The U.S. Cybersecurity Executive Order 14028 

Understanding the Cybersecurity Executive Order 14028

Announced in May 2021, White House Executive Order 14028 on Improving the Nation’s Cybersecurity has a number of key initiatives that organizations using open source to develop applications should understand. At a high level, it states that organizations will need to begin to attest to the health, security, and provenance of the open source components that go into their applications.

The executive order also calls for the National Institute of Standards and Technology (NIST) to provide software supply chain regulations within one year. These guidelines will determine how organizations should check for vulnerabilities within applications.

Since the original publication of this page, NIST has released the NIST Secure Software Development Framework (SSDF). You can read about these guidelines and how they impact open source on our blog.

What organizations building with open source need to know

With an increase in cybersecurity attacks, from the SolarWinds hack on proprietary software to the Log4Shell incident with open source software, the U.S. government had to make the call to create much needed improvements to the nation's cybersecurity. Log4Shell in particular had a significant financial impact and highlighted the need for a sound support system for the open source maintainers behind the packages that make up 70% of the code in modern applications.

Within the executive order, they provided an outline of the recommended guidance to be created by NIST. Below are the items that are particularly key for organizations using open source to develop applications (emphasis ours):

(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;

(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website

and...

(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

Why does my organization need to provide an SBOM? 

An SBOM provides a comprehensive list of the software components that comprise your applications. Having an accurate SBOM not only keeps you and your team informed on the ingredients list of the software in use at your organization, but it's also the first step towards compliance with government initiatives such as the ones outlined in Executive Order 14028.

What does it mean by "attesting"?

Furthermore, as a result of the executive order, NIST released the NIST SSDF, a series of guidelines that organizations selling to the government will need to self-attest that they comply with as soon as late 2023 for critical software, and early 2024 for all other software (as set by the  U.S. government Office of Management and Budget's (OMB) memorandum M-22-18 and its follow-up, memorandum M-23-16). Creating an SBOM is just the start towards attesting that your organization's software complies with NIST SSDF guidelines, because in addition to needing to provide an SBOM for the components of your applications, your organization will also need to attest that the open source dependencies in your organization’s applications follow secure software development best practices.

To learn how Tidelift can help your organization attest to the open source components used to build your applications, download a sample of the Tidelift open source attestation report.

Increasing government requirements 

Executive order 14028 is just the start of the U.S. government addressing the security of the software supply chain. As directed by the executive order, NIST released the NIST SSDF and the NIST Software Supply Chain Security Guidance. In September 2022, the OMB announced M-22-18, which created a timeline outlining when organizations selling to the U.S. government will need to self-attest that they comply with the guidelines provided in the NIST SSDF. In July 2023, the follow-up M-23-16 adjusted the deadlines and further honed in on the penalties associated with non-compliance.  

To learn more about these and other U.S. government initiatives, and to stay up-to-date on government policies and their relationship with the open source software supply chain, make sure to bookmark our government open source cybersecurity resource center and download the Tidelift guide to U.S. government cybersecurity requirements.