White House Scraps 'Burdensome' Software Security Rules
An anonymous reader quotes a report from SecurityWeek: The White House has announced that software security guidance issued during the Biden administration has been rescinded due to "unproven and burdensome" requirements that prioritized administrative compliance over meaningful security investments. The US Office of Management and Budget (OMB) has issued Memorandum M-26-05 (PDF), officially revoking the previous administration's 2022 policy, 'Enhancing the Security of the Software Supply Chain through Secure Software Development Practices' (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments. "Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network," reads the memo sent by the OMB to departments and agencies. "There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment," the OMB added.
While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.
6 comments
Major Meltdown Or Epic Explosion (Score: 5, Interesting)
by SlashbotAgent ( 6477336 ) on Friday January 30, 2026 @07:07PM (#65960158)
After reading about the latest hot AI agent platform, and its complete lack of guardrails or security, I see this as a step into a massive disaster.
I guess I'm getting old. I'm deeply disturbed by our immediate tech future.
Re:Major Meltdown Or Epic Explosion (Score: 5, Interesting)
by rta ( 559125 ) on Friday January 30, 2026 @08:14PM (#65960246)
Well, XKCD dependency (https://www.explainxkcd.com/wiki/index.php/2347:_Dependency ) came out 5+ years ago and was already true for 10 years before that in all SaaS. And even in home rolled systems of banks, fintech and other mainstream and "sober" services, though idk about defense specifically.
And some aspects of things have gotten better, but there's still no way, afaik, for anyone to REALLY certify something like even a Linux distribution except in the sense of 'yeah we'll try to fix it when the CVEs inevitably get filed'. In practice what the original legislation required is not currently feasible, though various parts of the ecosystem have been moving in that direction slowly over the decades in some ways (signed debs and rpms, for example) but in the other direction in other ways: CI/CD. weekly (or daily) releases of libraries. Move away from semantic versioning and into linear sequential versioning...
yeah the ecosystem has proved pretty resilient overall in practice all things considered... but if you really think about how the sausage is made... idk how anyone sleeps at night.
It's definitely not coming from security people. (Score: 5, Interesting)
by sg_oneill ( 159032 ) on Friday January 30, 2026 @08:38PM (#65960270)
The thing with security is that it's hard, and it's annoying, and it grates on bosses who want to "move fast and break things".
Proper institutional IT security is less about keeping on top of the latest way to manipulate a malloc() to generate a buffer overflow, although that's ALSO important, and more about the procedures and practices in an organization. You've got virus checkers and software solutions to handle the technical stuff; the hard part is to convince the damn receptionist to stop buying from spam mails, because THAT'S where most of the damage comes from.
And in an organization with thousands of people, that's going to mean procedures, procedures and more procedures. You need regular audits to quantify what the risks are, what the vulnerabilities are, and what is to be done to patch up those holes. You need training to teach people not to open unverified attachments. You need up-to-date inventories of computers as well as a regulated and planned approach to keeping up to date with software patches, and making sure all of your software is licensed (the whole thing falls apart when Ted from marketing is using a pirated version of Photoshop). All of this is a lot of work, and it's all essential if you don't want the Chinese running rampant through your network.
But so many bosses I've had have hated this stuff. It's not how they operated when the company was 5 guys in an industrial unit. Well, Mo' Money, Mo' Problems: what works for 5 guys will not work for 500 guys, because everything's exponentially more complex now, and so are the stakes. And here's the thing: when you've got a government stuffed with startup-guy posers who think they know how to run a business, they'll start thinking government departments with 20,000 employees should be run like a 5-guy start-up where the weekly payroll is paid off the boss's credit card.
You saw the height of this hubris with DOGE, when they actually thought they could get 6-7 guys working for a couple of months to replace giant mainframe systems that had literal decades' worth of code cruft. Yeah no, the big-boy world doesn't work like that.
And you can't do security by just keeping Norton up to date, not when China is literally hiring hundreds of top tier hackers to break in and steal anything not nailed down.
Re:Major Meltdown Or Epic Explosion (Score: 5, Insightful)
by arglebargle_xiv ( 2212710 ) on Saturday January 31, 2026 @03:01AM (#65960570)
It's not a massive disaster, it's an absolute windfall. Assuming your first name is Xi or Vladimir that is.
It was too hard for Putin to read Trump's email. (Score: 5, Insightful)
by MikeDataLink ( 536925 ) on Friday January 30, 2026 @07:21PM (#65960176)
So they had to remove the firewall and complex passwords. Haha
Tortured logic. (Score: 5, Interesting)
by fuzzyfuzzyfungus ( 1223518 ) on Friday January 30, 2026 @07:40PM (#65960198)
The reasoning is honestly just baffling. Apparently the old requirements "diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware." by requiring that people keep track of what software they were actually using.
Aside from the...curious...idea that knowing what your attack surface looks like is a diversion from developing assurance requirements; the claim that the old policy about SBOMs is being revoked for not focusing on insecure hardware is odd both on the obvious point that basically anything with a sensible scope only focuses on certain issues and leaves other issues to be handled by other things and the only slightly less obvious issue that most 'insecure hardware', unless you've qualified for a really classy covert implant or have high sensitivity TEMPEST issues or something, is not actually hardware problems; but firmware problems; which are just software problems that aren't as visible; exactly the sort of thing that SBOMs help you keep an eye on.
Not like anyone expected better; but this is exceptionally poor work.