The U.S. Cybersecurity Executive Order 14028 

Understanding the Cybersecurity Executive Order 14028

Executive order 14028 calls for the National Institute of Standards and Technology (NIST) to provide software supply chain regulations within one year. These guidelines will determine how organizations should check for vulnerabilities within applications. (Since writing this, NIST has released the NIST Secure Software Development Framework (SSDF). You can read about these guidelines and how they impact open source on our blog.)

Why do I need to create an SBOM?

An SBOM provides a comprehensive list of the software components that comprise your applications. With the Tidelift Subscription, you will not only know which open source components are in use within your organization, you'll also be able to check the health of those applications. This report includes information on open source licenses, vulnerabilities, and dependencies. 

Protecting your open source supply chain

Managing the security of your organization’s open source supply chain can be incredibly complex. Proprietary software like SolarWinds, which was involved in a recent hack, is created by a single supplier—but with open source software, there can be dozens of open source maintainers with commit privileges for a single component. Up to 70% of code that makes up the modern application is open source—and wrangling thousands of different suppliers can seem like an insurmountable task. With the Tidelift Subscription, you can easily generate a report that satisfies the new mandatory federal requirements.

On average it takes 3 days for a disclosed open source vulnerability to be exploited. If malicious code is injected into an open source package within your application, a breach could occur at deployment, giving developers zero time to react. This malicious code serves as a backdoor into your organization.  

Preventing malicious code injection starts at the source

Tidelift partners with your organization and the developers behind open source projects to proactively protect your open source supply chain upstream. This means the open source that runs 70% of your applications is protected and maintained at the source. 

Increasing government requirements 

The call for more secure software supply chains doesn’t end with executive order 14028. At the top of 2022, the U.S. Federal Trade Commission (FTC) issued a warning in response to the Log4Shell vulnerability incident, emphasizing the need for organizations to prepare for future, similar vulnerabilities to help prevent both compromised consumer data and the resulting fines for failing to do so (in this report the FTC refers back to the Equifax data breach, where Equifax was fined $700 million dollars). 

In September of 2022, the U.S. National Security Agency (NSA) partnered with the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence to release a report entitled Securing the Software Supply Chain for Developers. This report made it clear that software tools alone are not enough to ensure open source supply chain security—organizations must dedicate time and resources to establishing open source management best practices within their organization, all while maintaining an active partnership with suppliers to validate secure development practices.

Furthermore, in the same month as the announcement of the NSA report, the U.S. government’s Office of Management and Budget (part of the Executive Office of the President) released memorandum M-22-18 on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. A follow up to executive order 14028, “this memorandum requires agencies to comply with the NIST Guidance and any subsequent updates.”