866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What is Executive Order 14028? Blog Feature
Douglas Barbin

By: Douglas Barbin

Print/Save as PDF

What is Executive Order 14028?

Federal Assessments

In May of 2021, President Biden issued Executive Order on Improving the Nation’s Cybersecurity (E0 14028), an EO that took specific and significant aim at federal IT systems as well as the private sector technology and software providers that support it.

If you’re a private company and software provider, upon review of the EO, your primary focus was likely on section 4 and the content regarding software supply chain security. You likely made certain moves to try and improve yours even as the threat landscape has continued to change and different solutions to help have emerged.

Fast forward to now, in 2023, where some of these “solutions” include standards that have now been developed—soon, companies will be required to attest to their compliance in accordance with the new CISA self-attestation form.

As you prepare to accommodate these new requirements, we’ve done some work to help you do so. Companies attesting to software development security will need experienced experts like Schellman to review your practices and ensure that you meet the requirements of the NIST Secure Software Development Framework (SSDF).

In that, our NIST-based Software Security Assessment service has the potential to be exactly what you need, and in this article, we’ll explain how.

EO 14028 and Your Software Security

First, let’s recap how we arrived at this point—it began with the issuing of Executive Order 14028 “Improving the Nation’s Cybersecurity” on May 12, 2021, which contained the following sections:

  1. Policy
  2. Removing Barriers to Sharing Threat Information
  3. Modernizing Federal Cybersecurity
  4. Enhancing Software Supply Chain Security*
  5. Establishing a Cyber Safety Review Board
  6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  8. Improving the Federal Government’s Investigative and Remediation Capabilities
  9. National Security Systems
  10. Definitions

* As we mentioned before, for software developers, the most applicable portion of the requirements are within section 4: Enhancing Software Supply Chain Security.

The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.

Sec. 4. Enhancing Software Supply Chain Security of Executive Order 14028

In tandem with the issuing of this EO, NIST was instructed to develop standards for software security and secure software development as relevant to Section 4—these were subsequently published in February of 2022 as SP 800-218 Secure Software Development Framework.

Per further instructions within the EO, NIST also published several other documents and guidance, including Security Measures for “EO-Critical Software” Use and the overarching NIST Security Software Framework.

Meanwhile, the order also required that the Cybersecurity Infrastructure and Security Agency (CISA) ensure software producers self-attest to the requirements. That form to do so has since been published in draft, and companies will be expected to sign off on their software security beginning later this year (in 2023).

How to Comply with EO 14028 and Secure Your Software

At this time, the CISA attestation form is the means to assert compliance with the EO and SP 800-218, and it was also recently announced that CISA will be maintaining a repository of these attestations.

Knowing this, we recognized that, given the urgency of these new compliance requirements and the complexity of software security, our clients—and other organizations—might be seeking more specialized assistance in complying.

That’s why we decided to leverage our cybersecurity expertise and combine it with our customized methodology to yield what we now offer what we call our Software Security Assessment (S3A) Service. Using the reporting structure provided by CISA, Schellman—as one of the first authorized FedRAMP 3PAOs—can assess the controls and provide a complementary report alongside the attestation.

 

Schellman’s NIST Software Security Assessment

 

Specifically designed to address the intricacies of software security, our approach during an S3A starts with our testing of your implementation of the minimum attestation requirements as outlined in EO 14028 subsection (4)(e) along with the broader requirements of NIST 800-218.

We test against the specific requirements as set forth in the NIST SSDF. Areas of review include but are not limited to:

  • Software development lifecycle (SDLC) processes
  • Basic secure code development training capabilities for engineering personnel
  • Secure code testing practices
  • Source code security
  • Separation of duties
  • Security and authentication to source code
  • Use of static and dynamic testing
  • Review of advanced secure coding and testing capabilities for engineering personnel
  • Review of Software Bills of Material (SBOM)

Once our evaluation is complete, we compile the results into a compliance report that is specifically tailored to supplement the requirements of the CISA Secure Software Development Attestation Form with a focus on the control alignment of your software practices with the NIST SSDF.

With this report in hand, you can be confident in signing that required self-attestation with the added boon that yours was supported by a third-party review.

Other Considerations for Your Software Security

Since arriving in office, President Biden and his administration have taken an active approach to improving the nation’s cybersecurity, including an unveiling of an entirely new strategy. Executive Order 14028 represents another branch of this new emphasis, and compliance with the new standards surrounding the Order’s software security components will soon be required.

At Schellman, we believe that prioritizing software security and compliance is essential for protecting your organization and its customers. We’re committed to helping you navigate this new journey with confidence to the achievement of your software security goals, and that’s why we created our new S3A service that can help any organization more easily comply.

Now that you understand a little more about it, you can take more informed steps for your organization when moving forward toward compliance, but we understand if you have further questions. If you’re interested in learning more about our new service, we encourage you to reach out to us so we can address any concerns you may have and help you better determine if this is the right step for you.

About Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses and in addition to most of the major industry certifications including several he helped create.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.