Impact of Executive Order (EO) 14028: Improving the Nation’s Cybersecurity

What events led up to the issuance of Executive Order 14028? What does this Executive Order aim to accomplish? In this article, we cover the implications of EO 14028.

Written by Senior Manager Bill Wright

What Events Led Up to the Issuance of EO 14028?

Cyber criminals and terrorists are becoming more sophisticated and organized and constitute a greater threat than ever before.  The SolarWinds compromise, Microsoft (MS) Exchange Server vulnerabilities, and the Pulse Connect Secure vulnerability have caused the Cybersecurity and Infrastructure Security Agency (CISA) to issue three Emergency Directives in 2021, the same as the total for all of 2020.  While the Colonial Pipeline ransomware attack did not directly impact Federal information systems, it did affect critical infrastructure, thereby posing a threat to our nation’s security.  Many of the more serious attacks, including SolarWinds, have been officially attributed to nation-state threat actors.  While the annual evaluation of Executive Branch agency information security programs shows gradual improvement over the past few years, gradual improvements are not enough.  Many agencies still lack the resources to secure their systems sufficiently to meet the growing threat.

What is the EO Trying to Accomplish?

President Biden’s EO on Improving the Nation’s Cybersecurity, released on May 12, is both timely and needed. The EO includes mandates in seven separate areas and explicitly tasks no fewer than 16 Federal agencies and organizations with specific actions, most with deadlines attached. Several provisions in the EO require action by all Executive Branch agencies to improve their cybersecurity posture. Taking a lesson from the Global War on Terror, the EO stresses the importance of sharing threat and security incident information, particularly between the service providers who support Federal information systems and the Executive Branch investigative agencies. With regard to technical solutions, the EO directs agencies to accelerate movement to secure cloud services and move toward Zero Trust Architecture. As demonstrated by the SolarWinds compromise, the security of the software supply chain used by both the Government and private entities is currently insufficient to meet sophisticated threats.

The EO states that the Federal Government will seek input from the private sector and academic resources, in addition to government cybersecurity experts, to find solutions.  Following the model of the National Transportation Safety Board, which, along with its predecessor organizations, has investigated major transportation incidents to determine causes and improve safety, the EO establishes a Cyber Safety Review Board to investigate cyber incidents.  This Board will include membership from both Federal agencies and the private sector.

As Federal workers return to offices as the pandemic restrictions begin to ease, they face a backlog of work.  Most agencies lack the resources to take on major new cybersecurity efforts, such as those set forth in the EO.  In the budget proposal just released, the Biden administration has proposed significant funding increases to support Federal information technology (IT) modernization and cybersecurity initiatives.

With Kearney & Company, P.C.’s (Kearney) extensive experience in assessing the security of Federal information systems over the last decade, we understand what is needed to close the cybersecurity gap.  We stand ready to help Federal agencies meet the EO mandates.

This publication is for informational purposes only and does not constitute professional advice or services.  Readers should first consult with a professional before acting with regard to the subjects mentioned herein.  

Kearney & Company is a CPA firm that is focused on providing accounting and consulting services to the Federal Government. For more information about Kearney & Company, please visit us at www.kearneyco.com or contact Mr. Phil Moore, Partner, at (703) 931-5600 or via e-mail at phil.moore@kearneyco.com