
By removing a uniform attestation requirement, OMB gives agencies flexibility to tailor cybersecurity controls, forcing vendors to adapt to diverse, risk‑driven procurement standards.
The Office of Management and Budget’s latest memorandum marks a decisive pivot in federal software‑supply‑chain policy. Earlier memoranda—M‑22‑18 and M‑23‑16—required every agency to collect a standardized self‑attestation using CISA’s Common Form and, in many cases, a Software Bill of Materials (SBOM). Those directives were criticized for imposing a compliance‑heavy process that often eclipsed actual risk mitigation. By rescinding the blanket requirement, OMB signals a broader governmental shift toward risk‑based governance, aligning procurement practices with the nuanced threat landscape of both software and hardware components.
Under M‑26‑05, each agency must conduct its own risk assessment and define security requirements that reflect its mission‑critical workloads. While the memorandum retains the obligation to maintain a comprehensive software inventory, it introduces a more flexible framework for SBOM requests—particularly for cloud service providers, which must now furnish SBOMs that describe the live production environment rather than just test builds. This nuance acknowledges the growing reliance on cloud‑native services and the need for real‑time visibility into runtime dependencies. Agencies can still elect to use the Common Form or NIST Secure Software Development guidelines, but they are no longer compelled to do so, fostering a market where security controls are tied to actual risk rather than paperwork.
For vendors targeting federal contracts, the policy change translates into both opportunity and uncertainty. Companies must stay alert to divergent agency‑specific security clauses, proactively engage in risk‑assessment dialogues, and be prepared to deliver detailed inventory data and production‑environment SBOMs on demand. The move also encourages investment in adaptable compliance tooling that can satisfy a spectrum of agency requirements without extensive re‑engineering. As the federal government continues to refine its cyber‑risk posture, firms that embed robust, risk‑aligned security practices into their development lifecycles will be best positioned to win contracts and maintain long‑term relationships with government customers.