May 31, 2024 By Jennifer Gregory 3 min read

Recently, the United States Government Accountability Office issued an update on the progress of Executive Order 14028, Improving the Nation’s Cybersecurity.

In 2021, the White House identified 55 leadership and oversight requirements that needed to be met to improve cybersecurity in federal IT systems, with all systems needing to meet or exceed the standard outlined. Executive Order (14028) on Improving the Nation’s Cybersecurity elaborated on the reasons for the requirement, stating that the “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”

Additionally, the executive order (EO) said that completing these was essential because the government should lead by example to encourage the private sector to also reduce the risk of cybersecurity breaches and attacks.

The EO designated the agencies responsible for implementing the requirements: the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

The key requirements of this order focused on cybersecurity solutions including:

  • Removing barriers to threat information
  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • Establishing a cyber safety review board
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
  • Improving the federal government’s investigative and remediation capabilities

Update on progress toward the requirements

The April 2024 update reported that the three responsible agencies completed 49 of the requirements. The requirement for standardizing the playbook for responding to cybersecurity vulnerabilities and incidents was determined to be not applicable. Additionally, the agencies have partially completed the remaining five requirements.

Of the key requirements, modernizing federal government cybersecurity is the only one completely fulfilled. The efforts in that area included implementing or beginning implementation of zero trust architecture for federal agencies, securing cloud services and centralizing access to cybersecurity data.

Other initiatives included addressing unclassified data, making progress on implementing multifactor authentication and encryption and developing a cloud security technical reference architecture documentation.

Outstanding requirements remain

While the update commended the agencies on their efforts toward improving federal cybersecurity, the conclusion stressed the importance of completing the remaining requirements.

The five remaining requirements are:

1. Incorporate into the annual budget process a cost analysis of the steps to be taken in this section.

While the OMB partially incorporated a cost analysis into the annual budget process, they did not provide evidence for details on the implementation of all leadership and oversight requirements in the order.

2. Identify and make available to agencies a list of categories of software and software products in use or the acquisition process meeting the definition of “critical software.”

CISA and OMB assisted NIST with the criteria and guidelines for required federal government software security measures. CISA, OMB and NIST also created a definition of critical software and a preliminary list of common categories of software that are consistent with that definition. However, CISA did not issue the list of common categories of software by the September 2023 deadline.

3. Review the recommendations provided to the president for improving the board’s operations and take steps to implement them as appropriate.

CISA has not provided evidence of the steps taken to improve operations through recommendations for improving future operations. The update states that this step is key to allowing the board to effectively conduct its future incident reviews.

4. Ensure that agencies have adequate resources to comply with the requirements for adopting EDR approaches.

Although OMB reported that they had incorporated endpoint detection and response (EDR) within their guidance to agencies for budget submissions and included EDR in the list of FISMA metrics in fiscal year 2023, the agency was not able to provide proof of this documentation. The update shares the concern that without the proof, it’s possible that agencies will not receive sufficient funding for EDR initiatives.

5. Work with agency heads to ensure that agencies have adequate resources to comply with requirements for logging, log retention and log management.

OMB gave guidance to agencies regarding logging, such as log retention and log management. However, OMB did not demonstrate that the agencies had enough resources to implement logging, log retention or log management.

The update made specific executive action recommendations for the five remaining requirements to be completed by December 31, 2024.

More from News

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today