
Industry Analysis
Software Supply Chain Security: SBOM Requirements and Federal Contractor Obligations in 2026
Executive Order 14028 mandates are now appearing in federal contract solicitations. Defense and civilian contractors must produce SBOMs, attest to secure development practices, and demonstrate NIST SSDF compliance or risk disqualification from procurement.
Federal software supply chain security requirements are entering a new phase. OMB Memorandum M-26-05, issued January 2026, rescinded the centralized attestation mandates established under M-22-18 and M-23-16, replacing them with a risk-based, agency-discretionary model. The technical standards have not weakened — CISA published updated SBOM minimum elements in August 2025, and NIST released a draft revision of the Secure Software Development Framework in December 2025 — but the compliance pathway is now decentralized. Defense and civilian contractors must track requirements on an agency-by-agency and contract-by-contract basis, with DoD and the Army already enforcing their own SBOM mandates independent of the rescinded OMB memoranda.
The Policy Landscape: From Centralized Mandate to Agency Discretion
Executive Order 14028, signed in May 2021, established the federal government's foundational software supply chain security requirements. The order directed agencies to obtain Software Bills of Materials from software suppliers, tasked NIST with developing secure development guidance, and required OMB to issue implementation memoranda establishing compliance timelines.
OMB responded with M-22-18 (September 2022) and M-23-16 (June 2023), which required federal agencies to collect secure software development attestations from all software producers and established CISA's Common Form as the standardized mechanism. Software producers had to certify that their development practices aligned with the NIST Secure Software Development Framework, with CEOs or designated officials signing attestations carrying potential False Claims Act liability.
That centralized framework ended on January 23, 2026. OMB M-26-05, titled "Adopting a Risk-based Approach to Software and Hardware Security," rescinded both M-22-18 and M-23-16 in their entirety. The memorandum characterized the prior mandates as imposing "unproven and burdensome software accounting processes that prioritized compliance over genuine security investments" and "diverted agencies from developing tailored assurance requirements."
The practical impact is significant: there is no longer a single federal standard for software supply chain security compliance. Individual agencies retain discretion to require SBOMs, attestations, or both based on their own risk assessments. The CISA Common Form attestation requirement is no longer mandatory, though agencies may still choose to use it. The scope has also expanded to include hardware security, which the prior memoranda did not address.
For contractors, this shift increases complexity rather than reducing burden. Organizations selling to multiple agencies must now monitor varying requirements across each customer relationship rather than implementing a single compliance program satisfying uniform federal mandates.
CISA 2025 SBOM Minimum Elements: The Technical Standard Remains
While the enforcement mechanism has decentralized, the technical standards continue to mature. CISA published updated minimum elements for SBOMs in August 2025, representing the first major revision since the original 2021 NTIA baseline. These updated elements will likely serve as the reference standard when agencies choose to require SBOMs in their procurements.
The 2025 update adds four new mandatory data fields. Component Hash requires cryptographic fingerprints for each software component, enabling integrity verification and precise vulnerability correlation. License information is now a required field rather than optional. Tool Name identifies the SBOM generation tool used, and Generation Context documents how, when, and by whom the SBOM was created.
Existing elements received clarification and refinement. The terminology shifted from "Supplier" to "Software Producer" to reduce ambiguity in complex supply chains. Access Controls was removed as a standalone element, with those considerations folded into Distribution and Delivery requirements. Coverage, Accommodation of Updates, and Known Unknowns elements received updated guidance addressing real-world implementation challenges identified since the 2021 baseline.
CISA continues to endorse SPDX and CycloneDX as the accepted machine-readable SBOM formats; SWID is now deprecated and its use is discouraged. Organizations should implement tooling capable of generating both SPDX and CycloneDX formats, as agency preferences vary. Automated generation integrated into build pipelines remains the recommended approach, ensuring accuracy without manual component enumeration.
The minimum elements represent a floor that agencies may exceed based on mission requirements. Defense and intelligence community procurements may require transitive dependency enumeration, vulnerability correlation data, provenance verification for open-source components, and additional metadata beyond the baseline elements.
NIST SSDF v1.2: Evolving Secure Development Practices
NIST released an initial public draft of SP 800-218 Revision 1 (SSDF v1.2) in December 2025, with the comment period closing January 30, 2026. While M-26-05 rescinded the mandatory attestation requirement, the SSDF remains the authoritative framework that agencies reference when establishing secure development expectations in contracts.
The SSDF organizes secure development practices into four groups. Prepare the Organization (PO) addresses security requirements, roles, secure environments, and training. Protect the Software (PS) covers source code protection, build integrity, and artifact security. Produce Well-Secured Software (PW) encompasses design review, security testing, code analysis, and vulnerability remediation. Respond to Vulnerabilities (RV) establishes monitoring, triage, remediation, and disclosure requirements.
The v1.2 draft introduces two new practices. PO.6 establishes requirements for continuous security improvement, moving beyond point-in-time compliance toward ongoing capability maturation. PS.4 addresses security that survives real-world updates and rollouts, recognizing that deployment and patching processes themselves represent attack surfaces.
The revision emphasizes continuous controls with provable evidence, shifting from attestation of process existence toward demonstration of process effectiveness. This evolution aligns with the broader industry movement toward evidence-based security assurance rather than checkbox compliance.
Organizations currently implementing SSDF v1.1 practices can prepare for v1.2 without major disruption. The new practices extend rather than replace existing requirements. However, the emphasis on continuous evidence generation may require tooling and process investments that attestation-focused compliance programs did not address.
DoD and Agency-Specific Requirements: Where Enforcement Lives
With the centralized OMB mandate rescinded, enforcement authority for software supply chain security now resides primarily at the agency level. Several agencies have established their own requirements that operate independently of the rescinded memoranda.
The U.S. Army issued a policy in February 2025 through the Assistant Secretary for Acquisition, Logistics, and Technology requiring SBOMs for new software contracts. Vendors must provide a new or updated SBOM with each software release. This represents one of the most concrete agency-level SBOM mandates and remains in effect regardless of M-26-05.
The CMMC Final Rule (DFARS Case 2019-D041), published September 2025 and effective November 2025, implements the Cybersecurity Maturity Model Certification program in phases. Phase 1 (November 2025 through November 2026) introduces Level 1 and Level 2 requirements in select solicitations. Phase 2 (November 2026 through November 2027) expands C3PAO assessment requirements. While CMMC addresses broader cybersecurity maturity rather than SBOM specifically, the supply chain security controls within NIST SP 800-171 create overlapping obligations for software-producing contractors.
The FY2026 NDAA Section 1513 directs DoD to develop a framework for cybersecurity and physical security standards for AI and machine learning technologies, amending DFARS accordingly and drawing on the NIST SP 800 series. This signals continued expansion of supply chain security requirements into emerging technology domains.
DoD's Software Modernization Strategy emphasizes software supply chain risk management as a core capability. Defense contractors developing software-intensive systems should expect SBOM requirements to appear in new contracts and anticipate modifications to existing agreements, driven by program office risk assessments rather than centralized mandates.
Civilian agencies with high-risk environments, including DHS for critical infrastructure and HHS for healthcare systems, are expected to maintain or establish their own SBOM requirements. Contractors should review solicitation Sections C, L, and M for supply chain security requirements and engage contracting officers early to understand evaluation criteria.
False Claims Act Exposure Persists
Although the mandatory attestation form requirement was rescinded, False Claims Act exposure for software supply chain security representations remains relevant. The DOJ Civil Cyber-Fraud Initiative, established in 2021, continues to pursue enforcement actions against contractors making materially false cybersecurity representations in federal procurements.
When agencies exercise their discretion under M-26-05 to require attestations or supply chain security certifications, those representations carry the same legal weight as the previously mandated Common Form. Contractors making claims about SBOM completeness, secure development practices, or vulnerability management in proposals or contract deliverables must ensure those claims are accurate and supportable.
Organizations should maintain documentation demonstrating the factual basis for any supply chain security representations made in proposals, attestations, or contract deliverables. The decentralization of requirements does not reduce liability; it increases the importance of understanding what each agency and contract specifically requires.
Organizational Readiness in a Decentralized Environment
The shift from centralized mandates to agency discretion requires organizations to adapt their compliance strategies. Rather than implementing a single program satisfying uniform requirements, contractors must build flexible capabilities that can be tailored to varying agency expectations.
Conduct a customer-by-customer assessment identifying which agencies and contracts currently include or are likely to include supply chain security requirements. Prioritize readiness efforts based on contract value, recompete timelines, and agency enforcement posture. The Army, DoD program offices, and agencies handling critical infrastructure represent the highest-probability environments for near-term SBOM requirements.
Implement SBOM generation tooling integrated into build and release pipelines regardless of current contract requirements. The technical capability to produce accurate, machine-readable SBOMs represents a competitive differentiator in source selection even where not yet mandatory. Select tooling supporting both SPDX and CycloneDX formats and validate output against CISA's 2025 minimum elements.
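One way to check generated CycloneDX JSON output against the 2021 baseline elements and the four fields added in the 2025 update (Component Hash, License, Tool Name, Generation Context) discussed above; this is an added example, not code from the article or from CISA. The mapping of those elements onto CycloneDX 1.5 fields (`hashes`, `licenses`, `metadata.tools`, `metadata.timestamp`/`metadata.authors`, `supplier`, `purl`, `dependencies`) is an assumption, and the sample SBOM is constructed.

```python
# Constructed sample (not a real SBOM): libfoo is complete; libbar lacks the
# producer, hash and license that the 2025 minimum elements require.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2026-02-01T12:00:00Z",
                 "authors": [{"name": "Example Build Team"}],
                 "tools": {"components": [{"type": "application",
                                           "name": "example-sbom-gen"}]}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3", "supplier": {"name": "Foo Project"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0"}],
    "dependencies": [{"ref": "libfoo", "dependsOn": []}]}

def check_component(comp):
    """Gaps for one CycloneDX component against the 2021 baseline + 2025 fields."""
    label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
    gaps = [f"{label}: missing {f}" for f in ("name", "version") if not comp.get(f)]
    if not (comp.get("purl") or comp.get("cpe")):
        gaps.append(f"{label}: no unique identifier (purl or cpe)")
    if not comp.get("supplier", {}).get("name"):
        gaps.append(f"{label}: missing software producer (supplier.name)")
    # Component Hash (new in 2025): at least one algorithm/digest pair
    if not any(h.get("alg") and h.get("content") for h in comp.get("hashes", [])):
        gaps.append(f"{label}: missing component hash")
    # License (mandatory in 2025): an SPDX id or a license name
    lics = [l.get("license", {}) for l in comp.get("licenses", [])]
    if not any(l.get("id") or l.get("name") for l in lics):
        gaps.append(f"{label}: missing license")
    return gaps

def check_sbom(doc):
    """Document-level checks (Generation Context, Tool Name, dependency graph) plus per-component gaps."""
    meta = doc.get("metadata", {})
    gaps = [f"metadata: missing {f}" for f in ("timestamp", "authors") if not meta.get(f)]
    tools = meta.get("tools", [])  # CycloneDX 1.5 nests tools under "components"; older versions use a list
    tool_list = tools.get("components", []) if isinstance(tools, dict) else tools
    if not any(t.get("name") for t in tool_list):
        gaps.append("metadata: missing SBOM generation tool name")
    if not doc.get("dependencies"):
        gaps.append("document: no dependency relationships")
    for comp in doc.get("components", []):
        gaps.extend(check_component(comp))
    return gaps  # empty list means every checked element is present
```

Run `check_sbom(json.load(open(path)))` over a pipeline-generated file and fail the build on a non-empty result; SPDX output needs an equivalent mapping onto its own field names.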
Evaluate current development practices against SSDF v1.1 requirements and monitor the v1.2 finalization timeline. Common gap areas include formalized vulnerability disclosure programs, automated composition analysis for third-party components, build integrity verification, and documented security testing procedures. Organizations that maintained compliance programs under the now-rescinded M-22-18 and M-23-16 should preserve those capabilities rather than dismantling them.
Establish monitoring processes for agency-specific requirements. Subscribe to agency acquisition forecasts, review draft solicitations for supply chain security language, and engage with industry groups tracking implementation across agencies. The decentralized model means requirements will emerge through individual procurements rather than government-wide policy announcements.
Organizations that invested in SBOM capabilities and secure development practices under the Biden-era mandates retain a competitive advantage. The technical requirements have not weakened; individual agencies — particularly within DoD and critical infrastructure sectors — continue to require or strongly prefer suppliers demonstrating software supply chain transparency. Those deferring investment face competitive disadvantage as supply chain security transitions from centralized compliance to a core evaluation factor in agency procurement decisions.