ARTICLE
24 February 2026

OMB Rescinds Biden-Era Software Security Memoranda

Mayer Brown

Contributor

Mayer Brown is an international law firm positioned to represent the world’s major corporations, funds, and financial institutions in their most important and complex transactions and disputes.
Adam S. Hickey’s articles from Mayer Brown are most popular:
  • with readers working within the Business & Consumer Services industries

On January 23, 2026, the Office of Management and Budget issued Memorandum M-26-05 (the "Memorandum"), formally rescinding two Biden Administration memoranda (M-22-18 and M-23-16) that had required federal agencies to obtain secure software development attestations from software producers before deploying their products. The Memorandum eliminates the government-wide mandate, faulting the Biden Administration for having imposed "unproven and burdensome software accounting processes that prioritized compliance over genuine security investments" and for "divert[ing] agencies from developing tailored assurance requirements for software and neglect[ing] to account for threats posed by insecure hardware." The Memorandum instead directs federal agencies—at the individual agency level—to develop software and hardware assurance policies tailored to their own risk determinations and mission needs.

While responsibility shifts to individual agencies under the Memorandum, key obligations remain in place under the new framework. Most fundamentally, agency heads remain responsible for the security of hardware and software on their networks. To this end, agencies "should validate provider security utilizing secure development principles and based on a comprehensive risk assessment." To achieve this goal, agencies must continue to maintain complete inventories of both software and hardware. They must also develop software and hardware assurance policies and processes aligned with their specific risk determinations and operational needs.

The Memorandum does not discard the work of the Biden Administration on software security. Rather, work done at the direction of the now-rescinded memoranda is now treated as a discretionary resource rather than as a set of requirements that apply across agencies. For example, resources developed under M-22-18—such as the Secure Software Development Attestation Form—remain available for use by agencies, but agencies are no longer required to use them. Agencies may also choose to adopt contractual terms requiring software producers to provide a current software bill of materials (SBOM) upon request. For cloud platforms specifically, the Memorandum advises agencies that adopt SBOM terms to specify that the producer must provide an SBOM of the runtime production environment upon request.

The Memorandum points agencies to the following guidance they can leverage as they build tailored programs:

For software and hardware providers to the federal government, the practical effect of the Memorandum is a shift from uniform requirements to a decentralized, agency-specific approach. How this will affect agency security requirements in practice remains to be seen, but contractors will now need to monitor individual agencies for agency-specific requirements, and will no longer be able to rely on a single, standardized federal framework.


Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2026. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
