Office of Acquisition and Logistics (OAL)
Notice regarding Executive Order 14028, Improving the Nation's Cybersecurity
This notification is being provided to alert software contractors (including producers and resellers) that they should read and understand Executive Order (EO) 14028, Improving the Nation's Cybersecurity (issued May 12, 2021), which requires agencies to enhance cybersecurity and software supply chain integrity. Further, as defined in the Software Security Guidance Under Executive Order (EO) 14028 Section 4e, these requirements apply to all software acquired and/or used by VA, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software, as well as products containing software). On September 14, 2022, the Office of Management and Budget (OMB) released Memorandum M-22-18 to instruct Federal agencies to comply with the NIST Guidance when using third-party software on the agency's information systems or otherwise affecting the agency's information. This includes new software purchases, software renewals, and major version changes for software developed or modified after the issuance date of M-22-18.
The FAR Council has opened a proposed rule, FAR Case 2023-002, to implement section 4(n) of EO 14028. This rule will also address the requirements outlined in OMB M-22-18. VA intends to implement collection of the attestation letters in accordance with the OMB memorandum; once the rule is finalized, relevant VA acquisition policy may be updated to further implement the FAR rule. At this time, evidence of documentation is not required to be provided to VA until such time as notification is provided to vendors.
- OMB Memorandum M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
- Federal Register - EO 14028 Improving the Nation's Cybersecurity
- OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
- National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
- OMB Memorandum M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements
- OMB Memorandum M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response
- OMB Memorandum M-21-31 Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents
- OMB Memorandum M-21-30 Protecting Critical Software Through Enhanced Security Measures