In a January 23, 2026, memorandum, the US Office of Management and Budget (OMB) formally rescinded the federal government’s software supply chain security mandates, ending a policy framework that had shaped agency procurement and vendor assurance practices since 2022. The decision eliminates the government-wide requirement that agencies use standardized mechanisms such as secure software development attestations and software bills of materials (SBOMs) when evaluating software suppliers.

The rescinded policies, including Memoranda M-22-18 and M-23-16, were introduced in response to high-profile supply chain compromises and aimed to establish a uniform baseline for software assurance across civilian agencies. Under that framework, vendors were required to attest to secure development practices and provide SBOMs as a condition of federal procurement, embedding compliance artifacts directly into acquisition workflows.

OMB’s new guidance argues that this approach overemphasized documentation and software accounting at the expense of measurable security outcomes. According to the memo, the prior mandates imposed unproven and burdensome processes that constrained agencies’ ability to align assurance requirements with their actual threat models and mission priorities. The policies are described as diverting attention from tailored risk management while failing to address vulnerabilities introduced through hardware supply chains.

Under the revised approach, agencies retain full responsibility for securing the software and hardware permitted on their networks but are no longer required to follow a standardized set of supply chain controls. Instead, OMB directs agencies to define assurance requirements based on mission needs, operational risk, and internal assessments. Tools such as SBOMs and development attestations are positioned as optional inputs rather than mandatory controls, to be used where agencies determine they add operational value.

A notable aspect of the new guidance is its explicit elevation of hardware supply chain risk. OMB states that earlier software-focused policies neglected threats introduced by insecure or compromised hardware components. Agencies are now instructed to develop assurance processes that encompass both software and hardware assets, reflecting a broader interpretation of supply chain exposure across federal systems.

The memo provides limited empirical justification for the policy reversal, but its reasoning aligns with critiques that have circulated since M-22-18’s rollout. Industry groups previously warned that the requirements were ambiguously defined and inconsistently enforced across agencies, increasing compliance costs for vendors without clear security benefits. Security researchers have similarly questioned the effectiveness of SBOMs when treated as compliance artifacts, citing variability in quality and challenges integrating SBOM data into vulnerability management and incident response workflows.

The absence of supporting data accompanying the rescission suggests the shift is driven less by a reassessment of supply chain threat dynamics and more by a broader move away from centralized compliance mandates toward decentralized, risk-based governance. For software vendors, open-source projects, and enterprise suppliers that invested heavily in meeting federal attestation and SBOM requirements, the change introduces uncertainty around future procurement expectations.

While OMB frames the policy as enabling more effective security investment, its practical impact will depend on how individual agencies exercise their expanded discretion. Divergent interpretations of risk-based authority could reshape federal software procurement, enforcement consistency, and the long-term role of standardized assurance artifacts in enterprise and government security programs.
