www.darkreading.com 1/29/2026, 11:06:11 PM

Trump Administration Rescinds Biden-Era SBOM Guidance

The White House's Office of Management and Budget (OMB) has issued a memorandum rolling back Biden-era software security requirements, including those governing software bills of materials (SBOMs) and the related secure-development attestations. On 23 January, OMB Director Russell Vought issued M-26-05, which rescinds two earlier memos, M-22-18 and M-23-16, that had required agencies to collect self-attestations and SBOMs from the producers of the software they acquire.

M-26-05 removes the mandate. Vought states that the prior approach imposed unproven and burdensome processes and diverted agencies from addressing genuine security concerns. Agencies may still request SBOMs and attestations if they choose, but the government-wide expectation to do so is gone; agencies remain responsible for maintaining software inventories and for tailoring the assurances they require to their own risk.

Some security and industry figures have described the rollback as a potential disaster for supply-chain transparency, while others welcome a risk-based, outcome-focused approach aligned with NIST's Secure Software Development Framework (SSDF). The long-term impact will depend on how individual agencies use this flexibility; some warn that divergent agency requirements could fragment the market and undo recent security gains. According to OMB, agencies will be held accountable for security outcomes rather than for completing a universal compliance checklist.


Article by CyberSIXT