Executive Order 14028 — What Federal Agencies Are Actually Required to Do and Where Most Are Falling Short

Executive Order 14028 on Improving the Nation’s Cybersecurity created specific, binding requirements for federal agencies — Zero Trust architecture, SBOM requirements, cloud security standards, and incident reporting mandates. Two years in, compliance is uneven and many agencies are further behind than they realize. Here is what is actually required and where the gaps tend to be.

Maximus Banla, CISSP | October 2025 | 10 min read

Key takeaways

  • EO 14028 is a program obligation, not a single deployment
  • Ownership and measurable outcomes are where programs succeed
  • Integrate mandates into procurement and ongoing operations

EO 14028 requirements are not just technical tasks — they are program-level obligations that demand governance, sequencing, and evidence. Organizations often treat these mandates like one-off projects, which leads to incomplete enforcement.

The most common gaps appear where teams lack clear ownership and measurable outcomes. For example, Zero Trust initiatives fail when identity signals and enforcement policies aren’t built as durable systems. Similarly, cloud and SBOM requirements fail when they’re not integrated into procurement, operations, and ongoing monitoring.

A workable strategy is to establish a program cadence: define requirements, map them to existing control frameworks, instrument evidence, and track progress against measurable risk reduction.