The White House has announced that software security guidance issued during the Biden administration has been rescinded due to “unproven and burdensome” requirements that prioritized administrative compliance over meaningful security investments.
The US Office of Management and Budget (OMB) has issued Memorandum M-26-05, officially revoking the previous administration’s 2022 policy, ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices’ (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments.
“Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network,” reads the memo sent by the OMB to departments and agencies.
“There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment,” the OMB added.
While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.
It’s worth noting that the US government and its allies recently released new guidance on the advantages of widespread SBOM adoption.
M-26-05 also expands agency focus to include hardware supply chain threats, encouraging the use of Hardware Bill of Materials (HBOM) frameworks to ensure broader resilience against sophisticated threat actors.
Related: UK Government Unveils New Cyber Action Plan
Related: New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
Related: Cybersecurity Firms React to China’s Reported Software Ban
