Executive Order 14028: Improving the Nation's Cybersecurity
Executive Order 14028 - "Improving the Nation's Cybersecurity" (issued May 12, 2021) requires agencies to enhance cybersecurity and software supply chain integrity.
Summary of EO 14028 requirements
- Requires service providers to share cyber incident and threat information that could impact Government networks.
- Moves the Federal government to secure cloud services, zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.
- Establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
- Establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make recommendations for improving cybersecurity.
- Creates a standardized playbook and set of definitions for cyber incident response by Federal departments and agencies.
- Improves the ability to detect malicious cyber activity on Federal networks by enabling a governmentwide endpoint detection and response system and improved information sharing within the Federal government.
- Creates cybersecurity event log requirements for Federal departments and agencies.
- Requires amendments to the FAR to align with requirements in the EO.
What contractors can expect
- Modification of contract language to reflect new guidance from NIST and CISA. If your company cannot accept the modification, you will not be able to sell to the Federal government.
- GSA will keep you informed, communicating with you regarding all major developments.
- Future updates to the Federal Acquisition Regulation.
What contractors can do
Read and understand the Executive Order and related memos
- M-23-16, Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices [PDF - 298 KB].
- OMB M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.
- Executive Order 14028 - Improving the Nation's Cybersecurity.
- M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles [PDF].
- National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.
- M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements [PDF].
- M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response [PDF].
- M-21-31 Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents [PDF].
- M-21-30 Protecting Critical Software Through Enhanced Security Measures [PDF].
Provide feedback
Look out for the FAR rules’ public comment periods and provide feedback.
Update your compliance program
Stay on top of proposed updates to the FAR and prepare for changes that could impact your entity’s compliance.
Educate
Communicate and train your purchasing/procurement and materials management professionals to ensure they are familiar with your compliance plan and potential changes.
Why these changes are important
- Adversaries are using increasingly sophisticated methods and cyber operations to attack the supply chain, gain access to critical infrastructure, and steal sensitive information.
- Foreign owned or controlled Information and Communications Technology products may create vulnerabilities in U.S. supply chains.
- IT providers are often hesitant or unable to voluntarily share information about a cyber incident.
- The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.
- The planned FAR rules will ensure contractors keep national security interests in mind by requiring contractors to follow a set of standardized rules when doing business with the Federal government.
Resources
- Acquisition policy library and resources
- EO 14028 - Improving the Nation's Cybersecurity
- Critical software definition
- NIST security measures for "EO-critical software" use under EO 14028
- NIST recommended minimum standards for vendor or developer verification (testing) of software under EO 14028
- Protecting critical software through enhanced security measures
- Moving the U.S. government towards zero trust cybersecurity principles
- Regulations.gov (information on the development of Federal regulations)
Last updated: Aug 19, 2024
An official website of the U.S. General Services Administration