Who is Impacted by the Executive Order on Cybersecurity?

  /  ICS Security   /  Who is Impacted by the Executive Order on Cybersecurity?

Who is Impacted by the Executive Order on Cybersecurity?

On Wednesday, May 12, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. Who will be affected by EO #14028?

Executive Orders can have the effect of law, ordering federal entities to take specific actions. They can also require certain terms to be included in federal contracts. And this is where the rubber hits the road in this EO for both the IT and OT industries.

The impact of US government contracts on the IT industry is pretty obvious; we all know that the US Government buys a lot of IT technology and services, and that gives them clout. Clauses seen in government IT contracts tend to show up in corporate IT contracts fairly quickly.

But what about OT contracts — will this EO influence those? We tend to think of OT deployments in terms of the private sector, but the US Defence department buys a lot of ICS equipment to keep the water flowing and the lights on at its military bases around the world. Ships and planes use OT products. And government bodies like the US Army Corp of Engineers and the Tennessee Valley Authority buy lots of OT. So the US Federal government is a significant purchaser of OT products for both civilian and defence projects.

Cybersecurity Impacts Outside of the Government

This OT “procurement power” will significantly impact behavior outside the government. First if supplier X agrees to provide SBOMs to the US government, finding a reason to refuse to provide SBOMs to its large commercial clients will be a struggle. This will ripple far beyond the US. We’ve become aware of sovereign oil companies in the Middle East who are now looking to duplicate the requirements for the Software Supply Chain for all OT purchases they make in the next year.

The second reason to expect that the EO will impact companies who don’t have direct sales to the US government is the EO’s focus on the software supply chain. The supply chain is called a chain for a reason. Even if you don’t sell directly to the federal government, what if one of your customers does, and they use your product as part of a larger solution? If the Feds cancel their contract for non-compliance, you can say goodbye to that customer.

Read the full post from aDolus (and an additional 3 posts unpacking the EO) for more important takeaways.

Be sure to check out the accompanying EO Fact Sheet from the White House and the helpful EO Timeline from aDolus.


Learn from global ICS cybersecurity subject matter experts as they share insights on topics like Cybersecurity for Manufacturing, Energy and Infrastructure Industries and The Role of AI in ICS Cybersecurity at IIoT World’s Cybersecurity Day on October 6, 2021. The first 500 tickets are free, so register today.