The Impact of Executive Order 14028 on FedRAMP

Government responses to evolving security threats have, to more or less a degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains. 

To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust approach to security and stricter requirements for authorization processes and baseline requirements. 

This article will discuss how some aspects of this executive order are impacting or will impact, FedRAMP Authorization for cloud service offerings. 

What Is Executive Order 14028?

EO 14028 introduced stricter requirements for government agencies, emphasizing data protection by requiring these agencies and their partners to adopt zero-trust infrastructure. 

While there are some specific details included in 14208 around implementation and expectations (which we’ve written about previously), the overarching goal is to align the government and its supply chain such that it may better resist threats presented by attackers, specifically Advanced Persistent Threats (APTs). 

What Is Zero-Trust Security?

“Zero trust” is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and must verify anything—everything trying to connect to its systems before granting access.

The zero trust model follows several fundamental principles to ensure the network’s security. 

These principles include:

• Verify Explicitly: Always authenticate and authorize based on all available data points, such as user identity, location, device health, service or workload, data classification, and anomalies.
• Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection in the network.
• Always Assume Breach: Instead of assuming everything inside the network is safe, zero trust assumes a breach has already happened. Minimize the potential damage (blast radius) from breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness.
• Network Segmentation: Network segmentation is a key aspect of zero trust. By breaking the network into smaller parts, you can reduce the attack surface and limit the potential damage of a breach.
• Zero User Trust: Zero trust systems don’t automatically trust users based on their network location. Instead, trust is established through continual verification and validation of the user’s identity and their device’s security posture.
• Automation and Orchestration: Implementing automated security policies and threat responses is a key part of a zero-trust model. This includes automating verifying user and device identities and coordinating responses to detected threats.
• Threat Intelligence and Analytics: Regularly collect and analyze data about emerging threats. Use this information to update and improve security policies and protocols continually.

These principles work together to provide a holistic approach to network security, ensuring that every access request is fully authenticated, authorized, and encrypted before it’s granted.

The Impact on FedRAMP

According to the FedRAMP website, a critical document for implementing this order is Memorandum 21-31 (M-21-31). This document guides taking existing security standards and tools and modernizing them into a zero-trust framework. 

However, this doesn’t translate into a needed action for CSOs already meeting their FedRAMP Authorization. What it means is that these CSOs, when working with an agency with zero-trust requirements, must meet those requirements per that agency’s RFP. 

These are particularly important as it relates to a few specific controls in NIST SP 800-53 (Revision 5):

• AC-4 (Information Flow Enforcement): As data potentially moves between an agency with zero-trust requirements and a FedRAMP-Authorized CSP, the provider must have controls in place that prevent encrypted information from bypassing control mechanisms through decryption, connection termination, or blocking data flows. 
• AU-11 (Audit Record Retention): CSPs should retain audit controls such that after-the-fact investigations into incidents may occur or FOIA requests are required by law. 
• SI-4 (System Monitoring): CSPs must be able to provide the system monitoring and identification processes outlined in NIST 800-53 to support zero-support systems–namely, the requirement that zero-trust architectures have monitoring for all system events. 

What Are Key Components of a Zero-Trust Architecture?

With the requirements mentioned earlier for zero-trust systems, an organization can begin to map standard controls into its FedRAMP Authorization plan. 

Some of the common controls, processes, and procedures for a comprehensive zero-trust system include:

• Identity and Access Management (IAM): Every individual and device trying to access resources in the cloud should be verified and authenticated. This usually involves multi-factor authentication (MFA) and stringent access controls.
• Principle of Least Privilege (PoLP): This involves ensuring that users only have access to the resources and information needed to perform their job functions. This limits the potential exposure of sensitive information and resources.
• Physical and Logical Network and Cloud: Cloud environments should be divided into secure and manageable segments. If an attacker compromises one part of the system, micro-segmentation prevents them from easily moving laterally to other parts of the system.
  
• Encryption: All data, both in transit and at rest, should be encrypted. This ensures that even if an attacker gets hold of the data, they cannot read or use it without the correct decryption keys.
• Continuous Monitoring and Analytics: It’s crucial to monitor and log all network activities and use analytics to identify abnormal or suspicious behavior. This is often achieved through security information and event management (SIEM) systems and other threat detection tools.
  
• Automated Security Policies: Using AI and machine learning, cloud service providers can enforce security policies across their entire cloud environment. This can include automatically blocking or limiting access if suspicious behavior is detected.
• API Security: Since cloud services often expose APIs for integration with other services, securing these APIs is crucial in a zero-trust model. This includes authenticating and authorizing API calls and protecting against attacks like DDoS.
• Endpoint Security: All devices connecting to the network, including personal and IoT devices, must be secured. This can involve mobile device management (MDM) or endpoint detection and response (EDR) solutions.
  

By implementing these strategies, a cloud service provider can integrate zero-trust architecture into their product offering, providing a more secure and trustworthy service for their users.

Integrate Zero Trust Principles Into Your FedRAMP Authorization with Lazarus Alliance

If your cloud offering is facing specific needs and challenges based on this executive order or the demands of your sponsoring agency, then you’ll need a partner to ensure you meet those requirements. That partner is Lazarus Alliance.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→