What is Executive Order 14028?
In May of 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), an EO that took specific and significant aim at federal IT systems as well as the private-sector technology and software providers that support them.
If you’re a private company and software provider, upon review of the EO, your primary focus was likely on Section 4 and its content regarding software supply chain security. You likely made certain moves to improve yours, even as the threat landscape has continued to change and different solutions to help have emerged.
Fast forward to now, in 2023, where some of these “solutions” include standards that have now been developed—soon, companies will be required to attest to their compliance in accordance with the new CISA self-attestation form.
As you prepare to accommodate these new requirements, we’ve done some work to help you do so. Companies attesting to software development security will need experienced experts like Schellman to review their practices and ensure that they meet the requirements of the NIST Secure Software Development Framework (SSDF).
To that end, our NIST-based Software Security Assessment service has the potential to be exactly what you need, and in this article, we’ll explain how.
EO 14028 and Your Software Security
First, let’s recap how we arrived at this point—it began with the issuing of Executive Order 14028 “Improving the Nation’s Cybersecurity” on May 12, 2021, which contained the following sections:
- Removing Barriers to Sharing Threat Information
- Modernizing Federal Cybersecurity
- Enhancing Software Supply Chain Security*
- Establishing a Cyber Safety Review Board
- Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Improving the Federal Government’s Investigative and Remediation Capabilities
- National Security Systems
* As we mentioned before, for software developers, the most applicable portion of the requirements is within Section 4: Enhancing Software Supply Chain Security.
The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.
– Executive Order 14028, Sec. 4, Enhancing Software Supply Chain Security
In tandem with the issuing of this EO, NIST was instructed to develop standards for software security and secure software development relevant to Section 4; these were subsequently published in February of 2022 as SP 800-218, the Secure Software Development Framework.
Per further instructions within the EO, NIST also published several other documents and guidance, including Security Measures for “EO-Critical Software” Use and the overarching NIST Security Software Framework.
Meanwhile, the order also required that the Cybersecurity and Infrastructure Security Agency (CISA) ensure software producers self-attest to the requirements. The form for doing so has since been published in draft, and companies will be expected to sign off on their software security beginning later this year (in 2023).
How to Comply with EO 14028 and Secure Your Software
At this time, the CISA attestation form is the means to assert compliance with the EO and SP 800-218, and it was also recently announced that CISA will be maintaining a repository of these attestations.
Knowing this, we recognized that, given the urgency of these new compliance requirements and the complexity of software security, our clients—and other organizations—might be seeking more specialized assistance in complying.
That’s why we decided to leverage our cybersecurity expertise and combine it with our customized methodology to yield what we now offer as our Software Security Assessment (S3A) Service. Using the reporting structure provided by CISA, Schellman, as one of the first authorized FedRAMP 3PAOs, can assess the controls and provide a complementary report alongside the attestation.
Schellman’s NIST Software Security Assessment
Specifically designed to address the intricacies of software security, our approach during an S3A starts with our testing of your implementation of the minimum attestation requirements as outlined in EO 14028 subsection (4)(e) along with the broader requirements of NIST 800-218.
We test against the specific requirements as set forth in the NIST SSDF. Areas of review include but are not limited to:
- Software development lifecycle (SDLC) processes
- Basic secure code development training capabilities for engineering personnel
- Secure code testing practices
- Source code security
- Separation of duties
- Security and authentication to source code
- Use of static and dynamic testing
- Review of advanced secure coding and testing capabilities for engineering personnel
- Review of Software Bills of Materials (SBOMs)
Once our evaluation is complete, we compile the results into a compliance report that is specifically tailored to supplement the requirements of the CISA Secure Software Development Attestation Form with a focus on the control alignment of your software practices with the NIST SSDF.
With this report in hand, you can be confident in signing that required self-attestation, with the added boon that yours was supported by a third-party review.
Other Considerations for Your Software Security
Since arriving in office, President Biden and his administration have taken an active approach to improving the nation’s cybersecurity, including an unveiling of an entirely new strategy. Executive Order 14028 represents another branch of this new emphasis, and compliance with the new standards surrounding the Order’s software security components will soon be required.
At Schellman, we believe that prioritizing software security and compliance is essential for protecting your organization and its customers. We’re committed to helping you navigate this new journey with confidence toward the achievement of your software security goals, and that’s why we created our new S3A service, which can help any organization more easily comply.
Now that you understand a little more about it, you can take more informed steps for your organization when moving forward toward compliance, but we understand if you have further questions. If you’re interested in learning more about our new service, we encourage you to reach out to us so we can address any concerns you may have and help you better determine if this is the right step for you.
About Douglas Barbin
As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.