Notice regarding Executive Order 14028, Improving the Nation's Cybersecurity

This notification is being provided to alert software contractors (including producers and resellers) to read and understand Executive Order (EO) 14028, Improving the Nation's Cybersecurity (issued May 12, 2021) requiring agencies to enhance cybersecurity and software supply chain integrity. Further, as defined in the Software Security Guidance Under Executive Order (EO) 14028 Section 4e, these requirements apply to all software acquired and/or used by VA, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software, as well as products containing software). On September 14, 2022, Office of Management and Budget (OMB) released Memorandum M-22-18 to instruct Federal agencies to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information. This includes new software purchases, software renewals and major version changes for software developed or modified

after the issuance date of M-22-18. The FAR Council has opened a proposed rule, FAR Case 2023-002, to implement section 4(n) of EO 14028. This rule will also focus on the requirements outlined in OMB M-22-18. VA intends to implement collection of the attestation letters in accordance with the OMB memorandum and once the rule is finalized; relevant VA acquisition policy may be updated to further implement the FAR rule. At this time, evidence of documentation is not required to be provided to VA until such time that notification is provided to vendors. OMB Memorandum M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development PracticesFederal Register - EO 14028 Improving the Nation's CybersecurityOMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity PrinciplesNational Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community SystemsOMB Memorandum M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management RequirementsOMB Memorandum M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and ResponseOMB Memorandum M-21-31 Improving the Federal Government%u2019s Investigative and Remediation Capabilities Related to Cybersecurity IncidentOMB Memorandum M-21-30 Protecting Critical Software Through Enhanced Security Measures