Executive Order 14028 Explained | NetRise.io

Written by NetRise | Mar 31, 2024 5:20:31 PM

What is Executive Order 14028?

Executive Order 14028, titled “Improving the Nation’s Cybersecurity,” was issued by the Biden Administration on May 12, 2021. This directive aims to enhance the cybersecurity posture of federal agencies and critical infrastructure by enforcing stricter security measures, greater transparency in software development, and stronger supply chain protections.

The order was largely a response to high-profile cyberattacks, including the SolarWinds supply chain compromise and the Colonial Pipeline ransomware attack, both of which exposed vulnerabilities in U.S. critical infrastructure and government systems.

Why Executive Order 14028 Matters

EO 14028 sets new security requirements for software vendors selling to the U.S. government and introduces wider cybersecurity initiatives that affect the private sector, technology providers, and enterprises handling sensitive data.

Its core goals include:

  • Enhancing visibility into software supply chains – Mandating Software Bills of Materials (SBOMs) and improved software transparency.

  • Improving vulnerability detection and response – Implementing Zero Trust security principles across federal systems.

  • Modernizing federal cybersecurity standards – Accelerating cloud adoption and endpoint detection capabilities.

  • Strengthening incident response coordination – Requiring faster breach detection, reporting, and threat intelligence sharing.

Who Does EO 14028 Apply To?

The primary focus of EO 14028 is on U.S. federal agencies and government contractors, but its impact extends to:

  • Software vendors selling to the government – Companies that provide software or cloud services to federal agencies must comply with EO 14028’s security mandates.

  • Critical infrastructure providers – Sectors such as energy, healthcare, finance, and defense are expected to follow new security best practices.

  • Enterprises adopting cybersecurity best practices – Many private companies are aligning with EO 14028 to improve security resilience and avoid supply chain risks.

Key Cybersecurity Requirements Under EO 14028

EO 14028 introduces several security initiatives to protect federal networks and improve software integrity:

  • Mandatory Software Bills of Materials (SBOMs) – Vendors must provide a detailed list of software components and dependencies to enhance transparency and security.

  • Zero Trust Architecture Adoption – Federal agencies must implement Zero Trust security models, requiring strict identity verification and least-privilege access controls.

  • Enhanced Vulnerability Disclosure Programs – Vendors must create standardized processes for reporting and remediating software vulnerabilities.

  • Stronger Cloud Security Standards – Federal systems must adopt cloud security best practices, including multi-factor authentication (MFA) and encryption.

  • Improved Endpoint Detection & Response (EDR) – Agencies must deploy EDR solutions to detect and contain cyber threats more effectively.

  • Faster Threat Intelligence Sharing – The government will streamline threat intelligence reporting and collaboration between federal agencies and private sector partners.

How Organizations Can Prepare for EO 14028 Compliance

For software vendors, compliance with EO 14028 requires proactive security measures:

  • Adopt SBOM best practices – Maintain an accurate, real-time inventory of software components and ensure transparency in third-party dependencies.

  • Implement Zero Trust security – Enforce strict authentication, continuous monitoring, and network segmentation to limit cyber risks.

  • Strengthen vulnerability management – Develop structured patching policies and rapid vulnerability disclosure programs.

  • Enhance security automation – Use automated scanning, threat intelligence, and compliance monitoring tools to meet federal security requirements.

  • Align with NIST cybersecurity frameworks – Follow NIST SP 800-218 (Secure Software Development Framework) and NIST SP 800-53 for risk-based security controls.

The Impact of EO 14028 on Cybersecurity

EO 14028 is shaping the future of cybersecurity regulations in the United States. Even private sector companies that are not directly affected today are aligning their security strategies with its principles to stay ahead of evolving compliance requirements.

By adopting the security measures outlined in EO 14028, organizations can reduce their exposure to supply chain attacks, improve security resilience, and enhance trust with customers and government partners.