EO 14028
The 2021 Executive Order that introduced SBOM mandates, zero-trust architecture targets, and software vendor attestation requirements.
All federal agencies, plus any software producer selling into the federal government.
Continuous evidence pipeline available; audit support included for all customers.
What EO 14028 actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Software vendors selling to the federal government must self-attest to compliance with the Secure Software Development Framework (SSDF, NIST SP 800-218).
An SBOM for every release artifact, covering the NTIA minimum elements.
Federal agencies must adopt zero-trust architecture per OMB M-22-09.
Multi-factor authentication and encryption for data at rest and in transit, with phasing per M-22-09.
Endpoint Detection and Response on federal endpoints (M-22-01).
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Self-attestation form pre-populated from SSDF telemetry.
SBOM auto-generation in CycloneDX and SPDX, covering the NTIA minimum elements, with VEX annotations.
Zero-trust reference architecture for hosted Safeguard deployments documented on the trust center.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
CISA SSDF attestation form — pre-filled, exported as signed PDF.
Per-release SBOM with VEX annotations.
Mapping table: EO 14028 sections → controls → Safeguard telemetry.
One evidence base. Many regulators.
These frameworks share substantial control overlap with EO 14028. Customers running one assessment typically satisfy the others with the same evidence base.
NIST SP 800-218 (SSDF)
North America
The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
NIST SP 800-161 (Rev 2)
North America
Supply Chain Risk Management practices for federal systems — the foundation for SBOM and software provenance requirements.
FedRAMP HIGH
North America
Federal cloud authorisation for systems handling High-impact CUI and mission data.
Ready for EO 14028?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.