OMB rescinds single-form software attestation, shifting agency discretion

OMB rescinded a 2022 rule requiring a single standardized vendor cybersecurity attestation form, altering how agencies will collect software security assurances.

By Dr. Elena Rodriguez

The Office of Management and Budget on Jan. 26 rescinded a 2022 requirement that had forced federal agencies to use a single, standardized self-attestation form to collect cybersecurity assurances from software vendors. The move ends a uniform federal tick-box approach intended to streamline vendor security disclosures and returns greater discretion to individual agencies in how they document software risk.

The 2022 policy directed agencies to adopt one common form so contracting officers, acquisition officials and cybersecurity teams could compare vendor statements across departments. OMB Director Russ Vought argued the one-size-fits-all approach did not suit the varied missions and risk profiles of federal programs, and the memo removes that mandate so agencies can tailor attestations to their needs.

Policy analysts and procurement experts say the change will produce trade-offs. Supporters of the rescission argue that specialized missions from national defense to social services require different questions and verification levels, and that a single form sometimes forced agencies to ignore meaningful nuances. Critics warn that abandoning uniform reporting could fragment the data federal officials use to assess software supply chain risk and make it harder to aggregate vendor information across government.

For software vendors, the immediate consequence is a move away from a single compliance document toward likely variation in paperwork. Some vendors welcomed the potential for more focused, mission-specific requests that avoid irrelevant requirements. Others expressed concern that agencies will create divergent attestation formats, raising compliance costs when selling to multiple departments and creating further complications for small companies that already struggle with federal contracting rules.

The decision arrives amid broader federal efforts to tighten software supply chain security. Policymakers in recent years have pushed measures such as software bill of materials disclosure, enhanced vulnerability reporting and tighter third-party risk management. Those efforts were partly intended to create common signals across the government; removing a uniform attestation creates a risk those signals will become less comparable.

Operationally, agencies now face the task of designing or revising attestation instruments that reflect both mission requirements and established cybersecurity standards. Legal and acquisition officials will need to decide whether to integrate existing frameworks, such as guidance from the National Institute of Standards and Technology or incident-reporting expectations coordinated with the Cybersecurity and Infrastructure Security Agency, into customized forms. How agencies document vendor assertions will also affect auditors, inspectors general and congressional oversight seeking to evaluate government-wide software risk.

The policy change raises equity concerns for smaller vendors and open-source projects that have cited the burdens of inconsistent procurement paperwork as a barrier to federal sales. Advocates for transparency warned that without a common core of required attestations, comparative assessment of vendor security practices may rely more heavily on technical audits and costly third-party certifications.

OMB’s rescission signals a philosophical shift toward decentralized decision-making in procurement. Agencies will now test new approaches to gather vendor assurances, and observers say the next months will reveal whether customization improves risk-based procurement or simply replaces one set of administrative hurdles with many.
