Executive Order 14028 (EO14028)

Addressing Software Vulnerabilities and Dependencies

Software vulnerabilities pose a major threat to national security, especially when embedded in critical infrastructure systems. EO14028 urges federal agencies to actively manage and secure their software, highlighting the importance of transparency in software dependencies for quick identification and remediation of vulnerabilities.

The Critical Role of SBOMs

Software Bill of Materials (SBOMs) play a crucial role by providing a detailed inventory of software components and their dependencies. Recognized as an essential tool in EO14028, SBOMs enhance vulnerability management, license compliance, and risk assessment.

Minimum Elements of SBOMs

EO14028 has prompted the establishment of guidelines defining the minimum required elements in an SBOM, ensuring industry-wide consistency and facilitating the interpretation and utilization of SBOM data by various tools and systems.

The minimum elements include:

• Supplier Name: Entity that created the component.
• Component Name: Name of the software component.
• Version of the Component: Specific version of the component.
• Component Hash: Cryptographic hash of the component.
• Dependency Relationship: Details on component relationships and dependencies.
• Licenses: Associated component licenses.

Links to Guidance and Additional Information

• Executive Order on Improving the Nation's Cybersecurity | The White House
• The Minimum Elements For a Software Bill of Materials (SBOM)
• Definition of Critical Software Under Executive Order (EO) 14028
• NIST - Secure Software Development Framework (SSDF) Version 1.1

Enhancing Software Supply Chain Security with SBOM Observer

SBOM Observer is a vital tool in reinforcing software supply chain security, as highlighted in EO14028. It aids organizations in creating, managing, and validating SBOMs, ensuring they meet the required standards and guidelines.

• Policy Enforcement: SBOM Observer ensures that SBOMs comply with the minimum elements required by EO14028, providing organizations with the assurance that their software inventory meets federal standards.
• Dependency Transparency: The tool offers unparalleled visibility into software dependencies, helping organizations identify and mitigate vulnerabilities in their software supply chain.
• Continuous Monitoring: SBOM Observer provides continuous monitoring of SBOMs, ensuring they remain up-to-date and reflective of the current software environment.
• Collaborative Workflows: The tool fosters collaboration among various stakeholders, enhancing the overall security posture and response to potential threats.

EO14028 marks a significant stride in enhancing U.S. national cybersecurity, with a particular focus on fortifying the software supply chain. The order establishes a foundational framework for a more secure digital infrastructure, bolstered by the implementation of SBOMs and a transparent view of software dependencies. This proactive approach is a giant leap towards a resilient digital ecosystem, ensuring the protection of national security and the integrity of vital infrastructure.