
OMB Memo Rescinds Mandatory Software Security Vetting


New OMB directive rescinds rules mandating software bill of materials, making SBOMs an option, not a requirement.


The Office of Management and Budget has rescinded two directives that required federal agencies to track and document the security requirements of commercial software and hardware they purchase.

The rescinded memos – M-22-18 and M-23-16 – required software and hardware vendors to provide agencies with detailed information about their products’ security features. OMB said the policies “imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments.”

Although the policies are rescinded, OMB said agencies will continue to maintain comprehensive software and hardware inventories, as well as hardware assurance policies aligned with their risk levels and mission needs.

New Directive Creates More Flexibility

Agencies may continue using governmentwide secure software development resources created under M-22-18. They also retain the option to request that software vendors provide a current software bill of materials (SBOM).

The rescinded Biden administration directives were issued in response to a cybersecurity incident in which hackers breached a software provider’s supply chain, forcing federal agencies to remove or pause use of the compromised software, Jean-Paul Deregeaux, federal CTO at GuidePoint Security, told GovCIO Media & Research in an interview.

Deregeaux said OMB later determined the requirements created unnecessary burdens by forcing agencies to require software providers to formally verify security practices. Some vendors opted out of doing business with the federal government to avoid the added cost and complexity, he said.

“This restricted federal agencies’ access to new and innovative software that was not SaaS [software as a service] hosted. Federal agencies were already missing new and innovative SaaS software due to FedRAMP requirements,” Deregeaux said.

The new memo introduces flexibility into federal software acquisition security, giving agencies greater autonomy in commercial off-the-shelf software procurement, Joel Krooswyk, former federal CTO at GitLab, told GovCIO Media & Research.

Krooswyk said emerging AI-native applications are changing what compliance and reporting requirements may look like. Rescinding the directives clears the way for new software development approaches and could accelerate AI adoption across agencies, he added.

More Options Means More Responsibility

From a cybersecurity perspective, the memo is a course correction, not a security rollback, Tim Amerson, GuidePoint Security’s federal field CISO, told GovCIO Media & Research. He noted that the rescinded directives were well-intentioned because they tried to increase visibility into software supply chain risks through standardized methods such as attestations and SBOMs. In practice, however, the effort was often optimized for documentation over risk reduction.

The new memo shifts focus back to agency accountability for outcomes, giving CIOs more flexibility with acquisitions, but only if they accept the risk.

“Security decisions are now explicitly tied to mission risk, the threat environment, and operational impact, rather than to a universal checklist. … The safety railings are gone. Leadership now has to make defensible, risk-based decisions and be able to explain them to inspectors, auditors and Congress,” Amerson said.

With SBOMs now optional, Amerson expects agencies to follow three patterns:

  • High-risk, high-impact systems: These will still require SBOMs, hardware BOMs, attestations and third-party assessments, but they will be used intentionally and selectively for mission-critical systems.
  • Lower-risk or well-understood environments: Agencies will rely on established vendor trust models, existing contracts, FedRAMP artifacts and historical performance rather than requiring new paperwork.
  • Mature organizations: These will integrate SBOMs and similar artifacts into continuous risk telemetry, not procurement checklists.

“This memo restores professional judgement to cybersecurity leadership. It rewards agencies that understand their investments, their missions and their adversaries, and it pressures others to grow up fast,” Amerson said.
