EO 14028 Compliance Checks

Safeguard.sh automatically validates your SBOMs against Executive Order 14028 requirements, ensuring your software meets federal cybersecurity standards.

Overview

Executive Order 14028, "Improving the Nation's Cybersecurity," establishes requirements for software sold to the federal government. Safeguard.sh helps you:

Validate SBOM completeness against NTIA minimum elements
Verify secure software development practices
Generate compliance reports
Track compliance status over time

NTIA Minimum Elements

The NTIA defines minimum elements required in an SBOM:

Data Fields

Element	Description	Status
Supplier Name	Entity that creates, defines, and identifies components	Checked
Component Name	Designation assigned to a unit of software	Checked
Version	Identifier used to specify a change from previous version	Checked
Other Unique Identifiers	Other identifiers (e.g., PURL, CPE)	Checked
Dependency Relationship	Characterization of the relationship	Checked
Author of SBOM Data	Name of the entity that creates the SBOM	Checked
Timestamp	Date and time the SBOM was assembled	Checked

Automation Support

Requirement	Description	Status
Machine-Readable Format	SPDX or CycloneDX format	Validated
Automated Generation	Ability to generate without manual intervention	Supported
Automated Consumption	Ability to ingest programmatically	Supported

Compliance Dashboard

View EO 14028 compliance status in the project dashboard:

Compliance Score

Each project receives a compliance score based on:

Data Completeness - Percentage of required fields populated
Format Compliance - Valid SPDX/CycloneDX structure
Component Coverage - All components have minimum data
Update Frequency - SBOM freshness

Compliance Status

Status	Meaning
✅ Compliant	Meets all EO 14028 requirements
⚠️ Partially Compliant	Some requirements not met
❌ Non-Compliant	Missing critical requirements

Viewing Compliance Checks

Project Level

Open a project from the Projects page
Navigate to the Compliance tab
View detailed compliance status

Organization Level

Go to Dashboard
View the EO 14028 Compliance widget
See aggregate compliance across all projects

Compliance Report

Generate compliance reports for federal procurement:

Report Contents

Executive Summary - Overall compliance status
SBOM Details - Format, timestamp, author
Component Analysis - Data completeness per component
Gap Analysis - Missing or incomplete data
Remediation Steps - How to achieve compliance

Generate Report

Open project
Click Export → EO 14028 Compliance Report
Select format (PDF, HTML, JSON)
Download report

CLI Generation

safeguard compliance report --project "my-app" --version "1.0.0" --format pdf --output eo14028-report.pdf

Common Compliance Issues

Missing Supplier Names

Problem: Components lack supplier identification

Solution:

Use package URLs (PURLs) which include supplier info
Manually add supplier data for proprietary components
Contact vendors for accurate supplier information

Incomplete Version Data

Problem: Components have vague or missing versions

Solution:

Use lock files to capture exact versions
Avoid version ranges in manifests
Pin dependencies to specific versions

Missing Unique Identifiers

Problem: Components lack PURLs or CPEs

Solution:

Generate SBOMs from source with modern tools
Enrich existing SBOMs with identifier lookup
Use Safeguard.sh enrichment features

Outdated SBOMs

Problem: SBOM timestamp is stale

Solution:

Enable continuous scanning
Configure webhooks for automatic updates
Set up scheduled SBOM generation

SSDF Alignment

Safeguard.sh also tracks alignment with the Secure Software Development Framework (SSDF):

Practice	Description	Supported
PO.1	Security Requirements	Via policies
PS.1	Protect Software	Vulnerability scanning
PS.2	Secure Development Environment	Integration tracking
PW.4	Source Code Review	Via integrations
PW.6	Verify Third-Party Components	SBOM analysis
RV.1	Identify Vulnerabilities	Continuous scanning
RV.2	Assess Vulnerabilities	Risk scoring
RV.3	Remediate Vulnerabilities	AI Remediate

Attestation Letters

Generate attestation letters for federal customers:

Go to Compliance → Attestations
Select project and version
Choose attestation template
Review and sign
Export signed attestation

Best Practices

For SBOM Generation

Generate SBOMs from source code when possible
Use CycloneDX 1.5+ or SPDX 2.3+ formats
Include lock files in source repositories
Automate SBOM generation in CI/CD

For Compliance

Review compliance status weekly
Address gaps before federal delivery
Keep SBOMs updated with each release
Document compliance processes

For Reporting

Generate reports for each major release
Archive reports for audit purposes
Include compliance reports in delivery packages
Maintain compliance history

Federal Procurement

When selling to federal agencies:

Pre-Contract: Demonstrate compliance capability
Contract Award: Provide initial SBOMs
Ongoing: Supply updated SBOMs per contract terms
Audit: Provide compliance reports on request

API Access

Access compliance data programmatically:

# Get compliance status
curl -X GET https://api.safeguard.sh/v1/projects/{id}/compliance/eo14028 \
  -H "Authorization: Bearer $API_KEY"

# Generate compliance report
curl -X POST https://api.safeguard.sh/v1/projects/{id}/compliance/report \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format": "pdf", "standard": "eo14028"}'

EO 14028 Compliance Checks

EO 14028 Compliance Checks

Overview

NTIA Minimum Elements

Data Fields

Automation Support

Compliance Dashboard

Compliance Score

Compliance Status

Viewing Compliance Checks

Project Level

Organization Level

Compliance Report

Report Contents

Generate Report

CLI Generation

Common Compliance Issues

Missing Supplier Names

Incomplete Version Data

Missing Unique Identifiers

Outdated SBOMs

SSDF Alignment

Attestation Letters

Best Practices

For SBOM Generation

For Compliance

For Reporting

Federal Procurement

API Access

Resources

Next Steps

On this page