What is Executive Order 14028?
Executive Order 14028 is a cybersecurity order issued by President Biden requiring agencies to improve and standardize the defenses of their digital systems. The EO spawned a number of policy changes to improve software supply chain security, mandate Zero Trust cybersecurity principles, and require phishing-resistant MFA. The recent frequency of widespread and invasive cyber attacks has prompted the government to take action. Learn more about how EO 14028 works, who it affects, and more below.
Executive Order 14028 Definition
President Joe Biden issued Executive Order 14028 on May 12th, 2021 following a series of devastating cyber attacks on the public and private sector. The executive order on cybersecurity requires civilian agencies in the federal government to make sweeping improvements to their existing digital protections and policies. It requires these agencies – and entities that work with the federal government – to review existing cybersecurity measures, identify where they fall short of what the executive order requires, and make any necessary upgrades on a prescribed timeline. Executive Order 14028 transforms federal cybersecurity as we know it and makes it formidable against today’s advanced, often state-sponsored cyber attacks. It will also, however, require immediate and ongoing action from many in the public and private sectors.
Executive Order 14028 FAQs
What Is Executive Order 14028?
Before focusing on the Biden cybersecurity executive order, it’s important to answer a broader question – what is an executive order? It’s a directive from a sitting president that directs the federal government to operate in a certain way. Every president since Washington has issued at least one executive order, and each one is numbered consecutively, meaning the cybersecurity executive order is the 14,028th order ever issued by a president. It’s important to mention that executive orders are different from legislation because they require no approval from Congress and can’t be overturned by Congress either. As such, the mandates included in Executive Order 14028 are unlikely to change or go away.
Those mandates all relate to how the federal government handles cybersecurity in terms of the defensive tools it uses, the techniques it applies, and the policies and protocols it enforces. Importantly, the executive order on cybersecurity addresses both information technology (IT) and operational technology (OT), meaning digital systems that control physical assets. As such, Executive Order 14028 applies to almost every technology in use across the federal government. That’s intentional; the overarching purpose of the White House cybersecurity executive order is not just to improve defenses but also to standardize them across agencies, offices, and technologies. The executive order on cybersecurity aims to put equal defenses in place across agencies so that no part of the federal government contains vulnerabilities and security gaps through which hackers could gain entry.
How Does Executive Order 14028 Work?
Something that distinguishes Executive Order 14028 from previous executive orders is the length of the document. Typically, executive orders are only a few pages long. President Biden’s cybersecurity executive order, by comparison, is 15 pages long and contains 74 actionable directives. This suggests that the federal government takes this issue very seriously, that it feels current defenses are seriously inadequate, and that it will take a significant amount of work to comply with the executive order.
A document of such length, variety, and complexity cannot be easily summarized. However, Executive Order 14028 has been arranged into sections based on what the mandates within each section strive to do. Outlining those sections gives a good indication of how the executive order works and what it aims to accomplish:
- Remove barriers to threat information sharing between the public and private sectors – Executive Order 14028 requires IT providers to share information about breaches or threats that could affect the federal government, even if those providers are contractually obligated to keep that information private.
- Modernize and implement stronger cybersecurity standards in the federal government – Executive Order 14028 mandates that all agencies move towards secure cloud services and zero trust architecture. It also mandates the use of phishing-resistant multi-factor authentication and encryption.
- Improve software supply chain security – Executive Order 14028 establishes baseline security standards for software sold to the federal government. There will also be a pilot program to create an “Energy Star” style of label that distinguishes secure software.
- Establish a cybersecurity safety review board – Executive Order 14028 creates a board of public and private sector leaders to convene in the wake of security incidents. The board will analyze the causes and consequences of those incidents, then recommend ways to prevent a repeat.
- Create a standard playbook for responding to cybersecurity incidents – Executive Order 14028 establishes a standard playbook for all agencies to follow when responding to an incident. It also establishes a dictionary of terms and definitions so that everyone uses identical language around cybersecurity.
- Improve detection of cybersecurity incidents on federal government networks – Executive Order 14028 implements a government-wide program of endpoint detection and response, along with measures to improve information sharing among federal agencies, with the aim of improving detection and expediting response government-wide.
- Improve investigative and remediation capabilities – Executive Order 14028 requires all federal agencies to keep an event log. These logs make it easier to detect and remediate incidents, and easier to assess the full extent of the damage afterwards.
Who Does Executive Order 14028 Affect?
Executive Order 14028 affects more enterprises, organizations, and individuals than might seem apparent. It applies to civilian agencies in the federal government, which totals around 400 agencies, and also to any company that sells software or IT services to the federal government. State and local governments are adopting the EO requirements following the federal government’s lead. Following the EO’s lead, we expect heavily regulated industries such as healthcare and financial services to update their requirements as well to meet the new security bar that the EO has set. Every organization should investigate whether and how it is affected by Executive Order 14028. For those responsible for securing federal agencies or securing software sold to those agencies, the need to comply is a foregone conclusion, and it’s time to put plans in place immediately.
Executive Order 14028 vs Two Factor Authentication
Compliance with the executive order requires federal agencies to adopt multi-factor authentication (MFA) within 180 days of the executive order being released (that deadline has already passed). Many agencies were already compliant because of the widespread use of PIV smart cards throughout the federal government. However, Executive Order 14028 requires agencies to utilize MFA across all devices and scenarios. Smart cards are commonly used by federal agencies to meet the requirement, but they do not cover all scenarios:
- Some employees and contractors are not eligible for smart cards.
- Smart cards do not work with mobile devices like phones and tablets.
- Cloud services struggle with smart card authentication without additional infrastructure.
- Smart card readers add cost and management overhead.
- Smart card badges may inadvertently reveal identities in sensitive scenarios.
For all these reasons, compliance with Executive Order 14028 may require a supplement to existing smart cards. In January 2022, FIPS 201-3 expanded the definition of what can be used as a derived PIV credential to include authenticators that meet an Authenticator Assurance Level (AAL) of 2 or 3. This allows more MFA options to be used where smart cards might not be practical. That said, some forms of MFA will not be compliant. The executive order on cybersecurity specifically calls for MFA. The follow-on OMB M-22-09 memorandum requires phishing-resistant MFA. Executive Order 14028 required OMB to further develop actionable zero trust policies, and a key component of that work was to ensure the authentication process was well protected. Therefore, authentication that relies on sending codes or notifications to a phone or email account will not be compliant. OMB M-22-09 calls out smart cards and WebAuthn authentication mechanisms as phishing-resistant. Agencies will need to investigate whether the exclusive use of smart cards complies with the executive order (now and in the future) and what alternatives can fill the gap while also complying.
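To make the distinction between code-based MFA and phishing-resistant MFA concrete, here is an added example, not code from Yubico, OMB M-22-09, or the executive order. It shows the relying-party checks that give a WebAuthn assertion its origin binding: the browser-supplied `origin` in clientDataJSON and the authenticator's `rpIdHash` must both match the genuine site, so an assertion produced on a lookalike domain is rejected. The relying party ID `agency.example.gov`, the allowed origin, and the clientDataJSON and authenticatorData values are all constructed for this example and stand in for what a real browser and authenticator return; signature verification is noted but omitted. The one-time-code check beside it has no notion of where the user typed the code, which is why that class of MFA is not phishing-resistant.

```python
import base64
import hashlib
import json
from typing import Tuple

# Hypothetical relying-party configuration (constructed for this example).
RP_ID = "agency.example.gov"
ALLOWED_ORIGINS = {"https://agency.example.gov"}


def make_client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> bytes:
    """Construct a clientDataJSON payload as a browser would produce it.
    The browser, not the user, fills in the origin, which is what a phishing page cannot forge."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Construct the first 37 bytes of authenticatorData: rpIdHash || flags || signCount.
    Simulates an authenticator; real data comes from the device (flags 0x05 = UP + UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party checks that make a WebAuthn assertion phishing-resistant.
    The signature over authenticatorData || SHA-256(clientDataJSON) is verified separately
    with the registered public key and is omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge ties the assertion to this login attempt (replay protection).
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # Origin binding: the browser records where the ceremony ran; a lookalike site fails here.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # rpIdHash binding: the authenticator scoped the credential to the RP ID at registration.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def check_otp(submitted_code: str, expected_code: str) -> bool:
    """A one-time-code check. Nothing here knows where the user typed the code,
    so a code relayed through a lookalike site verifies exactly like a genuine one."""
    return submitted_code == expected_code


def demo() -> dict:
    """Run the genuine-site and lookalike-site cases side by side."""
    challenge = base64.urlsafe_b64encode(b"constructed-challenge").rstrip(b"=").decode()
    genuine_auth = make_authenticator_data(RP_ID)
    return {
        "webauthn_genuine": check_assertion_binding(
            make_client_data("https://agency.example.gov", challenge), genuine_auth, challenge),
        "webauthn_lookalike": check_assertion_binding(
            make_client_data("https://agency-example.gov.test", challenge), genuine_auth, challenge),
        "otp_genuine": check_otp("482913", "482913"),
        "otp_relayed_from_lookalike": check_otp("482913", "482913"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The two OTP lines return the same answer because the verifier has no origin to compare; the two WebAuthn lines differ only in the `origin` the browser recorded, and that alone is enough for the relying party to refuse the lookalike assertion.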
Executive Order 14028 vs Zero Trust Architecture
President Biden’s cybersecurity executive order has led to a flurry of other cybersecurity directives coming from agencies like the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). One of those directives, OMB M-22-09, issued by the OMB in early 2022, mandates that federal agencies adopt a zero trust architecture by the end of fiscal year 2024. That memorandum identifies five pillars of a zero trust strategy, the first of which (identity) mandates the use of phishing-resistant MFA to identify and authenticate users requesting access. As the document itself states, “Strong authentication is a necessary component of a zero trust architecture, and MFA will be a critical part of the Federal Government’s security baseline.” Implementing zero trust architecture will require more than just phishing-resistant MFA, of course. But as both Executive Order 14028 and this memorandum make clear, secure authentication will be a cornerstone of federal cybersecurity from here forward.
Does Yubico Support Executive Order 14028?
Yubico has been a cybersecurity partner to the federal government since 2015 when President Obama specifically recognized the importance of our work. Since then, we have been at the forefront of both innovation in authentication technology and improvements to federal cybersecurity across agencies, including those with the highest security priorities and most challenging security requirements.
That partnership continues and strengthens following the cybersecurity executive order. Our latest security key, the YubiKey 5, is the first PIV device to also comply with FIDO2 specifications. The Cybersecurity and Infrastructure Security Agency (CISA) has called FIDO2 the “gold standard” for MFA, and NIST has sanctioned it as an approved specification for personal identity verification (PIV). The YubiKey 5 FIPS Series enables government agencies and regulated industries to meet the highest authenticator assurance level 3 (AAL3) requirements. More than just supporting Executive Order 14028, the YubiKey takes authentication to new levels of security, accessibility, and scalability.
Find out more about how Yubico supports the Executive Order 14028 MFA requirement here.