May 31, 2024 By Jennifer Gregory 3 min read

Recently, the United States Government Accountability Office issued an update on the progress of Executive Order 14028, Improving the Nation’s Cybersecurity.

In 2021, the White House identified 55 leadership and oversight requirements that needed to be met to improve cybersecurity in federal IT systems, with all systems needing to meet or exceed the standard outlined. Executive Order (14028) on Improving the Nation’s Cybersecurity elaborated on the reasons for the requirement, stating that the “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”

Additionally, the executive order (EO) said that completing these was essential because the government should lead by example to encourage the private sector to also reduce the risk of cybersecurity breaches and attacks.

The EO designated the agencies responsible for implementing the requirements: the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

The key requirements of this order focused on cybersecurity solutions including:

  • Removing barriers to threat information
  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • Establishing a cyber safety review board
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
  • Improving the federal government’s investigative and remediation capabilities

Update on progress toward the requirements

The April 2024 update reported that the three responsible agencies completed 49 of the requirements. The requirement for standardizing the playbook for responding to cybersecurity vulnerabilities and incidents was determined to be not applicable. Additionally, the agencies have partially completed the remaining five requirements.

Of the key requirements, modernizing federal government cybersecurity is the only one completely fulfilled. The efforts in that area included implementing or beginning implementation of zero trust architecture for federal agencies, securing cloud services and centralizing access to cybersecurity data.

Other initiatives included addressing unclassified data, making progress on implementing multifactor authentication and encryption and developing a cloud security technical reference architecture documentation.

Outstanding requirements remain

While the update commended the agencies on their efforts toward improving federal cybersecurity, the conclusion stressed the importance of completing the remaining requirements.

The five remaining requirements are:

1. Incorporate into the annual budget process a cost analysis of the steps to be taken in this section.

While the OMB partially incorporated a cost analysis into the annual budget process, they did not provide evidence for details on the implementation of all leadership and oversight requirements in the order.

2. Identify and make available to agencies a list of categories of software and software products in use or the acquisition process meeting the definition of “critical software.”

CISA and OMB assisted NIST with the criteria and guidelines for required federal government software security measures. CISA, OMB and NIST also created a definition of critical software and a preliminary list of common categories of software that are consistent with that definition. However, CISA did not issue the list of common categories of software by the September 2023 deadline.

3. Review the recommendations provided to the president for improving the board’s operations and take steps to implement them as appropriate.

CISA has not provided evidence of the steps taken to improve operations through recommendations for improving future operations. The update states that this step is key to allowing the board to effectively conduct its future incident reviews.

4. Ensure that agencies have adequate resources to comply with the requirements for adopting EDR approaches.

Although OMB reported that they had incorporated endpoint detection and response (EDR) within their guidance to agencies for budget submissions and included EDR in the list of FISMA metrics in fiscal year 2023, the agency was not able to provide proof of this documentation. The update shares the concern that without the proof, it’s possible that agencies will not receive sufficient funding for EDR initiatives.

5. Work with agency heads to ensure that agencies have adequate resources to comply with requirements for logging, log retention and log management.

OMB gave guidance to agencies regarding logging, such as log retention and log management. However, OMB did not demonstrate that the agencies had enough resources to implement logging, log retention or log management.

The update made specific executive action recommendations for the five remaining requirements to be completed by December 31, 2024.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today