Federal Government Rescinds Software Supply Chain Mandates, Makes SBOMs Optional

The federal government is reversing its software supply chain security mandates by rescinding policies that dictated how agencies evaluated and procured software, as announced by the Office of Management and Budget (OMB) in a memorandum. Previously introduced in 2022 to counter supply chain attacks, these policies required standardized compliance measures such as secure software development attestations and software bills of materials (SBOMs). The OMB argues that the policies prioritized documentation over meaningful security outcomes and limited agencies' ability to tailor assurance practices to their specific risks. Going forward, agencies will no longer adhere to a uniform compliance framework but will instead define assurance requirements based on their mission needs and risk assessments, with SBOMs and attestations becoming optional tools. The new guidance shifts focus toward addressing hardware supply chain risks, a previously neglected area, and reflects industry and researcher critiques of the earlier mandates as burdensome and ineffective. While the OMB frames this change as a strategic shift towards more effective security investments, the impact will largely depend on how agencies leverage their discretion in implementing risk-based security measures.