How has Executive Order 14028 affected federal cybersecurity so far?

Recently, the United States Government Accountability Office issued an update on the progress of Executive Order 14028, Improving the Nation’s Cybersecurity.

In 2021, the White House identified 55 leadership and oversight requirements that needed to be met to improve cybersecurity in federal IT systems, with all systems needing to meet or exceed the standard outlined. Executive Order (14028) on Improving the Nation’s Cybersecurity elaborated on the reasons for the requirement, stating that the “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”

Additionally, the executive order (EO) said that completing these was essential because the government should lead by example to encourage the private sector to also reduce the risk of cybersecurity breaches and attacks.

The EO designated the agencies responsible for implementing the requirements: the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

The key requirements of this order focused on cybersecurity solutions including:

• Removing barriers to threat information
• Modernizing federal government cybersecurity
• Enhancing software supply chain security
• Establishing a cyber safety review board
• Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
• Improving the federal government’s investigative and remediation capabilities

Update on progress toward the requirements

The April 2024 update reported that the three responsible agencies completed 49 of the requirements. The requirement for standardizing the playbook for responding to cybersecurity vulnerabilities and incidents was determined to be not applicable. Additionally, the agencies have partially completed the remaining five requirements.

Of the key requirements, modernizing federal government cybersecurity is the only one completely fulfilled. The efforts in that area included implementing or beginning implementation of zero trust architecture for federal agencies, securing cloud services and centralizing access to cybersecurity data.

Other initiatives included addressing unclassified data, making progress on implementing multifactor authentication and encryption and developing a cloud security technical reference architecture documentation.

Outstanding requirements remain

While the update commended the agencies on their efforts toward improving federal cybersecurity, the conclusion stressed the importance of completing the remaining requirements.

The five remaining requirements are:

1. Incorporate into the annual budget process a cost analysis of the steps to be taken in this section.

While the OMB partially incorporated a cost analysis into the annual budget process, they did not provide evidence for details on the implementation of all leadership and oversight requirements in the order.

2. Identify and make available to agencies a list of categories of software and software products in use or the acquisition process meeting the definition of “critical software.”

CISA and OMB assisted NIST with the criteria and guidelines for required federal government software security measures. CISA, OMB and NIST also created a definition of critical software and a preliminary list of common categories of software that are consistent with that definition. However, CISA did not issue the list of common categories of software by the September 2023 deadline.

3. Review the recommendations provided to the president for improving the board’s operations and take steps to implement them as appropriate.

CISA has not provided evidence of the steps taken to improve operations through recommendations for improving future operations. The update states that this step is key to allowing the board to effectively conduct its future incident reviews.

4. Ensure that agencies have adequate resources to comply with the requirements for adopting EDR approaches.

Although OMB reported that they had incorporated endpoint detection and response (EDR) within their guidance to agencies for budget submissions and included EDR in the list of FISMA metrics in fiscal year 2023, the agency was not able to provide proof of this documentation. The update shares the concern that without the proof, it’s possible that agencies will not receive sufficient funding for EDR initiatives.

5. Work with agency heads to ensure that agencies have adequate resources to comply with requirements for logging, log retention and log management.

OMB gave guidance to agencies regarding logging, such as log retention and log management. However, OMB did not demonstrate that the agencies had enough resources to implement logging, log retention or log management.

The update made specific executive action recommendations for the five remaining requirements to be completed by December 31, 2024.

Continue Reading