OMB rescinds ‘burdensome’ Biden-era secure software memo
The Trump administration is rescinding a Biden-era memo that was intended to help agencies buy secure software, with the current Office of Management and Budget saying it relied on “unproven and burdensome” processes.
A former Biden administration official said the move is “the first major policy step back that I have seen in the administration on a cybersecurity front.”
At issue is the 2022 OMB memo titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” M-22-18. The administration rescinded the memo Friday.
That memo led to the creation of a common “Secure Software Development Attestation Form” for government agencies that contractors had to use to vouch that their software adheres to a set of security practices. Agencies couldn’t buy from software vendors that couldn’t attest to the security of their products.
“Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network,” OMB Director Russell Vought wrote in a brief memo Friday to agency heads. “There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.”
Nick Leiserson, who served as assistant national cyber director for cyber policy and programs under Biden’s Office of the National Cyber Director, told CyberScoop that rescinding the 2022 memo was a step backward because the memo was meant to use government purchasing power to influence the market, and its repeal “is not good for the security of government systems and for the software that’s used throughout the whole U.S. economy.”
The memo stemmed from the first Biden administration executive order, a response to the major SolarWinds breach that led to agencies being penetrated by alleged Russian hackers, among other notable cyber incidents.
Rescinding it leaves nothing in its place, said Leiserson, now senior vice president for policy at the Institute for Security and Technology, at a time of rising exploitation of software vulnerabilities.
Friday’s decision doesn’t ban everything from the 2022 memo. Vought said agencies could use the common attestation form if they choose; agencies must “maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs”; and that agencies could adopt contract terms that require software makers to provide a list of software ingredients, known as a software bill of materials, upon request.
Lieserson disputed the idea that the 2022 memo was burdensome, based on government estimates that the common form would consume three hours and 20 minutes of paperwork. And Leiserson said rescinding it goes against the Trump administration’s goal of deconflicting a tangle of cybersecurity rules: In the place of one common form for all contractors, agency-by-agency forms will increase the regulatory burden.
The Trump administration had previously signaled a desire to roll back other cybersecurity directions for agencies from President Joe Biden.
