The White House has announced that software security guidance issued during the Biden administration has been rescinded due to “unproven and burdensome” requirements that prioritised administrative compliance over meaningful security investments. According to the Office of Management and Budget (OMB), Memorandum M-26-05 revokes the previous administration’s 2022 policy M-22-18, together with the 2023 follow-up enhancements (M-23-16).
The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments. “Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network,” the memo states, adding that there is no universal, one-size-fits-all method of achieving that result.
Agencies may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18, while M-26-05 expands focus to include hardware supply chain threats via Hardware Bill of Materials (HBOM) frameworks.