
The White House Office of Management and Budget (OMB) on Jan. 23 formally rescinded two Biden-era memoranda that required federal agencies to obtain software security attestations from software producers before deploying their products.
The move withdraws OMB Memorandum M-22-18 and its companion policy, M-23-16, which required federal agencies to take a range of actions to align with National Institute of Standards and Technology guidance on software security under former President Joe Biden’s May 2021 cybersecurity executive order.
In a memo to agency heads, OMB Director Russell Vought said the policies imposed “unproven and burdensome software accounting processes that prioritized compliance over genuine security investments.”
“This policy diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware. Accordingly, OMB Memoranda M-22-18 and M-23-16, a companion policy, are hereby rescinded,” Vought wrote.
In September 2022, the Biden administration issued M-22-18 as part of a broader push to strengthen software supply chain security following high-profile cyber incidents. Under that framework, the White House approved a government-wide secure software development attestation form in March 2024.
Later that month, the Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of the Repository for Software Attestation and Artifacts that software developers could use to share software attestation forms and relevant artifacts. CISA said the goal was to support agencies in procuring software built using secure development practices.
In rescinding the mandates, OMB emphasized that agencies may continue to use those tools – but will no longer be required to do so.
“Agencies shall continue to maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs,” Vought wrote.
“Agencies may choose to use the government-wide secure software development resources developed under M-22-18, such as the Secure Software Development Attestation Form,” he added. “Agencies may also choose to adopt contractual terms that require a software producer to provide a current software bill of materials (SBOM) upon request.”
OMB officials had signaled the change in advance. Nick Polk, branch director for federal cybersecurity at OMB, said last Tuesday that the administration planned “a pretty big step to remove some very burdensome compliance requirements.”
Polk added that Federal Chief Information Officer Greg Barbaccia is working every day to “move away from the over-prescriptive, compliance-based approach.”