On January 23, 2026, Office of Management and Budget (OMB) Director Russell T. Vought issued OMB Memorandum M-26-05 (Memo). The Memo rescinds prior OMB memoranda (M-22-18 and M-23-16) that required federal agencies to collect the Secure Software Development Attestation Form from entities selling software or products containing software to the U.S. government. The Trump administration previously retracted a Biden administration directive that called for formalization of the Attestation Form collection process in the Federal Acquisition Regulation (FAR). Many in industry saw this as a sign that the Trump administration disfavored the Attestation Form. Now, the Memo has gone one step further to officially terminate agencies' obligation to collect the Form from their software suppliers.
Secure Software Attestation Form Background
The Attestation Form was created by OMB and the Cybersecurity and Infrastructure Security Agency (CISA), as directed by the Biden Executive Order 14028, Improving the Nation's Cybersecurity. The Form was intended to provide a standardized approach to evaluating and securing the federal government's software supply chain in the wake of the 2020 SolarWinds cyberattack and other smaller attacks attributed to insecure software development practices by federal government software suppliers.
OMB Memorandum M-26-05
The new OMB Memo states that the Attestation Form “imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments,” “diverted agencies from developing tailored assurance requirements for software,” and “neglected to account for threats posed by insecure hardware.” The Memo instead directs agencies to develop software and hardware assurance policies tailored to their risk profiles and mission needs. Agencies are given the option to leverage the Attestation Form, to require software suppliers to provide a software bill of materials (SBOM), or to leverage other federal government guidance on secure software and hardware development, such as NIST SP 800-218, at their discretion.
Key Takeaways
The Attestation Form was one of the few examples of a standardized cybersecurity requirement applicable to contractors across all federal agencies. The Memo effectively does away with this standardization, directing agencies to implement software and hardware supply chain security requirements tailored to their needs.
Some agencies may continue to use the Attestation Form, while others may fall back on bespoke or contract-specific software supply chain requirements, meaning that contractors will need to track compliance on an agency-by-agency or contract-by-contract basis. Contractors supplying software or products containing software to the federal government should monitor updates from their agency customers regarding future software and hardware supply chain security requirements, as different agencies will likely take different approaches.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.