White House Drops Burdensome Software Security Mandates

The White House Office of Management and Budget (OMB) has rescinded a set of software security mandates from the previous administration, citing them as burdensome and ineffective. On , the OMB issued Memorandum M-26-05, which revokes earlier policies and shifts the federal government’s cybersecurity focus to include hardware supply chain threats.

The new directive, Memorandum M-26-05, officially cancels two prior policies: M-22-18 from 2022 and its 2023 update, M-23-16. These mandates required federal agencies to obtain a self-attestation form from software producers, guaranteeing that their products met secure development guidelines established by the National Institute of Standards and Technology (NIST). The policies were a response to major cyber incidents, such as the SolarWinds intrusion, and emphasized the use of a Software Bill of Materials (SBOM) to inventory software components.

According to the new memo from OMB Director Russell Vought, the rescinded policies imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments. The memo further states that the previous approach diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware. The new guidance gives individual agency heads the responsibility to develop their own security policies based on specific risk assessments.

The most significant change in the new policy is the expanded focus on hardware security. While the previous mandates centered on software attestation and SBOMs, M-26-05 encourages agencies to adopt a more holistic, risk-based approach that includes the physical components of their technology infrastructure. The memo specifically encourages the use of Hardware Bill of Materials (HBOM) frameworks to increase resilience against sophisticated threats.

An HBOM is a list of every physical component used to build a product, providing information on the origin and configuration of parts. This allows organizations to assess supply chain risks, such as compromised components or reliance on untrusted manufacturers. The Cybersecurity and Infrastructure Security Agency (CISA) has been developing an HBOM framework to create a standardized way for vendors to communicate component information to purchasers.

The White House stated its rationale for the policy reversal was to move away from a one-size-fits-all compliance model. The OMB memo argues that the rigid attestation forms and SBOM requirements did not necessarily lead to better security outcomes and created significant administrative overhead for both agencies and software vendors. The new approach is intended to empower federal agencies to make their own risk-based decisions tailored to their unique operational environments. By rescinding the mandates, the administration aims to redirect resources from paperwork to what it considers more meaningful and customized cybersecurity investments.

While the new memorandum is effective immediately, it is not yet clear how quickly federal agencies will develop and implement their own tailored security assurance policies for software and hardware. The specific budgetary implications of this shift from centralized compliance to decentralized risk management have not been detailed. Furthermore, the memo does not specify deadlines or reporting requirements for agencies to demonstrate compliance with the new risk-based approach.

Federal agencies are no longer required to use the standardized attestation form or demand SBOMs but may continue to use these tools if they align with their risk assessments. Agencies must now develop and implement their own processes for validating the security of both software and hardware from providers. This change will likely alter the compliance landscape for technology vendors selling to the U.S. government, who may face varying requirements depending on the agency they work with.
