In a significant development for the global cybersecurity landscape, the United States government has announced a major shift in how software supply chain security is managed. The White House has recently rescinded specific software security guidance that was previously issued, moving away from what were described as unproven and burdensome administrative requirements. This change marks a transition from strict, universal mandates toward a more flexible, risk-based approach to digital defence.
Understanding the Policy Change
The US Office of Management and Budget (OMB) has issued Memorandum M-26-05. This document officially revokes previous policies—specifically Memorandum M-22-18 and its 2023 update M-23-16—which focused on enhancing the security of the software supply chain through rigid administrative compliance.
Under the previous guidance, agencies had to collect secure software development self-attestation forms from software producers and could require a Software Bill of Materials (SBOM) as supporting evidence. The new memorandum argues that these requirements prioritised administrative paperwork over meaningful security investment. With the mandates rescinded, responsibility shifts to individual agency heads, who must develop security policies tailored to their own mission needs and risk assessments.
The Role of SBOM and HBOM in the New Framework
A Software Bill of Materials (SBOM) is essentially a list of ingredients for a piece of software: every component, library and dependency it is built from, ideally with versions and identifiers that can be matched against vulnerability data. When a vulnerability is disclosed in a component, an organisation with an SBOM can quickly determine whether, and where, it is exposed.
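As an added example (not part of the original article), the following Python script shows the lookup an SBOM makes possible: it parses a minimal CycloneDX JSON document, joins each component to a list of advisories on its package URL (purl), and reports both the affected components and those it could not assess. The SBOM contents, the `vendor-sdk` entry and the `version_key` comparator are constructed for illustration; the two advisories named are real, but their version ranges are transcribed by hand here rather than pulled from a live feed.

```python
"""Match a CycloneDX SBOM against vulnerability advisories.

Added example: the SBOM below is constructed, and the advisory list is
hand-encoded for illustration rather than fetched from a live source.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CycloneDX 1.5 JSON SBOM (not any real product's SBOM).
# The purl is the identifier that joins SBOM entries to advisories;
# "vendor-sdk" deliberately has none, to show how that case is handled.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "vendor-sdk", "version": "1.4.2"},
    {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    id: str
    coords: str            # purl without its @version, e.g. pkg:pypi/requests
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None if unfixed


# Real advisories; the ranges are transcribed by hand for this example.
ADVISORIES = [
    Advisory("CVE-2021-44228",
             "pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.15.0"),
    Advisory("CVE-2023-32681", "pkg:pypi/requests", "2.3.0", "2.31.0"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Order purely numeric dotted versions (so 1.2.10 > 1.2.9).

    Pre-release tags, Maven qualifiers and PEP 440 suffixes raise ValueError:
    a real tool should use the ecosystem's own comparator rather than guess.
    """
    parts = re.split(r"[.\-]", version)
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"cannot order non-numeric version {version!r}")
    return tuple(int(p) for p in parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a purl into (coordinates, version), dropping ?qualifiers/#subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        coords, version = base.rsplit("@", 1)
        return coords, version
    return base, None


def match_sbom(sbom_json: str, advisories: List[Advisory]):
    """Return (findings, unassessed).

    findings:   (name, version, advisory id) for components in an affected range.
    unassessed: (name, version, reason) for components that could not be checked.
                These must be reported: silently skipping them reads as "clean".
    """
    bom = json.loads(sbom_json)
    findings, unassessed = [], []
    for comp in bom.get("components", []):
        name, purl = comp.get("name"), comp.get("purl")
        if not purl:
            unassessed.append((name, comp.get("version"), "no purl"))
            continue
        coords, version = split_purl(purl)
        if version is None:
            unassessed.append((name, None, "purl has no version"))
            continue
        for adv in advisories:
            if adv.coords != coords:
                continue
            try:
                v = version_key(version)
                affected = (version_key(adv.introduced) <= v
                            and (adv.fixed is None or v < version_key(adv.fixed)))
            except ValueError:
                unassessed.append((name, version, f"unparseable version for {adv.id}"))
                continue
            if affected:
                findings.append((name, version, adv.id))
    return findings, unassessed


if __name__ == "__main__":
    hits, gaps = match_sbom(SBOM_JSON, ADVISORIES)
    for name, version, adv_id in hits:
        print(f"AFFECTED   {name} {version}: {adv_id}")
    for name, version, reason in gaps:
        print(f"UNASSESSED {name} {version}: {reason}")
```

Two details carry the practical lesson. The `requests` entry sits exactly on the fixed version, so an off-by-one in the range check (`<=` instead of `<`) would produce a false positive; and the components that cannot be matched, because they lack a purl or carry a version the comparator cannot order, are surfaced as unassessed rather than dropped, since an SBOM-driven check that quietly skips entries gives a false sense of coverage.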
While the mandatory requirement has been lifted for federal agencies, SBOMs themselves have not been discarded. Agencies are still encouraged to consider SBOMs and secure software development attestation forms as part of their broader security strategy. The shift is not a rejection of the technology, but a move away from a “one-size-fits-all” requirement that may not suit every environment.
Furthermore, the new guidance expands its focus to include hardware supply chain threats. It encourages the consideration of Hardware Bill of Materials (HBOM) frameworks. This suggests a growing recognition that sophisticated threat actors often target hardware as well as software, and that a holistic view of the supply chain is necessary for true resilience.
What This Means for Your Organisation
For current and potential clients of Vertex, this shift highlights an important principle in cybersecurity: effective security is rarely achieved through compliance alone. While government mandates provide a baseline, the most robust protections are often those that are tailored to the specific risks an organisation faces.
Consider the following strategies for your own supply chain security:
- Prioritise Risk Assessment: Rather than working through a generic checklist, conduct a thorough risk assessment to understand which parts of your software and hardware supply chain are most critical.
- Maintain Transparency: Even without a mandate, maintaining an SBOM gives you clarity on your software dependencies and a starting point for determining your exposure when a new vulnerability is disclosed.
- Evaluate Hardware Security: Consider the potential risks associated with your hardware providers and explore how HBOM frameworks might contribute to a stronger defence.
- Focus on Secure Development: Implementing secure development principles throughout the software lifecycle remains a highly effective way to mitigate risks before they reach production.
Navigating an Evolving Security Landscape
The cybersecurity environment is constantly changing, and staying informed about policy shifts, including those in other jurisdictions, is vital for maintaining a strong defence. The White House's move to rescind mandatory attestation and SBOM requirements reflects a broader trend toward letting organisations make informed, risk-based decisions rather than simply clearing administrative hurdles.
At Vertex, we believe that high-quality cybersecurity is about more than just ticking boxes. It is about implementing practical, effective measures that protect your data and your reputation. Our team of experts is dedicated to helping organisations navigate these complexities and develop security strategies that are both professional and practical.
If you would like to learn more about how these changes might impact your security strategy, or if you require assistance in enhancing your supply chain resilience, please contact Vertex for further information.