White House Scraps 'Burdensome' Software Security Rules
Briefly

"'Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network,' reads the memo sent by the OMB to departments and agencies. 'There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment,' the OMB added."
"The White House has announced that software security guidance issued during the Biden administration has been rescinded due to 'unproven and burdensome' requirements that prioritized administrative compliance over meaningful security investments. The US Office of Management and Budget (OMB) has issued Memorandum M-26-05, officially revoking the previous administration's 2022 policy, 'Enhancing the Security of the Software Supply Chain through Secure Software Development Practices' (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16)."
The Office of Management and Budget issued Memorandum M-26-05 rescinding the 2022 secure software development policy (M-22-18) and its 2023 enhancements (M-23-16). The previous requirements were described as "unproven and burdensome" and as prioritizing administrative compliance over substantive security investments. The new guidance places primary responsibility on individual agency heads to develop tailored security policies for software and hardware driven by mission needs and comprehensive risk assessments. Agencies should validate provider security using secure development principles but may continue to use attestation forms, Software Bills of Materials (SBOMs), and related resources. The guidance also expands focus to hardware supply chain threats and encourages Hardware Bill of Materials (HBOM) frameworks to increase resilience against sophisticated adversaries.
Read at SecurityWeek