US Executive Order 14028
How CVEium CIS supports compliance with US EO 14028/14144 and NIST SSDF requirements.
US Executive Order 14028 ("Improving the Nation's Cybersecurity") and its successor EO 14144 establish software supply chain security requirements for vendors selling to the US federal government.
Key requirements
SBOM mandate
Federal vendors must provide SBOMs for their software products. CVEium CIS supports this through:
- Upload and management of CycloneDX and SPDX SBOMs
- SBOM download API for automated retrieval by federal customers
- Component-level detail including PURLs, versions, licenses, and suppliers
NIST SP 800-218 (SSDF)
The Secure Software Development Framework defines practices for secure software development. Federal vendors must attest to following these practices.
CVEium CIS helps demonstrate compliance with several SSDF practice areas:
| SSDF Practice | Description | CVEium CIS support |
|---|---|---|
| PO.1 | Define security requirements | SLA policy configuration |
| PO.3 | Implement supporting tooling | Automated CVE scanning, VEX generation |
| PS.1 | Protect software from tampering | SBOM integrity hashing, VEX digital signatures |
| PS.2 | Provide software integrity verification | Content hashes on all published disclosures |
| PW.4 | Reuse secure software components | SBOM component tracking |
| PW.7 | Review code for vulnerabilities | Automated vulnerability matching |
| PW.9 | Test for vulnerabilities | CVE scanning against 300K+ vulnerability corpus |
| RV.1 | Identify vulnerabilities | Automated CVE matching with KEV flagging |
| RV.2 | Assess vulnerability impact | Disposition workflow with justification |
| RV.3 | Remediate vulnerabilities | SLA tracking, VEX publication |
CISA BOD 22-01 (KEV)
Binding Operational Directive 22-01 requires federal agencies to remediate Known Exploited Vulnerabilities within strict timelines. CVEium CIS supports this by:
- Flagging KEV vulnerabilities with a prominent red badge
- Sorting KEV vulnerabilities to the top of the triage list
- Tracking KEV counts in triage statistics
- Including KEV status in email notifications and compliance reports
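As an added illustration (not CVEium CIS code), the following Python sketch shows the two behaviours described on this page: pulling component-level detail (PURL, version, supplier, licenses) out of a CycloneDX SBOM, and ordering matched findings so that KEV entries land at the top of the triage list with a KEV count for the statistics. The SBOM, the vulnerability records and the CVE ids are constructed placeholders, not real data.

```python
import json

# Constructed CycloneDX-style SBOM (sample data; not a real product BOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-lib", "version": "1.2.3",
   "purl": "pkg:npm/example-lib@1.2.3", "supplier": {"name": "Example Org"},
   "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "other-lib", "version": "4.0.0",
   "purl": "pkg:pypi/other-lib@4.0.0", "supplier": {"name": "Other Org"},
   "licenses": [{"license": {"id": "Apache-2.0"}}]}]}"""

# Constructed vulnerability records keyed by PURL; the CVE ids are placeholders.
VULN_DB = {
    "pkg:npm/example-lib@1.2.3": [
        {"id": "CVE-0000-0001", "kev": False, "cvss": 9.8},
        {"id": "CVE-0000-0002", "kev": True, "cvss": 7.5},
    ],
    "pkg:pypi/other-lib@4.0.0": [
        {"id": "CVE-0000-0003", "kev": False, "cvss": 5.3},
    ],
}


def load_components(sbom_json):
    """Extract the component-level detail the SBOM mandate asks for."""
    rows = []
    for comp in json.loads(sbom_json).get("components", []):
        licenses = [entry["license"]["id"] for entry in comp.get("licenses", [])
                    if "id" in entry.get("license", {})]
        rows.append({"purl": comp.get("purl"), "version": comp.get("version"),
                     "supplier": comp.get("supplier", {}).get("name"),
                     "licenses": licenses})
    return rows


def triage(sbom_json, vuln_db):
    """Match components to known CVEs; KEV entries sort to the top, then by CVSS."""
    findings = []
    for comp in load_components(sbom_json):
        for v in vuln_db.get(comp["purl"], []):
            findings.append({"purl": comp["purl"], "cve": v["id"], "kev": v["kev"],
                             "cvss": v["cvss"], "badge": "KEV" if v["kev"] else ""})
    # False sorts before True, so `not kev` puts KEV findings first.
    findings.sort(key=lambda f: (not f["kev"], -f["cvss"]))
    return findings


def kev_count(findings):
    """Triage statistic: number of findings that are on the CISA KEV list."""
    return sum(1 for f in findings if f["kev"])
```

A real deployment would source the `kev` flag from the CISA KEV catalog rather than a hand-written table; the sort key is the part that reproduces the "KEV first" triage order.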
NIST SSDF attestation in compliance reports
The compliance attestation report generated by CVEium includes a dedicated NIST SSDF section. This section presents a checklist of SSDF practices with evidence of how your organization addresses each one through CVEium CIS.
This report can be shared with federal customers and procurement officers as supporting evidence for your SSDF attestation.
Generating evidence
To generate compliance evidence for a release:
- Navigate to the release page
- Click Compliance Report in the overview section
- The report opens in a new tab as a print-ready HTML page
- Use your browser's print function to save as PDF
See Attestation Reports for details on report contents and interpretation.