Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Executive Order 14028, Improving the Nation's Cybersecurity

Improving the Nation's Cybersecurity: NIST’s Responsibilities under the May 2021 Executive Order


The President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028)” issued on May 12, 2021, charges multiple agencies – including NIST– with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include: 

  • criteria to evaluate software security,  
  • criteria to evaluate the security practices of the developers and suppliers themselves, and 
  • innovative tools or methods to demonstrate conformance with secure practices. 

The EO calls for NIST to consult with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then to define “critical software” by June 26, 2021.  

NIST is to publish guidance outlining security measures for critical software by July 11, 2021, after consulting with CISA and OMB. 

Also by July 11, 2021, after consulting with the NSA, NIST will publish guidelines recommending minimum standards for vendors’ testing of their software source code. 

By November 8, 2021, NIST is to publish preliminary guidelines, based on stakeholder input and existing documents for enhancing software supply chain security. 

By February 6, 2022, after consulting heads of various agencies, NIST will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.  

By May 8, 2022, NIST will publish additional guidelines, including procedures for periodically reviewing and updating guidelines. 

The EO also directs NIST to initiate two labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products. Those efforts have initial deadlines of February 6, 2022. Like its other assignments in the EO, NIST will rely heavily on stakeholder ideas and information in carrying out these tasks.

NIST Tasks and Timeline for EO 14028 Section 4
Also available in PDF format.