Executive Order 14028: What Progress Has Been Made and What’s Next?
- Harshil Shah
- Sep 17, 2025
- 3 min read

Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” signed in May 2021, is one of the most influential federal policies shaping governance, risk, and compliance (GRC) strategies today. More than four years later, the order continues to drive structural reforms across agencies and contractors, from Zero Trust adoption to software supply chain accountability. For leaders focused on governance and compliance, the EO has become both a roadmap and a mandate for stronger risk management frameworks.
Progress in Governance, Risk, and Compliance
Zero Trust Roadmaps: Nearly all agencies now maintain Zero Trust plans aligned with CISA’s maturity model. While adoption levels differ, governance structures have been formalized, making oversight and accountability more consistent.
Software Supply Chain Requirements: Section 4 of the EO put Software Bills of Materials (SBOMs) on the federal agenda, and the NTIA’s minimum elements for an SBOM (supplier, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp) now define what vendors are expected to deliver. Procurement contracts increasingly require SBOM evidence, embedding compliance deeper into acquisition processes.
Standardized Incident Playbooks: CISA’s vulnerability and incident response playbooks are now mandatory references for agencies, aligning operational response with governance mandates.
Audit and Oversight: OMB, GAO, and agency inspectors general are embedding EO 14028 metrics into audit cycles, creating a compliance-driven feedback loop for continuous improvement.
Challenges Still Impacting Compliance
Despite meaningful progress, gaps remain in risk governance:
Legacy Systems: Outdated platforms complicate compliance with Zero Trust and supply chain mandates.
SBOM Maturity: Many vendors provide incomplete or inconsistent SBOM data, for example components without versions or unique identifiers, missing dependency relationships, or references that point at components the SBOM never lists. Federal buyers cannot act on such data during vulnerability response, which leaves risk exposure unmeasured.
Workforce Shortages: Compliance professionals and cyber auditors remain in short supply, slowing oversight.
Metrics vs. Outcomes: Agencies often track compliance activity (e.g., policy documents filed) rather than mission or risk outcomes (e.g., downtime reduced).
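The SBOM gaps described above are something a procurement or security reviewer can check mechanically before accepting a deliverable. The following Python script is an added example, not code from the original post or from any agency tool: it maps the NTIA minimum elements to the corresponding CycloneDX JSON fields and reports every gap it finds. The sample SBOM embedded in the script is constructed for illustration (the component names, suppliers and purls are invented), and the field mapping is the author’s own reading of CycloneDX, not an official crosswalk.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

The NTIA minimum elements (published July 2021 under EO 14028 section 4(f))
are: supplier name, component name, version, other unique identifiers,
dependency relationship, author of SBOM data, and timestamp.  Each is mapped
here to a CycloneDX field; the sample SBOM below is constructed for this
example and is not a real vendor deliverable.
"""
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    element: str   # NTIA minimum element the gap maps to
    location: str  # component bom-ref/name, or "metadata" / "dependencies"
    detail: str


def check_sbom(doc: dict) -> list[Finding]:
    """Return one Finding per gap against the NTIA minimum elements."""
    findings: list[Finding] = []
    meta = doc.get("metadata") or {}

    # Timestamp and author of the SBOM data live in metadata.
    if not meta.get("timestamp"):
        findings.append(Finding("timestamp", "metadata", "metadata.timestamp is missing"))
    if not (meta.get("authors") or meta.get("tools")):
        findings.append(Finding("author", "metadata",
                                "neither metadata.authors nor metadata.tools says who produced the SBOM"))

    components = doc.get("components") or []
    if not components:
        findings.append(Finding("component_name", "components", "no components listed"))

    # Every bom-ref that appears anywhere in the dependency graph, so that
    # orphaned components and dangling references can be detected.
    deps = doc.get("dependencies") or []
    in_graph: set[str] = set()
    for d in deps:
        if d.get("ref"):
            in_graph.add(d["ref"])
        in_graph.update(d.get("dependsOn") or [])

    known_refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    root = meta.get("component") or {}
    if root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    for i, c in enumerate(components):
        loc = c.get("bom-ref") or c.get("name") or f"components[{i}]"
        if not c.get("name"):
            findings.append(Finding("component_name", loc, "component has no name"))
        if not c.get("version"):
            findings.append(Finding("version", loc, "component has no version"))
        if not (c.get("supplier") or {}).get("name"):
            findings.append(Finding("supplier", loc, "supplier.name is missing"))
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(Finding("unique_id", loc, "no purl, cpe or swid identifier"))
        if c.get("bom-ref") and c["bom-ref"] not in in_graph:
            findings.append(Finding("dependency", loc, "component is not connected to the dependency graph"))

    if not deps:
        findings.append(Finding("dependency", "dependencies", "no dependency relationships declared"))
    for d in deps:
        for target in d.get("dependsOn") or []:
            if target not in known_refs:
                findings.append(Finding("dependency", d.get("ref", "?"),
                                        f"dependsOn references unknown bom-ref {target}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count gaps per NTIA element, the figure a reviewer would put in a report."""
    return dict(Counter(f.element for f in findings))


# Constructed sample: one clean component, one missing version and supplier,
# one without an identifier that the dependency graph never mentions, plus a
# dependency on a bom-ref that the SBOM does not define.  No SBOM author.
SAMPLE_SBOM = json.loads(r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {
    "timestamp": "2025-09-01T12:00:00Z",
    "component": {"type": "application", "bom-ref": "app", "name": "vendor-portal", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/lib-a@1.4.2", "name": "lib-a", "version": "1.4.2",
     "supplier": {"name": "Example Vendor A"}, "purl": "pkg:npm/lib-a@1.4.2"},
    {"type": "library", "bom-ref": "pkg:npm/lib-b", "name": "lib-b", "purl": "pkg:npm/lib-b"},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "0.9.1",
     "supplier": {"name": "Example Vendor C"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/lib-a@1.4.2", "pkg:npm/lib-b"]},
    {"ref": "pkg:npm/lib-a@1.4.2", "dependsOn": ["pkg:npm/lib-zzz@0.1.0"]}
  ]
}
""")

if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM):
        print(f"[{f.element}] {f.location}: {f.detail}")
    print(summarize(check_sbom(SAMPLE_SBOM)))
```

Run against the sample, the script reports six gaps: the missing SBOM author, lib-b’s missing version and supplier, lib-c’s missing identifier and its absence from the dependency graph, and lib-a’s dependency on a bom-ref the SBOM never defines. The per-element counts are what a buyer can write into an acceptance decision instead of a yes/no “SBOM received”.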
Leadership Perspective
“Executive Order 14028 has been a catalyst for stronger governance, but compliance alone isn’t the end goal. Agencies must measure success by how well these frameworks reduce real risk and improve resilience.” — Harshil Shah, Founder
What’s Next in GRC for EO 14028?
Expanded SBOM Enforcement: Procurement officers will increasingly reject vendors without mature SBOM practices, making compliance a competitive differentiator.
Deeper Integration with Federal Risk Frameworks: Expect further harmonization of EO 14028 mandates with FISMA, FedRAMP, and RMF requirements.
Automation in Compliance: Agencies will deploy AI-driven monitoring tools to track control effectiveness and detect compliance gaps in real time.
Cross-Sector Collaboration: EO 14028’s principles will extend to critical infrastructure, requiring governance models that bridge public and private partners.
Outcome-Based Reporting: OMB and CISA will push for reporting that connects compliance activities to risk reduction and mission readiness.
How GRC Leaders Should Prepare
Embed Compliance in Procurement: Require SBOMs, security attestations, and risk management evidence as part of vendor contracts.
Modernize Governance Structures: Establish boards and committees that oversee Zero Trust, SBOM, and incident playbook adoption.
Align Budgets with Risk: Link compliance funding to mission impact metrics rather than static policy milestones.
Strengthen Audit Readiness: Build documentation pipelines that map directly to NIST and OMB requirements, reducing audit friction.
Looking Ahead
EO 14028 has reshaped federal cybersecurity governance by elevating compliance, risk management, and accountability. While progress is evident, true success will come from moving beyond policy mandates to measurable reductions in risk and measurable gains in resilience. Agencies and contractors that align governance with mission outcomes will not only meet the letter of EO 14028 but also earn the trust of stakeholders and the public.
For details, see the full text of Executive Order 14028 and follow compliance guidance from CISA.