Compromised supplier accounts are a serious threat. Industry reports estimate that more than eighty percent of businesses have faced attacks that originated with a compromised supplier account.
Software supply chain security is a perennial issue for businesses, government agencies, and other entities. In response, President Biden signed Executive Order 14028, Improving the Nation's Cybersecurity, on May 12, 2021. The order addresses the rising number and severity of cybersecurity breaches and threats. But how can your organization ensure it complies with the order and follows best practices?
This post will walk you through the basics of Executive Order 14028, then provide you with four steps you can follow to ensure your organization complies with the order.
What Is Executive Order 14028?
Issued in May 2021, Executive Order 14028 aims to improve the nation's cybersecurity, and Section 4 of the order is devoted to software supply chain security. Rather than setting technical standards itself, the order directs NIST and other agencies to publish guidelines and standards for evaluating and implementing secure software development practices and tools.
Additionally, EO 14028 charges NIST with leading labeling efforts: pilot programs for consumer software and consumer Internet-of-Things devices intended to encourage manufacturers to build products with cybersecurity risks in mind.
One of the order's main goals is to modernize federal cybersecurity and, through the government's purchasing power and improved information sharing, raise the security of the software and services that businesses and the public rely on. The standards and stipulations in the order aim to better equip agencies to detect, investigate, and remediate cybersecurity incidents.
Some of the other specifics of the order include:
- Implementation of Zero Trust Architecture across the Federal Government, as defined in NIST SP 800-207
- Removal of barriers to sharing threat information between the public and private sectors
- Contract language that obligates IT service providers to report cyber incidents and share breach data with the government
- A requirement that agencies deploy multi-factor authentication and encryption for data at rest and in transit
- A labeling program for software security so that businesses and members of the public can more easily identify products built to secure development practices
- Establishment of the Cyber Safety Review Board to review significant cyber incidents
Who Does Executive Order 14028 Apply to?
Who needs to worry about EO 14028? The order directly binds federal agencies. Businesses and contractors that sell software or IT services to the Federal Government are bound indirectly, through the contract terms and procurement requirements that flow from the order, including the expectation that suppliers attest to following NIST's secure software development guidance.
Other organizations are not required to comply, although many choose to adopt the same standards as best practice.
How to Comply with Executive Order 14028
1. Create a Response Playbook
The first step toward complying with Executive Order 14028 is to write an internal guide that walks your organization through the processes needed to respond properly to vulnerabilities, incidents, and breaches.
This plan is usually called an Incident Response Plan (IRP). A Disaster Recovery Plan (DRP) is a related but distinct document that focuses on restoring operations after an outage; the two should reference each other but not be confused.
Section 6 of the order directs CISA to develop a standardized playbook for federal agencies' vulnerability and incident response. You can set your organization up for success by doing the same internally.
Your response playbook gives your organization the steps required to take action that will help mitigate damage from a breach or incident. Additionally, this guide will help you hold your organization accountable to a high standard internally.
2. Develop a Software Bill of Materials
You will need a software bill of materials (SBOM) to comply with the order properly. An SBOM is a machine-readable inventory of the components in each software product: every library and dependency, its version, its supplier, and an identifier such as a Package URL. Section 4 of the order requires suppliers to provide an SBOM to federal purchasers, and the NTIA's 2021 Minimum Elements define what one must contain; SPDX and CycloneDX are the common formats. The inventory lets you determine, when a vulnerability is disclosed, exactly which products ship the affected component and version, rather than assuming your users are on the latest release.
Creating and maintaining an SBOM makes it much easier to identify vulnerable components in your software. With the inventory at hand, you can match new advisories against component versions and patch before a breach; customers can do the same with the SBOMs you publish.
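The matching step described above, as an added example that is not part of the original post: build a CycloneDX-shaped SBOM (a subset of the format's fields) for a hypothetical application and check its components against a constructed advisory feed. The component names, versions, and advisories are invented for illustration, not real packages or vulnerabilities; versions are compared numerically so that 1.2.10 sorts after 1.2.9.

```python
"""Build a minimal CycloneDX-style SBOM and match its components against
vulnerability advisories. Component names, versions and advisories below are
constructed for illustration, not real findings."""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecosystem: str = "pypi"

    @property
    def purl(self) -> str:
        # Package URL, the identifier CycloneDX and SPDX use to name a component.
        return f"pkg:{self.ecosystem}/{self.name}@{self.version}"


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(app_name: str, app_version: str, components: list[Component]) -> dict:
    """Produce a CycloneDX 1.4-shaped document (subset of fields)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


# Constructed advisory feed: (ecosystem, package, introduced_version, fixed_version).
# A component is affected if introduced <= version < fixed.
ADVISORIES = [
    ("pypi", "examplelib-http", "2.0.0", "2.4.1"),
    ("pypi", "examplelib-yaml", "0.0.0", "5.4.0"),
]


def affected_components(sbom: dict, advisories=ADVISORIES) -> list[str]:
    """Return the purls of SBOM components whose version falls in an affected range."""
    hits = []
    for comp in sbom["components"]:
        purl = comp["purl"]
        ecosystem = purl.split(":", 1)[1].split("/", 1)[0]
        for adv_ecosystem, pkg, introduced, fixed in advisories:
            if (ecosystem, comp["name"]) != (adv_ecosystem, pkg):
                continue
            v = parse_version(comp["version"])
            if parse_version(introduced) <= v < parse_version(fixed):
                hits.append(purl)
    return hits


if __name__ == "__main__":
    # Constructed dependency set for a hypothetical service.
    comps = [
        Component("examplelib-http", "2.3.0"),   # inside the affected range
        Component("examplelib-yaml", "5.4.1"),   # already at the fixed version
        Component("examplelib-json", "1.0.0"),   # no advisory
    ]
    sbom = build_sbom("inventory-service", "3.1.0", comps)
    print(json.dumps(sbom, indent=2))
    print("affected:", affected_components(sbom))
```

In practice the advisory feed would come from a vulnerability database keyed by the same Package URLs, and the SBOM would be generated by your build tooling rather than written by hand; the value of the exercise is that the match is exact on component and version, so the patch list is short and specific.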
3. Implement Robust File Integrity Monitoring
File integrity monitoring (FIM) can help you comply with EO 14028. FIM detects changes to critical files, including system binaries, application files, and configuration files, and alerts on changes that were not authorized. This aligns with tenet five of NIST SP 800-207.
Tenet five of SP 800-207 states that the enterprise monitors and measures the integrity and security posture of all owned and associated assets. Implementing FIM processes and software gives you that measurement for the files and configurations that matter most.
FIM is a small component of your larger overall integrity management processes and systems. You should explore a system integrity assurance solution for the best results in keeping your data compliant and secure.
System integrity assurance, possible through a solution like CimTrak, allows you not only to see unauthorized changes but also to roll back those changes or prevent them altogether. Keeping a close eye on system integrity can also help you comply with regulations such as PCI DSS, HIPAA, and NERC CIP, in addition to EO 14028.
4. Implement a Zero Trust Solution
Adopting a Zero Trust Architecture is required of federal agencies under Section 3 of Executive Order 14028, and contractors that connect to federal systems face the same expectation. But what is Zero Trust? Essentially, Zero Trust rejects the premise of the traditional perimeter model: that anything inside the network can be trusted.
Rather than defending a perimeter and trusting every actor inside it, Zero Trust grants no implicit trust based on network location. Each request for a resource is evaluated against the identity of the user or service, the health of the device, and policy, and is granted with only the privileges needed for that session. This setup ensures users access only the data they need, when they need it.
Under a Zero Trust approach, you verify users, devices, and services continuously, not once at login. This limits an intruder's ability to move laterally: if an attacker compromises one account or host, Zero Trust restricts them to whatever that identity is authorized to reach.
For more information on Zero Trust implementation, explore our post, How To Implement Zero Trust In Your Organization.
What Executive Order 14028 Means For Your Organization
Your team must understand the key components of Executive Order 14028 to remain compliant with the order and to maintain strong software supply chain security.
Shifting to a more modern approach to cybersecurity, like the model outlined in a Zero Trust Architecture, can be challenging. However, with the right tools and processes in place, your team can maintain a strong cybersecurity posture relatively easily.
Zero Trust alone is not enough to ensure your compliance with Executive Order 14028—or to protect your organization from a breach. But what is missing from the Zero Trust model?
Explore our free resource, the Missing Components of Zero Trust, today to see what your organization needs to comply with EO 14028 and keep your data secure.
March 30, 2023