| Executive Order 14028 | |
|---|---|
| Title | Improving the Nation's Cybersecurity |
| Number | 14028 |
| Signed by | Joseph R. Biden |
| Date | May 12, 2021 |
| Topic | Cybersecurity |
| Preceded by | Executive Order 14027 |
| Related | Homeland Security Presidential Directives, Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology |
Executive Order 14028, "Improving the Nation's Cybersecurity", is a presidential directive signed by Joseph R. Biden on May 12, 2021, following a series of high-profile intrusions into government and critical-infrastructure networks. It directed coordinated action by the Department of Homeland Security, the Department of Defense, the Office of Management and Budget, the National Security Council staff, and civilian agencies including the Department of Justice and the Department of Commerce. The Order set binding deadlines, most of them measured in days from signing, for modernizing federal cybersecurity, removing contractual barriers to sharing threat information with the government, and raising the security of the software that agencies buy.
The Order was issued in the wake of the SolarWinds supply chain compromise disclosed in December 2020 and attributed by the United States government to Russia's Foreign Intelligence Service, the mass exploitation of Microsoft Exchange Server in early 2021, and the Colonial Pipeline ransomware attack of May 2021. It builds on earlier instruments such as the Homeland Security Presidential Directives and Presidential Policy Directive 41 on cyber incident coordination, and on statutory frameworks such as the Federal Information Security Modernization Act of 2014. The White House action followed sustained congressional attention from committees such as the United States Senate Committee on Homeland Security and Governmental Affairs and the United States House Committee on Homeland Security.
The Order's objectives include raising the security baseline of federal civilian executive branch agencies, accelerating adoption of Zero Trust Architecture and secure cloud services, and securing the supply chain for software used by the government. It tasks the National Institute of Standards and Technology with publishing secure software development guidance and a definition of "critical software", the Department of Commerce with publishing the minimum elements of a software bill of materials, and the Cybersecurity and Infrastructure Security Agency with a standardized federal playbook for responding to vulnerabilities and incidents; the Office of Management and Budget is directed to update agency requirements and to carry procurement changes through the Federal Acquisition Regulation. The Order also established the Cyber Safety Review Board to review significant cyber incidents, and it requires information technology and operational technology service providers that contract with the government to collect and preserve relevant data, share threat and incident information, and report cyber incidents.
Implementation required interagency coordination by the National Security Council staff, with most operational work falling to CISA and NIST. The Attorney General and the Federal Bureau of Investigation were consulted on the information-sharing and incident-reporting provisions, and the FBI and the National Cyber Investigative Joint Task Force retained their investigative roles. The Office of Management and Budget issued guidance to agency heads on the required technical and funding changes, and the Federal Acquisition Regulatory Council, on which the General Services Administration sits, was tasked with amending contract clauses. NIST drew on input from the private sector and academia, which the Order directed it to solicit, through public workshops and submitted position papers.
The Order required agencies to adopt multifactor authentication and encryption of data at rest and in transit within 180 days, to deploy endpoint detection and response capabilities that give CISA visibility across federal civilian networks, and to standardize event logging and log retention so that intrusions can be detected and investigated faster, consistent with Zero Trust Architecture and the NIST Cybersecurity Framework. It directed NIST to publish guidance on secure software development, which became the Secure Software Development Framework (NIST SP 800-218), and to identify practices that vendors should be able to demonstrate, such as separate and monitored build environments, multifactor authentication for build systems, and automated checks for known vulnerabilities. CISA was directed to produce a standardized playbook for vulnerability and incident response so that agencies follow a common process rather than agency-specific procedures.
For federal contractors and vendors, the Order changed procurement expectations: software producers would have to attest to following secure development practices, provide a software bill of materials (SBOM) for their products, and maintain a vulnerability disclosure program, while providers of information technology and operational technology services would face contract clauses requiring incident reporting. The Order also directed pilot consumer labeling programs for Internet of Things devices and for software security practices. Outside the federal government, CISA's collaboration mechanisms with industry expanded, and state and local governments drew on the federal guidance when updating their own cybersecurity controls.
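The SBOM "minimum elements" that the Order directed the Department of Commerce to publish (issued by NTIA in July 2021) are the supplier name, component name, component version, other unique identifiers, dependency relationship, author of the SBOM data, and a timestamp. The following checker is an added example, not part of the original article or of any agency guidance: it reads a CycloneDX JSON SBOM and reports which of those seven elements are missing. The sample document, its component names, and the `mystery-lib` entry that is deliberately incomplete are constructed for illustration.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements (added example)."""
from __future__ import annotations

import json
from datetime import datetime

# Constructed sample (not a real product): a small CycloneDX 1.4 JSON SBOM.
# "mystery-lib" deliberately lacks a version, supplier and identifier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2021-09-01T12:00:00Z",
        "authors": [{"name": "Example Vendor build pipeline"}],
        "component": {
            "type": "application", "name": "example-app", "version": "2.3.1",
            "bom-ref": "pkg:generic/example-app@2.3.1",
            "purl": "pkg:generic/example-app@2.3.1",
            "supplier": {"name": "Example Vendor"},
        },
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "supplier": {"name": "left-pad maintainers"}},
        {"type": "library", "name": "mystery-lib", "bom-ref": "mystery-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.3.1",
         "dependsOn": ["pkg:npm/left-pad@1.3.0", "mystery-lib"]},
    ],
})


def _component_findings(comp: dict, label: str) -> list[str]:
    """Per-component minimum elements: supplier name, component name, version, unique identifier."""
    out = []
    if not comp.get("name"):
        out.append(f"{label}: missing component name")
    if not comp.get("version"):
        out.append(f"{label}: missing version")
    if not (comp.get("supplier") or {}).get("name"):
        out.append(f"{label}: missing supplier name")
    # CycloneDX carries identifiers as a package URL, a CPE, or a SWID tag.
    if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
        out.append(f"{label}: no unique identifier (purl/cpe/swid)")
    return out


def check_minimum_elements(sbom_json: str) -> list[str]:
    """Return findings against the NTIA minimum elements; an empty list means none were found."""
    bom = json.loads(sbom_json)
    findings: list[str] = []
    meta = bom.get("metadata", {})

    # Author of SBOM data: recorded in metadata.authors, or metadata.tools when machine-generated.
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: no SBOM author recorded")

    # Timestamp: must be present and parse as an ISO 8601 instant.
    ts = meta.get("timestamp")
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        findings.append("metadata: missing or unparseable timestamp")

    # The described product itself plus every listed component gets the per-component checks.
    components = [meta["component"]] if meta.get("component") else []
    components.extend(bom.get("components", []))
    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        findings.extend(_component_findings(comp, label))

    # Dependency relationship: every component must appear in the graph, and every
    # edge must point at a component the SBOM actually describes.
    known = {c["bom-ref"] for c in components if c.get("bom-ref")}
    seen = set()
    for dep in bom.get("dependencies", []):
        seen.add(dep.get("ref"))
        for target in dep.get("dependsOn", []):
            seen.add(target)
            if target not in known:
                findings.append(f"dependencies: {dep.get('ref')} depends on undescribed ref {target}")
    for ref in sorted(known - seen):
        findings.append(f"{ref}: not present in the dependency graph")
    return findings


if __name__ == "__main__":
    for line in check_minimum_elements(SAMPLE_SBOM) or ["all minimum elements present"]:
        print(line)
```

Run against the sample, the checker reports three findings, all for `mystery-lib`; a vendor-supplied SBOM with such gaps cannot be matched against vulnerability databases, which is the practical reason the minimum elements exist.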
Legally, the Order operated within the president's authority over the executive branch and federal procurement, alongside statutes such as the Federal Information Security Modernization Act of 2014 and oversight by the Congress of the United States. It raised questions about how its contract requirements would be carried through the Federal Acquisition Regulation rulemaking process and how expanded logging and telemetry on federal systems would be squared with privacy protections such as the Privacy Act of 1974. Policy analysts compared its mandates with European Union cybersecurity initiatives and discussed implications for transnational data flows and for export controls administered by Department of Commerce bureaus.
Reception among elected officials and industry groups such as the Chamber of Commerce and the Information Technology Industry Council was mixed: many praised the centralized standards and investment, while some raised concerns about implementation cost, the limits of executive authority, and interoperability with legacy systems at agencies such as the Social Security Administration and the Department of Veterans Affairs. Civil liberties and privacy advocates scrutinized the logging and telemetry requirements. Subsequent developments included the NTIA minimum elements for an SBOM (July 2021), OMB Memorandum M-21-31 on event logging (August 2021), OMB Memorandum M-22-09 setting the federal zero trust strategy (January 2022), NIST SP 800-218 (February 2022), the Cyber Safety Review Board's first review, of the Log4j vulnerability (July 2022), OMB Memorandum M-22-18 requiring self-attestation from software producers (September 2022), and continued congressional hearings and procurement rulemaking.
Category:United States executive orders