Building a SBOM That Supports EO 14028 & EO 14144 Compliance

In late 2020, hackers infiltrated SolarWinds—a company that produces network, systems, and information technology management software for public and private sector organizations. The resulting trojan went on to infect thousands of government entities and private companies as it was introduced into other software applications through version updates. Microsoft President Brad Smith called it "the largest and most sophisticated attack the world has ever seen.”

In response to the SolarWinds’ breach and similar large-scale cyberattacks, President Joe Biden issued Executive Order (EO) 14028 in May 2021 to strengthen the Unted States’ cybersecurity protocols. He added a second order, EO 14144, in January 2025 to add further details around compliance requirements and the standards software companies should follow.

Because these executive orders continue to stand in the current administration, it’s important for software developers, especially those with government contracts, to understand the standards they set forth. In this article, we’ll look more closely at these orders, the important security concerns they raise, and how developers can create a secure software bill of materials (SBOM) that complies with the most stringent federal standards. 

Understanding Executive Orders 14028 and 14144

Let’s begin by looking at the details of these orders and the objectives they were designed to achieve.

EO 14028 Summary and Objectives

Entitled "Improving the Nation's Cybersecurity," EO 14028 mandates higher, zero trust, security standards across federal software supply chains and sets recommended security benchmarks for all software development. Key points include:

• The need for federal software vendors to adopt practices to ensure a Secure Software Development Life Cycle (SDLC).
• The requirement for software vendors to provide an SBOM, ensuring supply chain transparency and traceability in software components.
• Enhanced use of tools like static and dynamic code analysis to identify vulnerabilities early in the development process.

EO 14028 was designed to meet these five key objectives:

1. Protect EO-critical software and EO-critical software platforms from unauthorized access and usage.
2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms.
3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.
4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.
5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.

Source: National Institute of Standards and Technology (NIST) white paper. 

Executive Order 14144 Summary and Requirements 

Executive Order 14144 Reinforces and expands the scope of federal cybersecurity set by its predecessor by adding provisions to:

• Use AI to forward cybersecurity measures.
• Transition to quantum-resistant cryptography.
• Expand the Cyber Trust Mark program for consumer safety.
• Mandate machine-readable SBOMs for software sold to federal agencies.
• Require attestations that link SBOMs to secure software development lifecycle (SSDLC) practices.
• Integrate with centralized Cybersecurity and Infrastructure Security Agency (CISA) repositories.
• Implement real-time vulnerability disclosure and notification mechanisms.
• Recognize the vital role of private companies in defending national cybersecurity.

These mandates outline specific steps to address the objectives set forth in EO 14028, including infrastructure, systems, and consumer protections. They emphasize operational continuity in addition to upfront security measures.

Why These Executive Orders Matter

While they primarily target federal contractors and software vendors, these mandates set a standard for software security that any organization, regardless of the industry, would benefit from adhering to. Following these guidelines demonstrates a commitment to cybersecurity that will:

• Establish Trust with Customers and Partners: The SolarWinds breach illustrated how costly vulnerabilities can become. Following federal standards shows a desire to protect yourself and your partnerships.
• Reduce Software Vulnerabilities: By mandating better coding practices, vulnerability scanning, and regular audits, you’ll minimize exploitable weaknesses in your software products.
• Strengthen the Software Supply Chain: The inclusion of secure SBOMs provides visibility into software components, making it easier to detect and address flaws or risks in the supply chain.
• Enhance Incident Response: By requiring faster reporting of vulnerabilities, organizations that depend on each other enable more effective and timely responses to cyberattacks.

The Role of SBOMs in Secure Software Development Life Cycle

A software bill of materials details all the components, libraries, and dependencies used in a software product. Whether you’re using commercial software, open-source code, or proprietary systems, an SBOM provides visibility into what’s under the hood. It identifies vulnerable dependencies, supports secure updates, and enables third-party verification for regulatory compliance. 
How do you create a comprehensive and fully traceable SBOM that protects your organization, especially when partnering with federal entities? You need the proper core capabilities.

10 Core SBOM Capabilities for Federal Compliance

1. Component Identification: Automatically capture open-source, third-party, and proprietary components.
2. Version Control & Traceability: Tie each requirement and component to a specific commit, branch, or release artifact and provide full version history for each dependency.
3. Metadata & Integrity Verification: Include licensing, origins, and known vulnerabilities with tamper-proof and machine-readable output. Verify integrity with cryptographic hashes.
4. Change Tracking & Auditability: Create audit trails for changes to component lists and align with secure development attestation.
5. Integration with CI/CD: Generate SBOMs automatically at build time and distribute via APIs to customers, auditors, and CISA portals.
6. Reporting and Attestation Support: Embed secure software development life cycle (SSDLC) proof artifacts and export in formats suitable for submission to CISA or federal agencies.
7. Real-Time Updates: Maintain a “living” SBOM that reflects all changes to components or dependencies.
8. Vulnerability Monitoring: Monitor SBOM entries against common vulnerabilities and exposures (CVE) databases in real time and automate alerts and mitigation workflows.
9. Scalability: Ensure your SBOM can handle growing project complexities and additional contributors without breaking down.
10. Integration with Secure SDLC Tools: An effective SBOM should integrate seamlessly with vulnerability scanning, static analysis, requirements management and other secure development tools.

Repercussions of Non-Compliance with EO 14028 and EO 14144

Legal and Financial

Failure to comply with Executive Orders 14144 and 14028 could result in significant business costs and legal consequences, including:

• Suspension or Termination of Federal Contracts: Non-compliant vendors can have their existing contracts with federal agencies immediately suspended or terminated.
• Legal and Financial Penalties: Violations can trigger legal actions leading to substantial financial penalties.
• Reputational Damage: Transparency failures or breaches traced to unvetted dependencies can significantly erode customer and stakeholder trust for both government and private sector clients.
• Increased Scrutiny: Agencies like CISA and The Office of Management and Budget (OMB) may introduce penalties or blacklist non-compliant vendors from future procurement cycles

Who Is Responsible for Executive Order Compliance?

Compliance responsibility typically lies on the shoulders of several departments within a software vendor, including:

• CISOs and Security Architects who oversee compliance strategies and attestations.
• Engineering and DevOps Leaders who ensure SBOMs are generated and integrated via CI/CD.
• Product and Compliance Managers who coordinate documentation, customer disclosures, and regulatory reporting.

Executive Accountability

Senior executives—including the CEO—may bear the ultimate responsibility. Many federal contracts require top-level certifications from executives who could be held accountable under laws like the False Claims Act if the organization knowingly misrepresents its compliance. Beyond legal risk, CEOs may face reputational damage and scrutiny from stakeholders following incidents tied to SBOM security failures or SSDLC deficiencies.

The severity of these repercussions highlights the importance for each person in the organization to understand their role, be up to date on best practices, and use the proper tools to meet compliance. 

How Perforce Empowers EO-Ready SBOMs

To comply with EOs 14028 and 14144 and guarantee a secure SDLC, you must automate, standardize, and centralize your software security documentation and response processes. This ensures transparency and accountability throughout your software supply chain and provides CISA with the attestations and artifacts necessary to prove compliance. 

Perforce offers secure and scalable tools to make SBOM creation and management efficient and fully traceable. Our platforms provide a single, searchable source of truth that links all software components to their relevant metadata, making it easy for teams and regulatory agencies to verify compliance requirements.

Perforce P4 Data Management 

Track every component, author, and commit through every iteration of your software development cycle with data management from Perforce P4. Our platform supports full traceability from source code to binaries, so you have a complete record of your product through every phase of development, across multiple teams and users. It is a scalable platform that excels in large projects with thousands of components and branches. 

Perforce ALM

With Application Lifecycle Management (ALM) from Perforce, you can link SBOM data to requirements, QA, approvals, and release workflows. With comprehensive requirements, testing, and issue management modules, you can automate compliance workflows for documentation and attestation.

Go Beyond Compliance: Secure Your Development Cycle with Perforce

The benefits of meeting EOs 14028 and 14144 go well beyond compliance. Following these high benchmarks means you align your company with software development best practices and mitigate SBOM vulnerabilities that could hinder your product’s release or cost you valuable time and business. By focusing on Secure SDLC practices, you’ll build a more resilient and secure software supply chain that increases trust with your customers. 

Learn how the Perforce suite of tools supports your developers by: 

• Boosting resilience against attack
• Demonstrating accountability through traceability
• Reducing test and resolutions times
• Enhancing collaboration

To learn about scalable version control that easily adapts to complex projects, Watch a Demo of Perforce P4.

To streamline your requirements management, testing and tracking, Watch a Demo of Perforce ALM.