What's Happening?
The White House has rescinded software supply chain security guidance issued during the Biden administration, describing its requirements as 'unproven and burdensome.' The Office of Management and Budget (OMB) has issued Memorandum M-26-05, which formally revokes the 2022 policy 'Enhancing the Security of the Software Supply Chain through Secure Software Development Practices' (M-22-18) and its 2023 update (M-23-16). M-22-18 had required agencies to collect attestations from software producers that their development practices conformed to NIST SP 800-218, the Secure Software Development Framework (SSDF). The new directive instead places the onus on individual agency heads to set their own software and hardware security policies, tailored to their mission needs and risk assessments. Agencies are encouraged to validate supplier security through secure development principles and their own risk assessments. Secure software development attestation forms and Software Bills of Materials (SBOMs) are no longer mandatory, though agencies may continue to use them.
Why Is It Important?
The shift moves federal software supply chain security from a single government-wide baseline to decentralized, agency-specific policies. The stated aim is to let agency heads match controls to their mission and risk profile, which may free resources that were spent collecting attestation forms and SBOMs from vendors and could, in principle, strengthen the posture of individual agencies. The trade-off is that responsibility now rests with each agency head, and without a common floor, security standards are likely to vary from one agency to the next; a vendor selling to several agencies may face several different sets of requirements, or none at all. The rescission fits a broader push to cut administrative requirements in favor of what the administration describes as more practical security investments.
What's Next?
Agencies will need to review their current security frameworks and write new policies aligned with their own needs and risk profiles, which may mean closer collaboration with cybersecurity experts and other stakeholders. The new guidance's emphasis on hardware supply chain threats means agencies will also need to consider broader resilience measures against sophisticated threat actors, and Hardware Bill of Materials (HBOM) frameworks could become a key component of those strategies. Agencies that have already built SBOM intake and attestation workflows around M-22-18 can keep them; the memo removes the mandate, not the practice.