
Office of Acquisition and Logistics (OAL)

 

Notice regarding Executive Order 14028, Improving the Nation's Cybersecurity

Summary

This notification is being provided to alert software contractors (including producers and resellers) to read and understand Executive Order (EO) 14028, Improving the Nation's Cybersecurity (issued May 12, 2021), which requires agencies to enhance cybersecurity and software supply chain integrity. Further, as defined in the Software Security Guidance Under Executive Order (EO) 14028 Section 4e, these requirements apply to all software acquired and/or used by VA, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. On September 14, 2022, the Office of Management and Budget (OMB) released Memorandum M-22-18 to instruct Federal agencies to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information. This includes new software purchases, software renewals and major version changes for software developed or modified after the issuance date of M-22-18.

What to expect

The FAR Council has opened a proposed rule, FAR Case 2023-002, to implement section 4(n) of EO 14028. This rule will also focus on the requirements outlined in OMB M-22-18. VA intends to implement collection of the attestation letters in accordance with the OMB memorandum and once the rule is finalized; relevant VA acquisition policy may be updated to further implement the FAR rule. At this time, vendors are not required to provide evidence of documentation to VA until notification is provided to vendors.

Important Links
  • OMB Memorandum M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
  • Federal Register - EO 14028 Improving the Nation's Cybersecurity
  • OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
  • National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
  • OMB Memorandum M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements
  • OMB Memorandum M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response
  • OMB Memorandum M-21-31 Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents
  • OMB Memorandum M-21-30 Protecting Critical Software Through Enhanced Security Measures