
"The Office of Management and Budget (OMB) issued Memorandum M-26-05 (PDF) which officially revokes the 2022 policy known as M-22-18 and its 2023 companion policy, M-23-16. This reversal alters the governance landscape for enterprise architects and platform engineers who service federal contracts or align with federal standards. The previous directives mandated specific secure software development practices, including the widespread generation and maintenance of Software Bills of Materials (SBOMs)."
"The new memorandum from OMB Director Russell T. Vought argues that M-22-18 'imposed unproven and burdensome software accounting processes that prioritised compliance over genuine security investments.' Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, notes that in rescinding M-22-18, the new memo effectively rolls back the software assurance elements described in Executive Order 14028. 'Only the zero trust and SBOM topics remain as important elements of EO 14028,' Mackey explains."
"The central premise of the new guidance is a decentralisation of security authority. Responsibility now rests explicitly with individual agency heads to determine the appropriate security posture for their specific environments. The OMB states there is 'no universal, one-size-fits-all method' for securing government networks. For technical leads, this suggests a departure from rigid and almost checklist-based compliance toward a model that prioritises threat modelling and context."
OMB Memorandum M-26-05 revokes M-22-18 and its 2023 companion M-23-16, withdrawing the federal mandates for specific secure software development practices and for widespread generation and maintenance of Software Bills of Materials (SBOMs). The memo characterises the revoked policies as imposing unproven and burdensome software accounting processes that prioritised compliance over genuine security investments. Authority over security posture now sits with individual agency heads, on the stated basis that there is no universal, one-size-fits-all method for securing government networks, which points agencies toward context-driven threat modelling rather than checklist-based compliance. Per Black Duck's Tim Mackey, the rescission effectively rolls back the software assurance elements of Executive Order 14028, leaving zero trust and SBOMs as the EO's remaining important elements.
Read at Developer Tech News