Impact of Executive Order 14028 on Developing Secure Architectures Across Multi-Cloud Infrastructures

  • Executive Order (EO) 14028 charges federal agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

  • Even as the EO outlines a set of best practices -- which especially targets cloud cybersecurity issues -- the private sector is still in a position to influence the direction that the inevitable mandates are likely to take, according to Rick McElroy of VMware.

  • The EO directs federal agencies to solicit input from the private sector, academia, government agencies, and others in order to identify existing practices and to develop new standards, tools, best practices, and other guidelines that enhance software supply chain security: evaluating software security and development practices, and exploring innovative tools or methods for demonstrating conformance with secure practices.

The President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028),” issued on May 12, 2021, charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. Beyond federal agencies, the order will immediately affect the security operations of private sector entities that do business with the government and establish new conventions for the rest of the private and public sectors (including state and local government agencies).

According to analysts at IDC, the executive order opens a window into new requirements and expectations that will likely have to be met by enterprise technologists tasked with the prevention, detection, assessment, and remediation of cyber incidents. There is increasing recognition that detection and response at speed will be critical to reducing the potential damage inflicted by bad actors in cyberspace.

According to Rick McElroy, principal cybersecurity strategist at VMware, in a podcast interview with BizTechReports, the good news is that the industry is still in the early stages of the game when it comes to responding to the EO.

“Even as the EO outlines a set of best practices -- which especially targets cloud cybersecurity issues -- the private sector is still in a position to influence the direction that the inevitable mandates are likely to take,” he says.

The EO directs federal agencies to solicit input from the private sector, academia, government agencies, and others in order to identify existing practices and to develop new standards, tools, best practices, and other guidelines that enhance software supply chain security: evaluating software security and development practices, and exploring innovative tools or methods for demonstrating conformance with secure practices.

Game-Changing Guidance

“The EO is probably the single largest executive order for cybersecurity in the last 25 years. It will have a large impact on federal entities, as well as any supplier of technology or services to the federal government,” says McElroy.

One of the most essential features of the EO, he explains, is that it turbocharges communication and information-sharing requirements in the event of breaches. It offers the potential of moving toward a true real-time threat intelligence model.

“It also moves the community toward comprehensive adoption of zero-trust principles -- which I think is huge -- while mandating things like multi-factor authentication, enhanced cloud-based security as well as endpoint detection and response.”

On the software security front, the EO is pushing security professionals to take a much closer look at the inner workings of the software that underpins critical operations.

“It stresses the importance of software developers providing a clear ‘bill of materials’ -- or SBOMs.” This, McElroy says, is like a nutrition label that provides clear visibility into the executable code that is included in applications, so that a more granular approach to software security can be taken.

The EO also provides a significant shot in the arm to the DevSecOps community. Executive Order 14028 explicitly endorses adopting modern software development life cycle (SDLC) management that leverages efficient automation throughout the development process while building security capabilities into that same process.

“As organizations consume a greater variety of public-cloud services that are integrated into on-prem and edge-computing resources, the EO encourages DevSecOps processes for the deployment -- and subsequent care and feeding -- of application and infrastructure resources,” he concludes.

For more information or to schedule a podcast interview, please contact Melissa at MFisher@Biztechreports.com.