The Director of the United States’ Office of Management and Budget has announced that, as of January 23, a memorandum introduced during the Biden administration that requires government agencies to invest in secure software has been officially rescinded.
“OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-22-18), imposed unproven and burdensome software accounting processes that prioritised compliance over genuine security investments,” Russell T. Vought, the OMB’s Director, said in a memorandum addressed to the heads of executive departments and agencies.
“This policy diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware. Accordingly, OMB Memoranda M-22-18 and M-23-16, a companion policy, are hereby rescinded.”
Vought said that government agencies will continue to maintain accurate inventories of software and hardware while also developing policies that “match their risk determinations and mission needs”. Agencies may also refer to resources developed under M-22-18 on an opt-in basis, but, essentially, each agency is now responsible for its own software security posture.
“Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network. There is no universal, one-size-fits-all method of achieving that result,” Vought said.
“Each agency should validate provider security utilising secure development principles and based on a comprehensive risk assessment.”
Vought’s reference to “unproven and burdensome software accounting processes” is a direct quote from a White House fact sheet published in June 2025.
Patrick Münch, CSO and Co-Founder of vulnerability management firm Mondoo, called the OMB’s move a “step backward at precisely the wrong moment”.
“The original directive used federal purchasing power to establish baseline security expectations across vendors. Recent attacks like Shai-Hulud show we've entered a new era. Software supply chain attacks are no longer passive traps but active, self-propagating threats targeting developer identity and CI/CD pipelines,” Münch told Cyber Daily.
“Eliminating a unified attestation standard degrades federal entities' security posture just as adversaries are scaling theirs, and means that even more focus should be placed on pervasive vulnerability management and the automated monitoring of code and the infrastructure it runs on.
“Even if government entities are no longer looking for attestations of trustworthiness from their software vendors, they should still verify their deployments and code.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.