
Cyber Security Trends: Navigating the New Threat Landscape


On May 12, 2021, the landscape of US government IT security changed forever. In the wake of catastrophic incidents like the SolarWinds supply chain attack and the Colonial Pipeline ransomware crisis, the White House issued Executive Order 14028, titled “Improving the Nation’s Cybersecurity.”

This was not merely a suggestion paper; it was a sweeping mandate effectively rewriting the rulebook for how federal agencies protect data, how they interact with cloud providers, and, crucially, how software vendors must build their products.

For federal agencies and private sector contractors alike, understanding what Executive Order 14028 is and what it requires is no longer optional. It is the baseline for doing business with the US government. This guide provides a comprehensive summary of the order, its requirements, and the path to compliance.

Executive Order 14028 Summary: The Seven Key Pillars

To grasp the scope of the order, it is helpful to break it down into its core components. A concise Executive Order 14028 summary reveals seven strategic pillars designed to modernize federal defenses:

  1. Removing Barriers to Threat Information Sharing: Lifting the contractual barriers that previously prevented IT service providers from sharing breach information with the government.

  2. Modernizing Federal Government Cybersecurity: Mandating the shift to Zero Trust Architecture (ZTA) and secure cloud services.

  3. Enhancing Software Supply Chain Security: Requiring a Software Bill of Materials (SBOM) for critical software.

  4. Establishing a Cyber Safety Review Board: Creating a standardized board to analyze significant cyber incidents (modeled after the NTSB).

  5. Standardizing Incident Response: Creating a unified playbook for responding to vulnerabilities and incidents across all agencies.

  6. Improving Detection of Cyber Vulnerabilities: Mandating the deployment of Endpoint Detection and Response (EDR) capabilities across federal networks.

  7. Investigative and Remediation Capabilities: Improving logging and log retention requirements to aid in forensics.

The Core Mandate: Zero Trust Architecture

Perhaps the most significant technical shift driven by the cybersecurity Executive Order 14028 is the requirement for all federal agencies to adopt a Zero Trust Architecture (ZTA).

The order explicitly recognizes that the traditional perimeter-based security model is broken. Agencies can no longer trust a user or device simply because they are “inside” the network. Instead, they must adhere to the principles outlined in NIST SP 800-207: Never Trust, Always Verify.

Implementing Zero Trust in Government

Compliance requires a fundamental restructuring of agency networks. This involves:

  • Phishing-Resistant MFA: Moving away from SMS codes to hardware keys and FIDO2 standards.

  • Microsegmentation: Breaking flat networks into granular zones to prevent lateral movement.

  • Encryption: Enforcing robust encryption for data both at rest and in transit.

For agencies struggling to overhaul legacy infrastructure, the path to Zero Trust can be complex. Specialized integrators are often required to bridge the gap between legacy systems and modern mandates. Leveraging comprehensive TerraZone Solutions for State, Federal, and Defense Agencies allows organizations to deploy a unified Zero Trust framework that aligns with the strict requirements of EO 14028, ensuring identity verification and data protection are baked into the architecture.

Enhancing Software Supply Chain Security

The SolarWinds attack demonstrated that even if an agency’s defenses are perfect, they can still be compromised through the software they buy. EO 14028 addresses this by placing strict obligations on the private sector.

The Rise of the SBOM

The order mandates that software developers selling to the government must provide a Software Bill of Materials (SBOM). An SBOM is essentially a list of ingredients for software, detailing every open-source library and third-party component used in the code.

This requirement forces transparency. If a vulnerability is discovered in a common library (like Log4j), agencies can instantly check their SBOMs to see if they are affected, rather than waiting for vendor notifications.
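The check described above, as an added example that is not part of the original article or any vendor's tooling: a short Python script that walks a CycloneDX-style SBOM (including components nested under a bundled application, i.e. transitive dependencies) and reports every component that falls inside an advisory's affected version range. The SBOM contents, the advisory identifier (`ADV-EXAMPLE-0001`) and its version range are all constructed for illustration; a real check would load the advisory from a vulnerability feed.

```python
import json

# Constructed CycloneDX-style SBOM, as a JSON document a vendor would deliver.
# Component names and versions are sample data, not a real product's inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        # A bundled application whose own dependencies are nested one level down.
        {"group": "gov.example", "name": "agency-app", "version": "1.0.0",
         "purl": "pkg:maven/gov.example/agency-app@1.0.0",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.0",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"},
         ]},
    ],
})

# Constructed advisory. The identifier is a placeholder and the version range
# is illustrative; a real check would load these from a vulnerability feed.
SAMPLE_ADVISORY = {
    "id": "ADV-EXAMPLE-0001",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0",   # first affected version (inclusive)
    "fixed": "2.15.0",     # first fixed version (exclusive)
}


def parse_version(version, width=3):
    """Turn a dotted version such as '2.14.1' into a fixed-width integer tuple.

    Non-numeric suffixes ('2.0-beta9') are dropped after the leading digits, and
    short versions are right-padded with zeros so '2.15' compares equal to '2.15.0'.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def in_affected_range(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def walk_components(components):
    """Yield every component, including nested (transitive) ones, depth-first."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(sbom_json, advisory):
    """Return the purls of SBOM components that fall inside the advisory's range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        if comp.get("group") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        if in_affected_range(comp.get("version", "0"), advisory["introduced"], advisory["fixed"]):
            hits.append(comp.get("purl") or f'{comp["name"]}@{comp["version"]}')
    return hits


if __name__ == "__main__":
    affected = find_affected(SAMPLE_SBOM, SAMPLE_ADVISORY)
    if affected:
        print(f"{SAMPLE_ADVISORY['id']}: {len(affected)} affected component(s)")
        for purl in affected:
            print("  ", purl)
    else:
        print(f"{SAMPLE_ADVISORY['id']}: not affected")
```

Running the script flags the two `log4j-core` entries below the fixed version (one of them only reachable through the nested `agency-app` component) and leaves the patched 2.17.1 copy and the unrelated library alone. The version comparison is deliberately simple; production tooling should apply the ordering rules of each package ecosystem (Maven, npm, PyPI and so on) rather than a generic numeric split, and the SBOM should be matched by purl where the advisory provides one.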

Cloud Security and FedRAMP Modernization

What is Executive Order 14028 doing for the cloud? It creates a “Cloud First” but “Secure Cloud” policy. The order directs CISA and the GSA to modernize the FedRAMP program, making it easier for agencies to adopt secure cloud technologies while ensuring those technologies meet rigorous encryption and logging standards.

Agencies are required to implement:

  • Data Rights Management (DRM): Ensuring data remains protected even outside the agency’s direct control.

  • Continuous Monitoring: Replacing “Point-in-Time” assessments with real-time visibility into cloud security posture.

From Cybersecurity to AI Safety: The Link to Executive Order 14110

As we navigate through 2025, the mandates of EO 14028 have become the foundational bedrock for the government’s newest strategic initiative: Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence), issued in late 2023.

It is critical for agencies to understand that EO 14110 does not replace EO 14028; rather, it relies upon it. Secure AI is impossible without a secure environment. The Zero Trust Architecture mandated by EO 14028 provides the necessary access controls to ensure that powerful Generative AI models are not manipulated or accessed by unauthorized actors.

Furthermore, the principles of Software Supply Chain Security (SBOM) are now being adapted to the “AI Supply Chain.” Just as agencies must know the ingredients of their software, EO 14110 pushes for transparency regarding the datasets used to train government AI models. By adhering to the rigorous identity and data encryption standards of EO 14028, agencies create the “clean room” environment required to safely deploy cutting-edge AI capabilities.

Incident Response and Logging

A major failure point in past breaches was the lack of visibility: agencies didn’t know they were breached until months later because logs were either not kept or not analyzed.

Cybersecurity Executive Order 14028 mandates:

  1. Centralized Logging: Logs must be retained and made accessible to CISA and the FBI for investigation.
  2. EDR Deployment: Agencies must deploy Endpoint Detection and Response tools to actively hunt for malicious activity on government devices.

The Impact on the Private Sector (Contractors)

While the order is directed at federal agencies, its ripple effects are felt throughout the Defense Industrial Base (DIB) and the broader tech sector. Any company that sells software or services to the US government must now comply with NIST standards derived from the EO.

If your organization provides IT services to the government, you are now contractually obligated to report cyber incidents within hours, not days. Failure to comply can result in contract termination and legal liability under the False Claims Act.

Conclusion: Moving Toward Compliance

Executive Order 14028 is a living directive. It has spawned subsequent memorandums (like OMB M-22-09) that set specific deadlines for ZTA implementation. For federal CIOs and private sector CISOs, the message is clear: modernization is not a luxury; it is the law.

To navigate this transition, organizations must move beyond piecemeal tools and adopt holistic security platforms. Implementing robust TerraZone cybersecurity solutions helps organizations automate compliance with EO 14028, covering everything from secure file transfer and content disarmament to cross-domain interoperability, ensuring that the mission remains secure in a hostile digital environment.

Table: Key Deadlines and Milestones of EO 14028

Milestone             | Responsible Agency | Requirement
----------------------|--------------------|------------------------------------------------------------------------
Zero Trust Strategy   | Agency Heads       | Develop and submit a plan to implement Zero Trust Architecture.
Cloud Security        | CISA / OMB         | Develop a Federal Cloud Security Strategy and update FedRAMP.
Software Supply Chain | NIST               | Publish guidelines for enhancing software supply chain security (SBOM).
Incident Logging      | OMB                | Establish requirements for logging, log retention, and log management.
Consumer Labeling     | NIST               | Initiate pilot programs for IoT and software consumer security labeling.
