US Executive Order 14028 · federal software supply chain

SBOM & vulnerability evidence for federal software

Sell software to US agencies and you must attest to secure development and provide a machine-readable SBOM with managed vulnerabilities (EO 14028 · NIST SSDF · NTIA SBOM elements). IsItPatched gives you the inputs — known and actively-exploited component CVEs, the minimum safe version, end-of-life risk, and exportable VEX/risk evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for the federal supply chain

Software producers

Anyone selling software to US federal agencies. Produce the SBOM vulnerability analysis and remediation evidence the attestation expects.

Agencies & procurement

Assess the SBOMs vendors hand you — known CVEs, exploited status and the safe version to require.

Subcontractors & suppliers

Flow-down requirements reach you too. Show prime contractors a clean component inventory and vulnerability status.

EO 14028 software provisions → what IsItPatched gives you

Machine-readable SBOM (NTIA elements)

Drop in a CycloneDX or SPDX SBOM for a per-component verdict — commercial, open-source and off-the-shelf — and export a CycloneDX VEX.

Scan an SBOM →

Vulnerability management & disclosure

IsItPatched flags actively-exploited (CISA KEV) and high-EPSS CVEs and the minimum safe version — a defensible, risk-based "fix these first" process with exportable evidence.

See actively-exploited CVEs →

End-of-life / unsupported components

The framework expects components to be supported and maintained. End-of-life tracking flags those that can no longer be patched.

End-of-life calendar →

Attestation evidence

Export a software risk register (CSV / PDF) and VEX — a record of the vulnerability-management practices behind your self-attestation.

Open your dashboard →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — evidence of risk-based vulnerability management

Sign in (free, no password) to sync your component stack and generate these from your dashboard.
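A worked example of the pipeline described above, added here as illustration and not IsItPatched's own code: it reads a constructed CycloneDX SBOM, matches each component against a constructed advisory feed standing in for OSV, CISA KEV and EPSS lookups, derives the minimum safe version, orders the patch queue known-exploited-first, and emits a CycloneDX VEX with an analysis block per finding. The SBOM, the feed, the placeholder CVE ids and the dotted-numeric version rule are all assumptions.

```python
import json

# Constructed CycloneDX 1.5 SBOM with two components (not a real product inventory).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.2.0", "name": "example-lib", "version": "1.2.0"},
        {"type": "library", "bom-ref": "pkg:npm/other-lib@4.0.1", "name": "other-lib", "version": "4.0.1"},
    ],
})

# Constructed advisory feed standing in for OSV + CISA KEV + EPSS lookups. The CVE ids
# are placeholders; "fixed" is the first version that is no longer affected.
FEED = {
    "example-lib": [{"id": "CVE-0000-0001", "fixed": "1.2.5", "kev": True, "epss": 0.92},
                    {"id": "CVE-0000-0002", "fixed": "1.3.0", "kev": False, "epss": 0.05}],
    "other-lib": [{"id": "CVE-0000-0003", "fixed": "3.9.0", "kev": False, "epss": 0.40}],
}

def vtuple(v):
    """Assumes plain dotted numeric versions (no pre-release tags or epochs)."""
    return tuple(int(p) for p in v.split("."))
def open_findings(sbom, feed):
    """Advisories whose fixed version is newer than the version the SBOM declares."""
    return [{"ref": c["bom-ref"], "name": c["name"], **adv}
            for c in sbom["components"] for adv in feed.get(c["name"], [])
            if vtuple(c["version"]) < vtuple(adv["fixed"])]

def min_safe_version(findings, name):
    """Smallest upgrade that closes every open advisory for one component."""
    fixes = [f["fixed"] for f in findings if f["name"] == name]
    return max(fixes, key=vtuple) if fixes else None

def patch_queue(findings):
    """Known-exploited (KEV) first, then by EPSS probability, highest first."""
    return sorted(findings, key=lambda f: (not f["kev"], -f["epss"]))
def to_vex(findings):
    """CycloneDX VEX, one entry per finding. Policy assumption: KEV-listed means 'exploitable' until triaged."""
    vulns = [{"id": f["id"], "affects": [{"ref": f["ref"]}],
              "ratings": [{"method": "other", "score": f["epss"], "source": {"name": "EPSS"}}],
              "analysis": {"state": "exploitable" if f["kev"] else "in_triage",
                           "response": ["update"],
                           "detail": f"upgrade {f['name']} to {min_safe_version(findings, f['name'])}"}}
             for f in findings]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "vulnerabilities": vulns}

def build_evidence(sbom_json=SBOM_JSON, feed=FEED):
    """Parse the SBOM and return the prioritised patch queue plus the VEX document."""
    queue = patch_queue(open_findings(json.loads(sbom_json), feed))
    return {"queue": queue, "vex": to_vex(queue)}
```

Note that other-lib at 4.0.1 is already past its advisory's fixed version, so it produces no finding and no VEX entry; a real feed would also carry affected-range lower bounds, which this sketch omits.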

Straight with you: EO 14028 and the NIST Secure Software Development Framework are broad — secure build environments, provenance and build integrity, developer training, and a formal self-attestation. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the SBOM and vulnerability-management/disclosure portion specifically. It is not legal advice, not the attestation itself, and not a guarantee of acceptance. Confirm your obligations with your compliance team. Disclaimer.

Executive Order 14028 — frequently asked

What is Executive Order 14028?

EO 14028 ("Improving the Nation's Cybersecurity", May 2021) overhauled US federal software-supply-chain security. Its software provisions — implemented via NIST's Secure Software Development Framework (SP 800-218), the NTIA minimum SBOM elements, and OMB memos M-22-18 / M-23-16 — require software producers selling to federal agencies to attest to secure development practices and, increasingly, to provide a machine-readable SBOM and manage known vulnerabilities.

How does IsItPatched help with EO 14028?

Bring your CycloneDX or SPDX SBOM and IsItPatched gives you the component vulnerability picture the framework expects you to manage: which components have known CVEs, which are actively exploited (CISA KEV) so you can prioritise, the minimum safe version, end-of-life components, and an exportable VEX and risk register. It produces the SBOM-and-vulnerability evidence that supports the attestation — the part most generic tools handle weakly.

Does IsItPatched make us EO 14028 / SSDF compliant?

No. The Secure Software Development Framework is broad — secure build environments, provenance and build integrity, developer training, and a formal self-attestation. IsItPatched helps with the SBOM and vulnerability-management/disclosure portion specifically. It is informational, built on public data — not legal advice and not the attestation itself.

Selling into other regulated markets? See all our compliance editions →