{"id":182457,"date":"2026-01-28T16:17:00","date_gmt":"2026-01-28T21:17:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/28\/governments-new-approach-to-software-security-oversight-could-complicate-things-for-vendors\/"},"modified":"2026-01-28T16:45:17","modified_gmt":"2026-01-28T21:45:17","slug":"governments-new-approach-to-software-security-oversight-could-complicate-things-for-vendors","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/28\/governments-new-approach-to-software-security-oversight-could-complicate-things-for-vendors\/","title":{"rendered":"Government\u2019s new approach to software security oversight could complicate things for vendors"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/white-house-software-security-attestation-elimination\/810765\/\">Government\u2019s new approach to software security oversight could complicate things for vendors<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/white-house-software-security-attestation-elimination\/810765\/\">https:\/\/www.cybersecuritydive.com\/news\/white-house-software-security-attestation-elimination\/810765\/<\/a><\/p>\n<p>Publish Date: 2026-01-28 16:17:00<\/p>\n<p>Source Domain: www.cybersecuritydive.com<\/p>\n<p>The Trump administration\u2019s elimination of a security attestation requirement for federal software vendors could change how those companies demonstrate their products\u2019 security to customers in the government and beyond.<br \/>\nOn Jan. 
23, the White House\u2019s Office of Management and Budget rescinded a Biden administration directive that told agencies to require their software providers to fill out a security attestation form developed by the Cybersecurity and Infrastructure Security Agency. The memo said the attestation requirement \u201cimposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments.\u201d<\/p>\n<p>OMB\u2019s move to scrap the attestation requirement leaves agencies to decide for themselves how much information to require from vendors about their products\u2019 security. The decision immediately prompted sharply divided reactions from the cybersecurity community, with some experts warning that the move would undermine efforts to push companies toward better security practices.<br \/>\n\u201cThe self-attestation process was a stepping stone to more secure software,\u201d said Nicholas Leiserson, who served as the assistant national cyber director for cyber policy and programs during the Biden administration. \u201cEliminating [the process] without providing a replacement mechanism is an unequivocal step backward for government cybersecurity.\u201d<br \/>\nAllan Friedman, a former senior adviser and strategist at CISA who led efforts to improve software transparency, wrote on LinkedIn that the requirements and CISA\u2019s attestation form were meant to help agencies that lacked the resources to \u201cdesign their own risk management approaches,\u201d as well as to \u201chelp vendors not have to comply with dozens of unique requirements.\u201d<br \/>\nOMB did not respond to a request for comment.<br \/>\nThe attestation mandate was part of the Biden administration\u2019s strategy to use the government\u2019s purchasing power to drive software vendors toward more security-minded development practices. 
CISA led that strategy through its Secure by Design campaign, which encouraged companies to assume more of the burden for the secure operation of their products. The leaders of that campaign left the government early in the Trump administration, leaving its fate uncertain.<\/p>\n<p>Leiserson, who is now senior vice president for policy at the Institute for Security and Technology, a nonprofit think tank, said the Biden administration designed the attestation requirement to be a \u201cbackstop\u201d to more forward-leaning initiatives like Secure by Design.<br \/>\n\u201cIt ensures that software security does not become an afterthought by making it easier to bring a claim if a vendor fails to live up to its obligations,\u201d he said.<br \/>\nThe government has been trying to get software makers to take more responsibility for their products since the 1990s, said James Lewis, a longtime cyber policy expert and former government official who is now at the Center for European Policy Analysis (CEPA). Lewis called the elimination of the attestation requirement \u201cidiocy\u201d and \u201ca step backward.\u201d<br \/>\nImperfect process<br \/>\nCritics of the attestation process said agencies implemented it haphazardly, even after CISA developed the common form for all agencies to use. \u201cSome agencies continued to follow up with additional questions or to emphasize different aspects of the requirements,\u201d said Ari Schwartz, the managing director of cybersecurity services at the law firm Venable. 
\u201cFor vendors with large product portfolios and multiple software versions, the process still represented a substantial paperwork effort.\u201d<br \/>\nSchwartz said some companies told him that agencies asked them to attest to the security of products that were \u201cwell past their end of life.\u201d Because of the security flaws inherent in those out-of-date products, Schwartz said, the companies couldn\u2019t meet the agencies\u2019 demands.<br \/>\nThe tech industry, which repeatedly criticized the attestation form as poorly designed, asked the Biden administration to clarify elements it considered vague or problematic.<br \/>\nGordon Bitko, executive vice president of public sector for the Information Technology Industry Council, praised the Trump administration\u2019s \u201cdecision to move away from prescriptive mandates in favor of a risk-based approach\u201d to security.<br \/>\nHenry Young, senior director of policy for the Business Software Alliance, said the attestation form \u201cproved difficult to implement consistently and diverted resources away from managing real cybersecurity risk.\u201d<br \/>\nLeiserson pushed back on those claims. \u201cThe form in question takes roughly three hours to complete,\u201d he said.<br \/>\nVendors\u2019 fear of liability for misrepresenting their products\u2019 security \u201cwas the real burden,\u201d CEPA\u2019s Lewis argued.<br \/>\nEvery agency for itself<br \/>\nWith the White House leaving it up to individual agencies to decide how to hold their software vendors accountable, the result could be a fragmented landscape of inconsistently stringent oversight.<br \/>\nSome agencies may continue using CISA\u2019s form, while others may develop their own processes that ask for more or less information from software companies. 
That might make things even more complicated for vendors than the mandate whose demise they celebrated.<br \/>\n\u201cIf agencies all go in different directions and adopt very different approaches,\u201d Schwartz said, \u201cthat could end up increasing the burden on companies without necessarily improving security.\u201d<br \/>\nITI\u2019s Bitko urged the White House to \u201cguard against fragmented, agency-specific requirements\u201d that could make compliance more expensive.<br \/>\nThe White House memo offered several suggestions to agencies, including referencing the National Institute of Standards and Technology\u2019s Secure Software Development Framework (SSDF) or requesting software or hardware bills of materials from vendors. On LinkedIn, Friedman called the SSDF \u201ca solid tool\u201d but said it was \u201cnot designed for compliance or measurement.\u201d<\/p>\n<p>Schwartz said it would be best if agencies converged on \u201cbroadly similar\u201d security expectations that they implemented through contract language. BSA\u2019s Young said the most effective approaches would base requirements on risk levels and use international standards.<br \/>\nAn ongoing White House initiative could help prevent a sprawling patchwork of requirements. The Trump administration is in the process of revising the way agencies certify technology for use, which could lead to new government-wide standards for software security.<br \/>\nOn alert for cascading security lapses<br \/>\nMost of the software that the government buys is the same commercial technology available to private businesses. 
If vendors\u2019 attention to security slackens without strict oversight from their government customers, the consequences could endanger all of their customers.<br \/>\nMany cybersecurity experts have argued that the government\u2019s longstanding deference toward Microsoft, one of its most important suppliers, encouraged the erosion of the company\u2019s security culture that enabled a series of major cyberattacks on Microsoft products.<br \/>\n\u201cImprovements in software security in response to market signals from the government [help] all users of that software, not just the government,\u201d Leiserson said. \u201cConversely, the removal of such incentives will leave the ecosystem more vulnerable.\u201d<br \/>\nFor now, Schwartz said, \u201cit\u2019s too early to say whether this will meaningfully change the security of the software [that] agencies use.\u201d Much will depend, he said, on how agencies \u2014\u00a0especially the biggest ones, which have the most significant software contracts \u2014\u00a0refashion their vendor oversight in response to the new White House guidance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Government\u2019s new approach to software security oversight could complicate things for vendors https:\/\/www.cybersecuritydive.com\/news\/white-house-software-security-attestation-elimination\/810765\/ Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":182458,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/UAf_ef2aYcAFUL7Sgsk34UWkIQCp7Dwg_JDacCAKksc\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0xMDA3NDY0Mzk2LmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-182457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182457"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=182457"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182457\/revisions"}],"predecessor-version":[{"id":182459,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182457\/revisions\/182459"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/182458"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=182457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=182457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=182457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.or
g\/{rel}","templated":true}]}}