In a memo issued by the White House's Office of Management and Budget (OMB), the previous administration's software security regulations are being rolled back. This includes the use of software bills of materials (SBOMs) to help ensure secure software development practices, in accordance with NIST guidelines and recommendations. However, security experts disagree about what that actually means.
OMB Director Russell Vought issued M-26-05 on January 23, rescinding two memorandums signed in 2022 and 2023 (M-22-18 and M-23-16, respectively). The more significant of the two, M-22-18, mandated that federal agencies request a self-attestation from commercial software manufacturers attesting that contracted software complies with NIST secure development guidelines, and recommended the use of SBOMs in certain cases.
Instead of using a general checklist, security decisions are now specifically linked to mission risk, the threat environment, and operational impact. That aligns far better with zero-trust principles, modern risk management, and how adversaries actually operate. According to NetRise CEO Tom Pace, the new rules give agencies the freedom to concentrate their attention on high-impact systems and vital infrastructure "without forcing low-risk or commodity software through the same process."

## Secure Software Rollbacks: The Potential Long-Term Impact for Organizations

One would hope that the new memorandum would mean a move away from granular documentation and toward more thoughtful, case-by-case thinking.
In an ideal world, agencies would then actively participate in determining whether software is secure, raising standards for all vendors. Williams, on the other hand, believes that is not the most likely result. He states, "I anticipate that most vendors will do the bare minimum and that procurement will have no way to verify [the security of software an organization is buying]."