US-Seal

EO Resource Center

Executive Order Deadlines

Full Timeline of Key Milestones Under the Cybersecurity Executive Order

Dates are projected based on deadlines in the EO

June 11, 2021

expired

Sections 4 & 7

4(b): Commerce/NIST identify existing or create standards, tools, and best practices for complying with new software development requirements.

Go To Section 4

7(c): DHS/CISA provide OMB recommendations on options for implementing a government-wide EDR system.

Go To Section 7

June 26, 2021

expired

Sections 4 & 7

4(g): Government cybersecurity leaders publish a definition for “critical software” that addresses topics such as level of privilege or access required, integration and dependencies, and potential for harm if compromised.
Read NIST Definition of Critical Software

Go To Section 4

7(g): NSA submits recommendations for improving detection of cyber incidents affecting National Security Systems, including EDR approaches and how they will operate.

Go To Section 7

July 11, 2021

expired

Sections 3

3(b): Agencies share updated plans for adoption and use of cloud technology and implementation plans for zero trust architecture.
3(c-iii): DHS/CISA issue a cloud service governance framework for FCEB agencies.
3(c-i)
: Agencies provide progress reports about multifactor authentication and data encryption; new reports are required every 60 days until full adoption is achieved.

3(f): GSA/OMB/Agencies start modernizing FedRAMP by establishing training, improving communication, incorporating automation, digitizing and streamlining documentation, and identifying relevant compliance frameworks and mapping them onto requirements.

Go To Section 3

July 11, 2021

expired

Sections 4 & 7

4(f): Commerce, in coordination with others, publishes minimum elements for a Software Bill of Materials (SBOM)
Read The SBOM Guidance

4(i): Commerce/NIST/DHS/CISA/OMB publish guidance outlining security measures for critical software, covering least privilege, network segmentation, and proper configuration.
Read The New Security Measures

4(r): Commerce/NIST/DoD/NSA release guidelines for minimum standards for vendors’ testing of software source code, including manual and automated testing.
Read The New Guidelines

Go To Section 4

7(j-i): DoD/DHS establish procedures for immediate sharing of incident response orders, emergency directives, and binding operational directives about their information networks.

Go To Section 7

July 26, 2021

expired

Sections 4 & 7

4(h): DHS/CISA/Commerce/NIST identify and make available to agencies a list of software categories and products in use or in the acquisition process that meet definition of critical software.
Browse The List

Go To Section 4

7(j-i): Agencies establish or update their Memoranda of Agreement (MOA) for the CDM Program to ensure object-level data are available and accessible to CISA.

Go To Section 7

Aug. 10, 2021

expired

Section 3

4(c-ii): OMB/DHS/CISA/GSA/FedRAMP release a Federal cloud security strategy and guidance for agencies, to include guidance to help agencies move closer to zero trust.
Read the Zero Trust Maturity Model

Read the OBM draft memo Moving the U.S. Government Towards Zero Trust Cybersecurity Principles

4(c-ii): DHS/CISA/OMB/GSA/FedRAMP issue cloud security technical reference architecture documentation with recommendations on cloud migration and data protection for FCEB agencies.
Read the Cloud Security TRA

3(c-iv): Agencies provide reports to DHS/CISA/OMB evaluating types and sensitivity of their unclassified data, including prioritization and appropriate processing and storage.

3(6): DHS/CISA/AG/FBI/GSA/FedRAMP establish framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology.

Go To Section 3

Aug. 10, 2021

expired

Section 4 & 5

4(j): OMB takes appropriate steps to require agencies comply with new guidance outlining security measures for critical software.
Read the OMB memo Protecting Critical Software Through Enhanced Security Measures

Go To Section 4

7(h): DoD/ODNI/CNSS establish policies that effectuate NSA’s recommendations for improving detection of cyber incidents affecting National Security Systems.

7(i): CISA reports to OMB/APNSA on how authorities granted to conduct threat hunting on FCEB networks without agency authorization are being implemented and makes recommendations for ensuring mission-critical systems are not disrupted.

Go To Section 7

Aug. 24, 2021

expired

Section 4 & 5

8(c): OMB/Commerce/DHS formulate policies for agencies to establish logging, log retention, and log management requirements.
Read the OMB memo Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents

Go To Section 8

Sept. 9, 2021

expired

Section 6 & 7

6(b): Government cybersecurity leaders release standardized FCEB playbook for planning/conducting cybersecurity vulnerability and incident response activities, incorporating all appropriate NIST standards.
Read the Cybersecurity Incident & Vulnerability Response Playbooks

Go To Section 7

7(d): OMB/DHS issue requirements for FCEB agencies to adopt the federal government-wide EDR approaches to engage in cyber hunt, detection, and response activities.
Read the OMB memo Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response

Go To Section 7

Nov. 8, 2021

expired

Section 3 & 4

3(d): Agencies adopt multifactor authentication and encryption for data at rest and in transit; those unable to comply, provide a written rationale to DHS/CISA/OMB/APNSA.

Go To Section 3

4(c): Based on consultations, NIST publishes preliminary guidelines for enhancing software supply chain security.

Read the Secure Software Development Framework

Read the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Read the Defending Against Software Supply Chain Attacks

Go To Section 4

Feb. 6, 2022
Sections 4

4(e): Commerce/NIST/Agencies issue guidance including standards, procedures, or criteria that enhance the security of the software supply chain.

4(t): Commerce/NIST/Agencies release IoT cybersecurity criteria for a consumer labeling program that helps inform about security of products.

4(u): Commerce/NIST/Agencies identify secure software development practices or criteria for a consumer software labeling program.

Go To Section 4

March 8, 2022
Sections 4

4(k): OMB takes appropriate steps to require that agencies comply with secure software guidelines with respect to software procured after May 12, 2021.

Go To Section 4

May 7, 2022
Sections 4

4(d): NIST publishes additional guidelines for software supply chain security, including procedures for periodic review and updates.

Go To Section 4

May 12, 2022
Sections 4

4(n): DHS/DoD/AG/OMB recommend contract language to FAR Council requiring suppliers of software available for purchase by agencies to comply with critical software security requirements.

4(w): NIST reviews the effectiveness of Section 4’s pilot programs, determines improvements that can be made, and submits a report to APNSA.

4(x): Commerce/Agencies provide the President with a progress report and outline additional steps needed to secure the software supply chain.

Go To Section 4

Download & Print

There is power in strong partnerships.

Learn more about our best-in-class solutions for Executive Order Requirements.