Full Report
The Trump administration is rescinding a Biden-era memo that was intended to help agencies buy secure software, with the current Office of Management and Budget saying it relied on “unproven and burdensome” processes. A former Biden administration official said the move is “the first major policy step back that I have seen in the administration…
Analysis Summary
# Regulation/Compliance: Rescission of Secure Software Supply Chain Memo (M-22-18)
## Overview
This summary addresses the Trump administration's immediate rescission of a Biden-era Office of Management and Budget (OMB) memorandum (M-22-18) that mandated specific secure software development practices for federal agencies to enhance software supply chain security. The rescission is based on the justification that the original memo relied on "unproven and burdensome" processes.
## Key Details
- **Issuing Authority:** Office of Management and Budget (OMB)
- **Effective Date:** Friday, January 23, 2026 (inferred from the article date of January 27, 2026). The original M-22-18 was issued in September 2022.
- **Jurisdiction:** U.S. Federal Executive Branch agencies.
- **Status:** Rescinded (No longer in effect).
## Requirements
### Mandatory Requirements
*As the original mandate has been rescinded, there are currently **NO** mandatory requirements established by the specific memo M-22-18.*
1. **Note:** Organizations previously under the scope of M-22-18 must monitor for subsequent guidance from OMB regarding replacement policies for software acquisition and supply chain security.
### Recommended Practices
1. **Monitor for Successor Guidance:** Organizations should actively watch for new OMB directives or legislation that may replace the requirements of the rescinded memo.
2. **Internal Review:** Review the internal processes established to meet M-22-18 requirements to determine if they still present value, even if not mandated, given the historical emphasis on secure software development.
## Affected Organizations
- **Industries:** Primarily U.S. Federal Executive Branch agencies and their associated software vendors/supply chain partners.
- **Organization Size:** Applicable to all software providers contracting with or supplying the Federal Government.
- **Geographic Scope:** United States Federal Government operations.
## Compliance Timeline
Since the mandate (M-22-18) has been rescinded:
- **[Original Timeline]:** Full compliance with M-22-18 was previously required, generally targeting capabilities to be in place by the end of Fiscal Year 2025 for new software.
- **[Current Status]:** **Immediate cessation of requirements** tied specifically to M-22-18.
## Implementation Guidance
The immediate impact of the rescission means:
### Assessment Phase
- **Risk Assessment:** Assess the current level of adherence to the former M-22-18 standards. Determine which security measures implemented under the memo should remain based on internal risk tolerance or other existing mandates (e.g., FISMA, Executive Orders).
### Implementation Phase
- **Halt Development:** Cease or pause any development efforts specifically undertaken to meet the now-rescinded "unproven and burdensome" processes laid out in M-22-18.
- **Future Planning:** Develop contingency plans for adhering to future security requirements, anticipating that OMB may issue replacements focusing on less "burdensome" methods.
### Validation Phase
- **Documentation Audit:** Audit documentation related to M-22-18 compliance to determine what needs to be archived, updated, or purged.
## Technical Requirements
*The specific technical requirements outlined in M-22-18 (e.g., those related to Software Bills of Materials (SBOMs) and vulnerability disclosure policies) are no longer federally mandated following this rescission.*
## Penalties & Enforcement
- **Fines:** Since the mandate was rescinded, enforcement and associated penalties for non-compliance with M-22-18 are **voided**.
- **Other Consequences:** Organizations that accelerated security improvements based on M-22-18 might now face internal scrutiny over the resources spent on controls that are no longer mandated.
- **Enforcement:** No current enforcement mechanism exists for the rescinded memo.
## Related Standards
The rescinded memo was intended to align with broader secure software initiatives and likely referenced standards such as:
- **NIST:** The Secure Software Development Framework (SSDF) and related NIST guidance may have been incorporated or referenced by M-22-18.
- **EO 14028:** The Executive Order on Improving the Nation's Cybersecurity, which spurred many secure software requirements.
## Resources
- **Official Documentation:** The Biden-era memo M-22-18 remains officially accessible, though its requirements are suspended: [M-22-18 Link (Defanged)]
## Practical Recommendations
1. **Assess Business Continuity:** Determine if the commercial benefits of having achieved the M-22-18 compliance standards (e.g., improved software quality, better vendor reputation) justify continuing those practices absent a direct mandate.
2. **Engage Procurement:** Agency procurement officers should immediately confirm with their legal and compliance departments the status of current and pending software acquisition contracts that cited compliance with M-22-18.
3. **Stay Informed:** Cybersecurity policy in software procurement is a volatile area; prepare for potential reinstatement or replacement mandates from the current administration or through legislation.