Executive Order 14028 on Improving the Nation's Cybersecurity was signed in May 2021, and by late 2023 enough time has passed to judge what it actually moved versus what it merely announced. The honest answer is uneven. Some provisions — SBOM delivery, secure development attestation, zero-trust architecture guidance — have genuinely changed how federal software suppliers operate. Others — log retention standards, endpoint detection mandates — have been implemented in spirit but not in measurable practice. The directive is now aging into operational enforcement territory, which is typically where the real posture shifts happen. This post is a two-year checkpoint for security leaders whose companies either sell to the federal government directly or whose enterprise customers inherit federal requirements by contractual pass-through.
What has actually changed in federal procurement?
Two concrete changes have operational teeth. First, OMB Memo M-22-18 (September 2022) required federal agencies to obtain NIST SSDF attestation from software producers, and CISA's attestation form (introduced in 2023) made this a specific document software vendors file. Vendors selling into federal are now filling out and signing a document that says, essentially, "we follow the secure development framework and we warrant that our builds do these specific things." This is not nothing. It has forced many vendors to document processes they ran informally before.
Second, SBOM delivery is becoming a contractual expectation in new federal procurements, especially from DoD and civilian agencies with larger tech spend. The format is not always specified — SPDX and CycloneDX are both accepted — and the delivery mechanism varies, but vendors increasingly need to produce SBOMs on demand.
What stalled or moved slowly?
Three things, all in different parts of the order.
Endpoint detection and response mandates for federal agencies moved, but agency adoption has been uneven; CISA's visibility into federal endpoint posture is better than two years ago but still has large gaps. This is partly a budget issue and partly a legacy-infrastructure issue.
Log retention and centralization requirements have been implemented in policy, but the shared logging infrastructure (modeled as CISA-accessible telemetry) has not fully materialized at scale. Agencies comply individually; federated querying across agencies is still limited.
Critical software definition remains narrower in practice than the order's spirit intended. The category has not been expanded meaningfully since the initial July 2021 definition.
How much did the EO change the commercial market?
More than expected, indirectly. The mechanics are familiar: federal requirements become enterprise requirements by contractual pass-through. A vendor that sells to both federal and large enterprise customers ends up making SBOMs, attestations, and signing infrastructure available to both, because the cost of maintaining two parallel pipelines is higher than the cost of making the federal pipeline visible to all customers. By late 2023, many enterprise procurement questionnaires now ask about SSDF conformance and SBOM availability even though the asking organization has no federal footprint at all.
The indirect commercial effect is probably larger than the direct federal effect at this point.
What did SBOM delivery actually look like in practice?
The honest summary: lots of SBOMs, variable quality, limited downstream consumption. Vendors are generating and delivering SBOMs, typically as part of release artifacts, but the federal receivers of those SBOMs are not yet systematically ingesting them into analysis pipelines. SBOMs land in artifact stores and often sit there. This is a near-term problem; the capability to consume SBOMs at scale has been lagging the capability to produce them, and agencies that have invested in SBOM ingest are finding the downstream work (dedup, CVE correlation, reachability inference) is where most of the value comes from. Generating SBOMs is the first 20%.
Expect the next year to see more investment in SBOM consumption infrastructure and more specific quality expectations on SBOMs delivered — component-level versioning completeness, transitive dependency depth, license fields populated.
What enforcement is coming in year three?
Three developments worth tracking:
- Binding operational directives with specific technical targets. CISA has been moving from guidance to binding operational directives for federal civilian agencies, and the pattern suggests more of these are coming with tighter timelines.
- Federal contract clause standardization. The FAR (Federal Acquisition Regulation) rulemaking process tied to cybersecurity supply chain is slow but moving. When rules codify, the attestation form becomes a binding contract clause rather than an administrative artifact.
- Software transparency beyond SBOM. Provenance attestations (SLSA-style), signing verification, and vulnerability disclosure policy requirements are all under discussion as possible additions to the baseline.
What should suppliers prioritize in year three?
Three moves that consistently pay back for vendors planning ahead:
- Industrialize the attestation process. If each release requires a human to fill in an SSDF attestation, you have a scaling problem coming. Make the attestation a build artifact generated from verifiable pipeline evidence.
- Increase SBOM quality beyond conformance. Transitive depth, consistent versioning, license accuracy. The agencies that start consuming SBOMs seriously will reward suppliers whose SBOMs are usable.
- Sign everything. Artifact signing, provenance attestations, VEX documents. The direction of travel is clear; every federal-adjacent supplier will be signing all release artifacts by the end of year four. Start now while the tooling choices are still portable.
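The SBOM quality expectations named above (component-level versioning completeness, license fields populated, transitive dependency depth) can be checked mechanically before an SBOM ships. The following is an added example written for this post; it is not code from the post or from Safeguard. It scores a CycloneDX JSON SBOM against those expectations and also flags two structural gaps a consuming agency would otherwise have to work around: dependency references that no component declares, and declared components the dependency graph never reaches from the root. The SBOM embedded in the block is constructed for the example; the field names (`metadata.component`, `components`, `dependencies` with `ref`/`dependsOn`) follow the CycloneDX 1.4 JSON schema, and the `pkg:pypi/...` refs are sample values.

```python
"""Quality checks on a CycloneDX 1.4 JSON SBOM.

Added illustration, not code from the post or from Safeguard. The SBOM below is
constructed for the example; field names follow the CycloneDX JSON schema.
"""
import json

# Constructed sample: a root application whose dependency graph contains one
# component with no version, one with no license, one dependency reference that
# is never declared as a component, and one declared component nothing depends on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-svc", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "version": "2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/certifi", "name": "certifi",              # no version field
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
        {"bom-ref": "pkg:pypi/idna@3.4", "name": "idna", "version": "3.4"},   # no license
        {"bom-ref": "pkg:pypi/six@1.16.0", "name": "six", "version": "1.16.0",  # orphan
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/idna@3.4",
                       "pkg:pypi/charset-normalizer@3.3.2"]},   # never declared above
        {"ref": "pkg:pypi/urllib3@2.0.7", "dependsOn": ["pkg:pypi/certifi"]},
    ],
})


def _has_license(component):
    """True if any license entry carries an SPDX id, a name, or an expression."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name") or entry.get("expression"):
            return True
    return False


def dependency_depth(root_ref, edges):
    """Longest path from the root through the dependsOn graph.

    Depth-first over every path (shortest-path search would undercount on
    diamond shapes), with a guard so a malformed, cyclic SBOM cannot loop.
    """
    best = {}

    def walk(ref, depth, seen):
        if ref in seen:
            return
        best[ref] = max(best.get(ref, 0), depth)
        for child in edges.get(ref, []):
            walk(child, depth + 1, seen | {ref})

    walk(root_ref, 0, frozenset())
    return max(best.values()) if best else 0


def assess_sbom(sbom_json):
    """Return a quality report listing the gaps a consuming agency would hit."""
    bom = json.loads(sbom_json)
    components = bom.get("components", [])
    root = bom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"] for c in components} | {root}
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}

    missing_version = sorted(c["bom-ref"] for c in components if not c.get("version"))
    missing_license = sorted(c["bom-ref"] for c in components if not _has_license(c))
    # Referenced in the graph but declared nowhere: no version, so no CVE matching.
    dangling = sorted({ref for refs in edges.values() for ref in refs} - declared)
    # Declared but unreachable from the root: no transitive context for reachability work.
    reachable, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(edges.get(ref, []))
    orphans = sorted(declared - reachable)

    return {
        "components": len(components),
        "max_depth": dependency_depth(root, edges),
        "missing_version": missing_version,
        "missing_license": missing_license,
        "dangling_refs": dangling,
        "orphans": orphans,
    }


if __name__ == "__main__":
    print(json.dumps(assess_sbom(SAMPLE_SBOM), indent=2))
```

Run as a release gate, a non-empty `missing_version`, `missing_license` or `dangling_refs` list is the kind of defect a receiving agency's CVE correlation step cannot repair on its own, while `max_depth` of 1 on a non-trivial application is a sign the generator only captured direct dependencies. SPDX documents carry the same information under different field names (`relationships` with `DEPENDS_ON`), so the same checks port with a different loader.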
How does this compare internationally?
The EU's Cyber Resilience Act (published 2022, enforcement phased through 2027) parallels many of EO 14028's provisions with a different regulatory structure — product-level obligations rather than procurement-level. Japan, Singapore, and Australia have all introduced federal-supplier equivalents on different cadences. The international picture is converging on a common set of expectations (SBOM, secure development attestation, vulnerability disclosure), which is good news for suppliers because the compliance work ports reasonably well across jurisdictions.
How Safeguard Helps
Safeguard's platform generates the artifacts federal programs and enterprise pass-through contracts increasingly require — SBOMs in SPDX and CycloneDX, SLSA provenance, SSDF-aligned evidence, VEX documents — as a byproduct of the normal build and policy workflow. The platform's attestation layer exports CISA attestation form evidence directly, so the SSDF filing is backed by machine-verifiable pipeline data rather than a narrative. Griffin AI summarizes posture against EO 14028 provisions and surfaces gaps before an audit does. For vendors selling into federal or federal-adjacent markets, Safeguard provides the compliance-as-output posture that makes EO 14028 conformance a platform property rather than a documentation project.