Trump administration rescinds Biden OMB secure software memo<\/title> <meta name=\"description\" content=\"Trump administration rescinds Biden\u2019s OMB secure software memo M-22-18, ending the federal attestation form and shifting agencies to risk-based validation of software supply-chain security.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/omb-rescinds-burdensome-biden-era-secure-software-memo\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"OMB drops Biden\u2019s secure software attestation rule for federal purchases\"> <meta property=\"og:description\" content=\"Trump administration rescinds Biden\u2019s OMB secure software memo M-22-18, ending the federal attestation form and shifting agencies to risk-based validation of software supply-chain security.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/omb-rescinds-burdensome-biden-era-secure-software-memo\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-26T22:11:39+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-26T22:12:53+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1257\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:title\" content=\"OMB rescinds \u2018burdensome\u2019 Biden-era secure software memo\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1767719924g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87550\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87550\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fomb-rescinds-burdensome-biden-era-secure-software-memo%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fomb-rescinds-burdensome-biden-era-secure-software-memo%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87550 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/omb-rescinds-burdensome-biden-era-secure-software-memo\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.555679287305\">\n<div class=\"single-article__header-content\" readability=\"34.654205607477\">\n<p> Russell Vought\u2019s updated memo using a common attestation form voluntary. A critic told CyberScoop it\u2019s the \u201cfirst major policy step back\u201d on cybersecurity under Trump. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87550\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"419\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo.jpg?resize=640%2C419&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=300,196 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=768,503 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=1024,670 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=1536,1006 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=600,393 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=257,168 257w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=515,337 515w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=1031,675 1031w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-2.jpg?resize=1288,843 1288w\" sizes=\"(max-width: 1031px) 100vw, 1031px\"><figcaption> da-kuk, Getty Images <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"27.742872228089\"><body readability=\"58.720972644377\"><\/p>\n<p>The Trump administration is rescinding a Biden-era memo that was intended to help agencies buy secure software, with the current Office of Management and Budget saying it relied on \u201cunproven and burdensome\u201d processes.<\/p>\n<p>A former Biden administration official said the move is \u201cthe first major policy step back that I have seen in the administration on a cybersecurity front.\u201d<\/p>\n<p>At issue is the 2022 OMB memo titled \u201cEnhancing the Security of the Software Supply Chain through Secure Software Development Practices,\u201d <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/09\/M-22-18.pdf\">M-22-18<\/a>. The administration rescinded the memo Friday.<\/p>\n<p>That memo led to the creation of a common <a href=\"https:\/\/www.cisa.gov\/secure-software-attestation-form\">\u201cSecure Software Development Attestation Form\u201d<\/a> for government agencies that contractors had to use to vouch that their software adheres to a set of security practices. Agencies couldn\u2019t buy from software vendors that couldn\u2019t attest to the security of their products.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cEach agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency\u2019s network,\u201d OMB Director Russell Vought wrote in <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2026\/01\/M-26-05-Adopting-a-Risk-based-Approach-to-Software-and-Hardware-Security.pdf\">a brief memo<\/a> Friday to agency heads. \u201cThere is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.\u201d<\/p>\n<p>Nick Leiserson, who served as assistant national cyber director for cyber policy and programs under Biden\u2019s Office of the National Cyber Director, told CyberScoop that rescinding the 2022 memo was a step backward because the memo was meant to use government purchasing power to influence the market, and its repeal \u201cis not good for the security of government systems and for the software that\u2019s used throughout the whole U.S. economy.\u201d<\/p>\n<p>The memo stemmed from the first Biden administration executive order, a response to the major SolarWinds breach that led to agencies being penetrated by alleged Russian hackers, among other notable cyber incidents.<\/p>\n<p>Rescinding it leaves nothing in its place, said Leiserson, now senior vice president for policy at the Institute for Security and Technology, at a time of rising exploitation of software vulnerabilities.<\/p>\n<p>Friday\u2019s decision doesn\u2019t ban everything from the 2022 memo. Vought said agencies could use the common attestation form if they choose; agencies must \u201cmaintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs\u201d; and that agencies could adopt contract terms that require software makers to provide a list of software ingredients, known as a software bill of materials, upon request.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Lieserson disputed the idea that the 2022 memo was burdensome, based on <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-04\/Self_Attestation_Common_Form_FINAL_508c.pdf\">government estimates<\/a> that the common form would consume three hours and 20 minutes of paperwork. And Leiserson said rescinding it goes against the Trump administration\u2019s goal of <a href=\"https:\/\/cyberscoop.com\/tag\/cybersecurity-harmonization\/\">deconflicting a tangle of cybersecurity rules<\/a>: In the place of one common form for all contractors, agency-by-agency forms will increase the regulatory burden.<\/p>\n<p>The Trump administration had previously signaled a desire to <a href=\"https:\/\/cyberscoop.com\/trump-administration-cybersecurity-executive-orders-policy-changes-2025\/\">roll back other cybersecurity directions<\/a> for agencies from President Joe Biden.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/omb-rescinds-burdensome-biden-era-secure-software-memo-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/omb-rescinds-burdensome-biden-era-secure-software-memo\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trump administration rescinds Biden OMB secure software memo Skip to<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2501,2178,117,4439,656,5853,1571,439,817,4257,270,1276,626],"tags":[2504,2179,119,4440,658,5854,1572,443,821,4258,276,1278,631],"class_list":["post-8298","post","type-post","status-publish","format-standard","hentry","category-contracting","category-cybersecurity-harmonization","category-government","category-institute-for-security-and-technology","category-national-cyber-director","category-nick-leiserson","category-office-of-management-and-budget","category-policy","category-regulation","category-russell-vought","category-russia","category-secure-by-design","category-solarwinds","tag-contracting","tag-cybersecurity-harmonization","tag-government","tag-institute-for-security-and-technology","tag-national-cyber-director","tag-nick-leiserson","tag-office-of-management-and-budget","tag-policy","tag-regulation","tag-russell-vought","tag-russia","tag-secure-by-design","tag-solarwinds"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/contracting\/\" rel=\"category tag\">contracting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-harmonization\/\" rel=\"category tag\">cybersecurity harmonization<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/institute-for-security-and-technology\/\" rel=\"category tag\">Institute for Security and Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-cyber-director\/\" rel=\"category tag\">National Cyber Director<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nick-leiserson\/\" rel=\"category tag\">Nick Leiserson<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/office-of-management-and-budget\/\" rel=\"category tag\">office of management and budget<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/regulation\/\" rel=\"category tag\">regulation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russell-vought\/\" rel=\"category tag\">Russell Vought<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category tag\">secure-by-design<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/solarwinds\/\" rel=\"category tag\">SolarWinds<\/a>","tag_info":"SolarWinds","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8298"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8298\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8298,"date":"2026-01-26T16:11:39","date_gmt":"2026-01-26T22:11:39","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87550"},"modified":"2026-01-26T16:11:39","modified_gmt":"2026-01-26T22:11:39","slug":"omb-rescinds-burdensome-biden-era-secure-software-memo","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/26\/omb-rescinds-burdensome-biden-era-secure-software-memo\/","title":{"rendered":"OMB rescinds \u2018burdensome\u2019 Biden-era secure software memo"},"content":{"rendered":"