On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05, “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a Biden Administration requirement that all federal agencies obtain a self-attestation from software producers, using the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA), before using certain third-party software.  As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware.  Memorandum M-26-05 signals that the federal government is moving away from a “one-size-fits-all” approach to software security and will instead allow each agency to develop tailored requirements.  In creating their own assurance requirements, agencies may still require a self-attestation and/or a Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.

Background

Memorandum M-26-05 reverses the attestation requirement imposed by two memoranda: Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” and companion memorandum M-23-16, “Update to Memorandum M-22-18.”  Issued in September 2022, M-22-18 aimed to strengthen the federal government’s software supply chain by requiring all agencies to obtain an attestation from software providers that the providers comply with the National Institute of Standards and Technology (NIST) guidance on software security.  “Software” was broadly defined to include firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software.  M-22-18 also required agencies to take inventory of all software subject to this requirement and, as part of this effort, gave agencies the discretion to require software offerors to submit SBOMs, an inventory of the components used to build a software product.  M-26-05 appears to leave this inventory-taking requirement in place, as noted further below.

M-23-16 subsequently clarified that the attestation requirement applied to producers of the software end product used by an agency.  If a producer was not able to provide the attestation for its product, an agency was required to seek from OMB an extension of the deadline for submitting the attestation in order to continue using the product.

In March 2024, OMB, together with CISA, released the Secure Software Development Attestation Form, or the “Common Form,” for all federal agencies to use to obtain the attestation from software producers.

Summary of Memorandum M-26-05

In issuing M-26-05, OMB Director Russell T. Vought stated that M-22-18 and M-23-16 imposed “unproven and burdensome software accounting processes that prioritized compliance over genuine security investments.”  By rescinding these memoranda, OMB now allows agencies to develop their own ways to validate software security by “utilizing secure development principles and based on a comprehensive risk assessment,” although it is unclear whether M-26-05’s own references to “software” are necessarily as broad as the definition in M-22-18, as M-26-05 does not define “software.” 

In particular, M-26-05 relieves agencies from any requirement to use the Common Form.  In place of the Common Form, M-26-05 requires each agency to adopt a “risk-based” approach to ensuring software and hardware security that is tailored to that agency’s software needs and circumstances.  

To be clear, M-26-05 does not prohibit agencies from using resources developed under M-22-18.  M-26-05 states that agencies can still choose to use the Common Form, along with the NIST secure software development standards and other NIST resources, as part of such a tailored approach.  More significantly, M-26-05 states that “an agency may choose to adopt contractual terms that require a software provider to provide a current SBOM upon request.”  

The only limitation, or clarification, that M-26-05 imposes on an agency’s discretion is if an agency requires an SBOM “for a cloud provider, agencies adopting such a contractual term should specify that the producer must provide an SBOM of the runtime production environment upon request.”  In other words, if an SBOM is required by an agency, Cloud Service Providers should be prepared to provide information for the live production environment used to provide the service, and not just information derived from test environments or software lists.  In addition, agencies are still required to continue maintaining a complete inventory of software. 

M-26-05 now answers the question that we presented in the summer of last year regarding whether software attestations would remain mandatory requirements after the Trump Administration rescinded only one out of two Biden-era cybersecurity executive orders.  That action eliminated the executive order requirements to iterate on the secure software acquisition framework developed under the Biden Administration, but left the fundamental attestation framework set forth under the non-rescinded executive order in place. 

Takeaways

The memorandum represents one of the few areas where we have seen a divergence between the Biden and Trump administrations in the area of cybersecurity.  Even with the rescission of the Biden OMB memoranda, agencies may still “choose to use” the prior resources that were developed in connection with those memoranda, including the Common Form.

It remains uncertain whether, and how quickly, agencies will develop individualized processes for evaluating software providers.  Companies seeking to provide software products to the federal government should closely monitor announcements regarding agency‑specific requirements and proactively participate in agencies’ risk‑assessment activities for developing these requirements.  Additionally, companies should not take this new action as a pass on software security, particularly given lead times that can be significant in the software development process.  Along these lines, companies should ensure they are prepared to submit software inventory information upon request.  

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.


Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under President Trump’s AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual-use foundation models.
Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Peter Terenzio

Peter Terenzio advises clients regarding the regulatory requirements that govern federal contractors and grantees. He focuses on helping clients navigate the Cost Accounting Standards (CAS) and the cost principles in FAR Part 31 and 2 CFR Part 200. He also routinely advises on Other Transaction Authority (OTA) research, prototype, and production agreements.

Peter works on accounting, cost, and pricing matters, including providing day-to-day compliance advice; assisting with responses to audits, investigations, and findings of potential noncompliance; and performing internal investigations of alleged violations. He also advises on other regulatory regimes, including the complicated prevailing wage rules imposed by the Davis-Bacon Act (DBA) and Service Contract Act (SCA). He has particular experience with prototype OTAs issued in cutting-edge fields, including quantum computing and biotechnology.

Peter also represents contractors in disputes arising under contracts and grants. He knows how to work closely with the client’s subject matter experts to prepare and submit detailed requests for equitable adjustment (REAs) to secure price or schedule relief. When contract disputes cannot be resolved amicably, he has helped clients in litigation before federal courts and the Boards of Contract Appeals.

Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.

Akash Shah

Akash is an associate in the firm’s Washington, DC office and a member of the Government Contracts and Life Sciences Transactions Practice Groups.

Akash also maintains an active pro bono practice focused on civil rights and immigration matters.

Eunsun Cho

Eunsun Cho is an associate in the Government Contracts Practice Group. She assists clients on a range of regulatory and compliance issues.

Eunsun also maintains an active pro bono practice.