towards zero trust cybersecurity principles
- Statement from CISA Acting Director Wales on Executive Order to Improve the Nation’s Cybersecurity
- No Trust? No Problem: Maturing Towards Zero Trust Architectures
- Cloudy With a Chance of Migration: Helping Agencies Make the Move to the Cloud
Don’t let zero days be “wake up calls.”
Unpredictable vulnerabilities will be an ongoing concern for security teams inthe foreseeable future.
In this guide you will learn the fundamentals of zero days, patterns from our statistical analysis, and tips to reduce risk and remediate zero days if/when they happen.
