1. Home
  2. |Insights
  3. |Software De-Simplified: Trump Administration Rescinds Standardized Secure Software Development Attestation Requirements

Software De-Simplified: Trump Administration Rescinds Standardized Secure Software Development Attestation Requirements

Client Alert | 2 min read | 01.29.26

On January 23, 2026, Office of Management and Budget (OMB) Director Russell T. Vought issued OMB Memorandum M-26-05 (Memo). The Memo rescinds prior OMB memoranda (M-22-18 and M-23-16) that required federal agencies to collect the Secure Software Development Attestation Form from entities selling software or products containing software to the U.S. government. The Trump administration previously retracted a Biden administration directive that called for formalization of the Attestation Form collection process in the Federal Acquisition Regulation (FAR). Many in industry saw this as a sign that the Trump administration disfavored the Attestation Form. Now, the Memo has gone one step further to officially terminate agencies’ obligation to collect the Form from their software suppliers.

Secure Software Attestation Form Background

The Attestation Form was created by OMB and the Cybersecurity Infrastructure and Security Agency (CISA), as directed by the Biden Executive Order 14028, Improving the Nation’s Cybersecurity. The Form was intended to provide a standardized approach to evaluating and securing the federal government’s software supply chain in the wake of the 2020 SolarWinds cyberattack and other smaller attacks attributed to insecure software development practices by federal government software suppliers.  

OMB Memorandum M-26-05

The new OMB Memo states that the Attestation Form “imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments,” “diverted agencies from developing tailored assurance requirements for software,” and “neglected to account for threats posed by insecure hardware.” The Memo instead directs agencies to develop software and hardware assurance policies tailored to their risk profiles and mission needs. Agencies are given the option to leverage the Attestation Form, require software suppliers to provide a software bill of materials (SBOM), or leverage other federal government secure-software and hardware-development guidance, such as NIST SP 800-218, at their discretion.   

Key Takeaways

The Attestation Form was one of the few examples of a standardized cybersecurity requirement applicable to contractors across all federal agencies. The Memo effectively does away with this standardization, directing agencies to implement software and hardware supply chain security requirements tailored to their needs. 

Some agencies may continue to use the Attestation Form, while others may fall back on bespoke or contract-specific software supply chain requirements, meaning that contractors will need to track compliance on an agency-by-agency or contract-by-contract basis. Contractors supplying software or products containing software to the federal government should monitor updates from their agency customers regarding future software and hardware supply chain security requirements, as different agencies will likely take different approaches. 

Contacts

Insights

Client Alert | 2 min read | 07.15.26

CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations

As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights....