White House Rejects Biden Administration’s Software Security Regulations

Standards, Regulations & Compliance

Analysts Raise Concerns Over Federal Assurance Standards Following Policy Reversal


Cybersecurity analysts are divided over the White House’s decision to retract the software attestation requirements established during the Biden administration. Some see the rollback as a response to widespread disillusionment with compliance-focused security measures; others warn that, without replacement requirements, federal agencies could end up with inconsistent security safeguards.

The Office of Management and Budget (OMB) has revoked two directives that required agencies to obtain software security attestations from vendors before deploying their products. The reversal is a significant setback for the previous administration’s efforts to secure the federal software supply chain. The rescinded policies are OMB Memorandum M-22-18 and its companion, M-23-16, which directed agencies to collect vendor self-attestations aligned with National Institute of Standards and Technology (NIST) guidance issued under the 2021 cybersecurity executive order (Executive Order 14028).

In a new memo, OMB Director Russell Vought labeled the previous policies as “unproven and burdensome,” critiquing their focus on compliance documentation rather than substantive risk mitigation. He stated that the earlier mandate diverted agencies from creating customized assurance criteria pertinent to their unique security challenges.

The original requirements aimed to operationalize federal cybersecurity initiatives in the wake of the SolarWinds supply chain incident, urging agencies to demand secure software development attestations, along with software bills of materials, before using commercial products. These measures required software producers to confirm alignment with NIST’s Secure Software Development Framework (SSDF, NIST SP 800-218), which promotes practices such as threat modeling and vulnerability assessment throughout the development lifecycle.

Industry response to the rollback has been mixed. Some experts argue that the compliance-centric approach undercut its own effectiveness, turning attestation into an administrative exercise with limited security benefit. Others caution that eliminating the baseline requirement could fragment security assurance across federal agencies.

Kevin Greene, chief cybersecurity technologist for public sector at BeyondTrust, described the memorandum’s implications as a reactionary shift that misplaces liability on software producers while neglecting established best practices known to improve software quality and security. He remarked that the development could undermine the long-term integrity of software security initiatives, leaving providers uncertain about their direction.

While OMB’s updated guidance does not prohibit the use of attestations or related documentation, it makes them optional rather than mandatory. Agencies are now instructed to maintain software and hardware inventories and to devise assurance requirements that correspond to their own risk assessments.

Tim Mackey, head of software supply chain risk strategy at Black Duck, noted that withdrawing the guidance effectively removes key software assurance tenets tied to the earlier executive directives, leaving zero-trust frameworks and software bills of materials as the remaining pillars of the federal software security foundation. He added that self-attestations have inherent limitations: although they are aligned with the Secure Software Development Framework, they should be seen as one signal within a broader need for improved cybersecurity practices.

Conversely, some experts view the shift toward a risk-based decision-making approach favorably. David Brumley, chief AI and science officer at Bugcrowd, argued that blanket policies often lead to “compliance-by-paperwork” rather than substantive validation, asserting that proactive security testing yields more reliable assurance.
