Cybersecurity as a Tool of State Power: SBOMs as the Latest Victim of Cybersecurity’s Ongoing Politicization
By Aisling Dawson |
09 Feb 2026 |
IN-8054
NEWS: Trump Administration Revokes Biden's Software Self-Attestation Mandate and Curtails Its SBOM Requirements
On January 23, the Director of the Office of Management and Budget (OMB) within the U.S. government rescinded Biden’s M-22-18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) and M-23-16 (companion documentation clarifying M-22-18’s scope), the memorandums that required federal agencies to obtain self-attestations from software developers indicating compliance with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF). Describing self-attestations as both “unproven and burdensome” measures for ensuring software security and assurance, the M-26-05 memo instead directs agencies to adopt a tailored “risk-based approach” to software and supply chain security, making Software Bills of Materials (SBOMs) optional rather than a mandatory requirement.
IMPACT: Expected Blast Radius: Adverse Impacts on SBOM Vendors and the United States' Prior Lead in the Market
In the short term, the memorandum revocation and curtailment of the previous SBOM mandate may not significantly impact inter- or intra-agency security. The recent repeal by Trump’s administration addresses complaints that the Biden memos overemphasized documentation over risk reduction and imposed a “one-size-fits-all” model, prioritizing instead a tailor-made approach to security that may, in fact, streamline internal security processes. Further, because agencies remain free to keep using the previous Secure Software Development Attestation Form if desired, or to elevate SBOMs (alongside Hardware Bills of Materials (HBOMs)) to the status of a contractual requirement with developers, overall supply chain visibility and security may not be drastically affected. Yet, when considered in conjunction with budget cuts throughout U.S. federal bodies, particularly those with cybersecurity remits, and the retaliatory intent behind recent cybersecurity “policy” decisions within and by the Trump administration, the blast radius of this recent rollback may be wider than it seems.
The removal of a mandatory requirement to produce SBOMs may lead agencies to take the path of least resistance, doing only the bare minimum demanded and adversely impacting overall software security. More likely, however, SBOM usage will continue to some extent in agencies with more funding or greater cybersecurity maturity. With some agencies writing SBOM requirements into some contracts and not others, SBOM deployment will become fragmented, playing into the very problem that M-26-05 claimed to be solving: an over-reliance on documentation and processes rather than risk reduction. Software developers will instead be forced to sink more resources and time into interpreting and complying with a variety of differing contractual requirements, rather than bolstering software security and Development Operations (DevOps) processes. The resulting inconsistency across federal agencies also risks fragmenting SBOM deployment as a discipline as a whole, impeding the market positioning of U.S.-based SBOM vendors, especially given the criticality of the government market to their sales. Beyond individual vendors, watering down Biden’s SBOM mandate to a voluntary component of the software procurement process is counter-intuitive when considered alongside other regions’ approaches. Following the initiative of the United States regarding mandatory SBOMs, they are now a legislative requirement under Europe’s Cyber Resilience Act (CRA), meaning that vendors operating in both markets will have to produce SBOMs regardless. However, by rendering SBOMs non-mandatory in the government sector, vendors operating only or primarily in the United States are likely to be less focused on improving and enhancing their existing SBOM functionalities, capping innovation in the U.S. market and ceding the region’s lead in this space to Europe.
RECOMMENDATIONS: Latest SBOM Decisions Are Indicative of a Wider, Disturbing Trend Within U.S. Cybersecurity Policy
The recent decision from the OMB is part of a wider trend emanating from the Trump administration, as previously seen in the deep cuts made to U.S. cybersecurity and defense bodies, including the Cybersecurity & Infrastructure Security Agency (CISA) and the U.S. Agency for International Development (USAID), and in the use of executive orders for abrupt agency personnel changes in CISA, the National Security Agency (NSA), and U.S. Cyber Command. While cybersecurity is generally considered a bipartisan imperative, some politicization is inevitable. Cybersecurity is a core part of the fabric of state national security and sits directly within the purview of the executive, meaning it is inherently embroiled in political policy to an extent. However, the motivation driving these cyber policy decisions appears retaliatory in nature, as indicated by personnel dismissals accompanied by public statements regarding loyalty to President Trump. Further, the recent revocation appears to disregard accepted best practices from cryptographic experts regarding SBOMs and software attestation, not only in the United States, but across Europe and in tightly controlled cryptographic markets like China. Thus, when seen as part of a pattern of decisions from the Trump administration, the recent revocation of Biden’s software security memos also appears to weaponize executive powers to level political criticism at the former Biden administration. Once framed as reprisals against “disloyal” personnel and former administrations, these budget cuts, personnel changes, and memorandum revocations separate the Trump administration’s cyber “policies” from the bounds of traditional policymaking, excessively politicizing cybersecurity in a manner that threatens the United States’ national security. The consequences here are potentially dire.
The government’s weakening of existing cyber defense policies and institutions has already prompted an escalation in attacks from Iran, Russia, and China in the form of cyber intrusions and probing of government systems, supply chain penetration, and information warfare. Artificial Intelligence (AI) only compounds this threat, lowering skill and cost thresholds for malicious actors engaging in such attacks, while simultaneously bolstering the efficiency of phishing attacks and vulnerability discovery. Moreover, appearing to act on retaliatory motivations, rather than a bipartisan desire to secure the nation’s cyber defenses, further corrodes institutional trust in the administration, and this corrosion plays into the hands of AI-enabled disinformation campaigns and information warfare from other nations. Overall, the revocation of Biden-era guidance pertaining to SBOMs jeopardizes, in the best-case scenario, federal processes for supply chain visibility and impedes market growth for SBOM providers. In the worst-case scenario, it risks the further politicization of security tooling, beyond mere policy decisions, and the subsequent destabilization of the United States’ critical infrastructure in the face of escalating cyberthreats from state actors as cyber operations become steadfastly cemented in national military arsenals. For SBOM vendors and those in the digital trust space, continuing to push for SBOM implementation where possible will be key to combating the potential fragmentation introduced by the government’s latest memo, as will drawing on and learning from other regions in terms of standardizing SBOM formats and deployment.
Written by Aisling Dawson