The Trump administration is taking a step back on governmentwide software security requirements and setting up an industry consortium to develop guidance around the implementation of secure software development practices.
President Donald Trump’s new cybersecurity executive order maintained Biden-era requirements for government contractors to sign off on a self-attestation software security compliance. The security standards are based on the National Institute of Standards and Technology’s Secure Software Development Framework.
But Trump’s order stripped a section from Biden’s January cyber EO that directed the development of new Federal Acquisition Regulations that would have required software vendors to submit proof that they comply with the NIST framework.
In a fact sheet, the White House said Trump was taking steps to address “problematic and distracting issues” in Biden’s January order, including “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
Instead of new contract requirements, Trump directed NIST to set up an industry consortium by Aug. 1. The consortium will help NIST develop guidance that “demonstrates the implementation of secure software development, security, and operations practices” in the SSDF.
In a blog, lawyers with WilmerHale wrote the change “appears intended to put industry more in the lead in developing software validation practices rather than the federal government.”
Peter Jackson, counsel in Los Angeles law firm Greenberg Glusker, said Trump’s EO “severs the effort to force developers to show that the software they provide to the government has security and integrity.”
“While developers will still certify under a souped-up standard, some software will still be delivered with the kinds of low-hanging flaws and errors the attestation process might have caught,” Jackson said in an emailed statement.
Software security framework still new to many
The Biden administration’s first cybersecurity executive order — which Trump didn’t change — initiated the push to establish governmentwide software security standards in the wake of the 2020 SolarWinds cyber attack.
In 2022, the Office of Management and Budget directed agencies to require a self-attestation from vendors before buying their software. The Department of Homeland Security finalized the attestation requirements in 2024.
By January of this year, Biden administration officials said self-attestations would not be enough. Officials wanted proof, referred to in software parlance as “artifacts,” that federal vendors were following the NIST software security guidelines.
“Let’s actually bring transparency and accountability in these software supply chains by having companies show us proof that they tested their software, they’ve addressed vulnerabilities,” then-Deputy National Security Advisor Anne Neuberger told reporters at the time.
The goal was also to “raise the bar,” Neuberger added, for the benefit of other critical sectors like education and healthcare.
But according to officials in industry, the process for implementing and complying with the NIST software security framework is still relatively new. They say that might be one reason why the Trump administration cut the directive for new governmentwide requirements.
Nathan Jones, vice president of public sector at software security firm Sonar, said software security maturity varies across industries.
“We certainly interact with a lot of mature organizations that are far along in highly regulated spaces,” Jones said in an interview. “They have robust and secure development life cycles, and they were, in some cases, starting to operationalize the SSDF. But there are also a lot of other folks who are not.”
Agencies like the Cybersecurity and Infrastructure Security Agency have been leading efforts to “operationalize” concepts like the Software Bills of Material (SBOM). A SBOM is an inventory of “ingredients” that make up software components. Some agencies have moved toward requiring vendors to submit SBOMs so they can better understand any dependencies or vulnerabilities in their products.
Another industry official, who was not authorized to speak publicly, said the process for generating an SBOM and sharing it with a customer, like a federal agency, is relatively well understood.
What’s less clear, the official continued, is how federal contracting officers and authorizing officials would evaluate and share software artifacts like SBOMs as part of the procurement process.
“Until we figure out that part of it, the collection of those artifacts and how we will share information across government, grabbing all the artifacts is of limited value and utility from a cybersecurity perspective,” the industry official said.
Update to software framework coming
Industry is closely watching the formation of the NIST consortium directed in Trump’s new executive order. Trump also directed NIST to publish a preliminary update to the SSDF by Dec. 1. The update would include “practices, procedures, controls and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself,” the EO states.
David London, managing director at the Chertoff Group, wrote in a blog that the Trump administration’s updates “would ideally address anticipated challenges with storing, processing and actioning industry-submitted data to CISA’s Repository for Software Attestation and Artifacts (RSAA).”
London added that the Trump administration is evaluating “other mechanisms” for the government to buy secure software, such as the Defense Department’s Software Fast Track, or SWFT, initiative.
Jones also pointed to cybersecurity requirements that are moving forward, such as DoD’s Cybersecurity Maturity Model Certification, under the Trump administration.
“I think this administration, like others, focuses on cyber. That hasn’t changed,” Jones said. “I think the question is the ‘how.’ What do they think is the best way to get to a better cyber posture? There’s no debate that there’s a large population of industry players as well as government software producers that need to get better at security.”
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
