Compliance with US Government Executive Order 14028
Dear customers and partners,
We are proud to announce compliance with US Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” This milestone underscores our unwavering commitment to enhancing the security and resilience of our products, as well as our support for partners serving the US Government.
We have implemented several key initiatives to align with the directives of EO 14028, including standards, procedures, and criteria for the following:
- Maintain a secure software development environment, including actions such as:
  - Using a separate build environment
  - Auditing trust relationships
  - Using multi-factor, risk-based authentication and conditional access to source repositories
  - Encrypting critical data
  - Monitoring operations and alerts and responding to cyber incidents
  - Providing artifacts that demonstrate conformance to the above processes to US federal government agencies when requested
- Regularly run automated tools for:
  - Maintaining trusted source code supply chains, thereby ensuring the integrity of the code
  - Identifying and remediating known and potential vulnerabilities in the codebase
  - Providing evidence of running the automated tools to US federal government agencies when requested
- Maintain and regularly audit accurate and up-to-date data on the provenance (i.e., origin) of internal and third-party software code and components.
- Implement a vulnerability disclosure program that includes reporting and disclosure processes.
- Attest to conformity with secure software development practices through Secure Software Attestations.
- Ensure, to the extent practicable, the integrity and provenance of open-source software used within any portion of our products.
- Establish internal processes to generate Software Attestations and other artifacts, such as SBOMs, for Fiery products sold to the US Federal Government, and upload them to CISA’s Repository for Software Attestations and Artifacts (RSAA).
Frequently Asked Questions (FAQs)
What is EO 14028?
EO 14028 is an executive order from the President of the United States issued in 2021. It responds to the growing number of cyberattacks against US Government agencies and critical infrastructure, and is meant to help the U.S. Government and the private sector work together to better protect themselves from these threats. One important aspect of EO 14028 is that it establishes a framework to improve the security of the software supply chain.
Why is EO 14028 important to Fiery?
Fiery partners actively sell products and services to the US Government and require all Fiery software to comply with this Executive Order.
What Fiery products are impacted by EO 14028?
All Fiery software applications developed after September 14, 2022.
When will US Government agencies start enforcing EO 14028 compliance?
From June 11, 2024. The relevant guidance states: “Agencies shall collect attestation letters not posted publicly by software providers for ‘critical software’ within 3 months after approval of common form.” The common form was approved on March 11, 2024.
How does EO 14028 handle updates to existing software versions?
Existing software that is modified by a major version change after September 14, 2022 (e.g., under a Major.Minor.Patch semantic versioning schema, a version number going from 2.5 to 3.0) is impacted and must comply with this Executive Order. Fiery software follows a three-digit versioning schema, Major.Minor.Patch, applied incrementally; for example, in v1.0.2, 1 is the Major version, 0 is the Minor version, and 2 designates patches or security updates. For EO 14028 compliance purposes, Fiery only considers the major version. Minor software updates (e.g., CWS 7.1.0) and patches (e.g., CWS 7.1.1) are out of the scope of this Executive Order.
How does EO 14028 handle Software-as-a-Service (SaaS) products?
Software to whose code the producer delivers continuous changes (such as software-as-a-service products or other products using continuous delivery/continuous deployment) is impacted and must comply with this Executive Order.
Are there any other requirements besides Secure Software Attestations needed to demonstrate compliance?
Upon request by any US government agency, we can demonstrate conformance to secure software development practices (SSDP) and provide corresponding supporting artifacts such as the Software Bill of Materials (SBOM) for the product.
Will Fiery Secure Software Attestations include third-party software bundled with the Fiery DFE, for example Adobe or Microsoft software?
No. It is the third-party software manufacturer’s responsibility to provide attestations for their products.
How about open-source software included with Fiery DFEs?
Third-party open-source software included with Fiery DFEs is out of the scope of this regulation.
For more information about our cybersecurity initiatives, please visit our website at https://www.fiery.com/security/