The Office of Management and Budget has issued a memorandum directing federal agencies to adopt a risk-based approach to software and hardware security by implementing secure development principles and comprehensive risk assessments.
As federal guidance on software and hardware security continues to evolve, stakeholders across government and industry are closely watching how these changes may shape future priorities. To connect with peers and stay engaged in broader cybersecurity discussions, register now for the Potomac Officers Club’s 2026 Cyber Summit on May 21.
Table of Contents
Why Did OMB Rescind the Previous Software Security Policies?
In a memo published Friday, OMB Director Russell Vought ordered the rescission of two prior OMB policies, stating that they prioritized compliance over security and imposed burdensome software accounting requirements.
OMB Memorandum M-22-18, introduced by the previous administration in September 2022, sought to strengthen the software supply chain through secure software development practices. However, Vought said the policy “diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware.”
OMB also rescinded a companion policy, Memorandum M-23-16, issued in June 2023. That memo reaffirmed secure software development practices and extended deadlines for agencies to collect security attestations from software providers.
What Software & Hardware Security Actions Does the OMB Memo Require?
According to the latest OMB guidance, agencies should continue to maintain complete inventories of their software and hardware and develop assurance policies and processes that align with their risk determinations and mission needs.
Agencies may choose to use the Secure Software Development Attestation Form and other governmentwide resources established under M-22-18.
The memo also allows agencies to incorporate contractual terms requiring software producers to provide a current software bill of materials upon request.
Related Articles
Miranda Coleman announced on LinkedIn Monday that she has been appointed acting program executive officer for the U.S. Army Program Executive Office Enterprise. Join Army and industry leaders at the Potomac Officers Club’s 2026 Army Summit on June 18 to examine post-transformation priorities, contracting changes and progress toward the Army’s 2030 goals. Save your seat now! Who Is Miranda Coleman? Miranda Coleman is an experienced acquisition and technology leader who has held senior roles at Army PEO Enterprise. Prior to her promotion, she held the acting deputy program executive officer role, spearheading four O-6–led project management offices aligned with the Army’s
The U.S. Army retired the Standard Procurement System for the Army, or SPS-A, in mid-December to further advance the implementation of a single, enterprisewide platform designed to streamline contract development, management and execution in support of the service branch’s mission. As the Army continues to modernize enterprise systems and processes, efforts such as the transition to ACWS highlight the scale and complexity of the change underway. Broader discussions on Army priorities and initiatives will take place at the Potomac Officers Club’s 2026 Army Summit. Save your spot at this must-attend event! What Does ACWS Stand For? ACWS stands for the
The National Institute of Standards and Technology has released an initial preliminary draft of Special Publication 800-82 Revision 4, launching a public comment period as part of its effort to update federal guidance on operational technology, or OT, cybersecurity. Get your tickets to the Potomac Officers Club’s 2026 Cyber Summit on May 21 to hear government and industry leaders address evolving cyber threats. Why Is NIST Revising Special Publication 800-82? The agency intends to update Special Publication 800-82, or the Guide to Operational Technology (OT) Security, to reflect lessons learned, ensure consistency with related NIST guidance and account for the evolving