The Software Bill of Materials Mandate Is Here — Just Not the One Everyone Expected
The Software Bill of Materials story that most federal contractors prepared for in 2025 is not the story that landed in 2026. The Office of Management and Budget rescinded the uniform secure-software attestation requirement on January 23, 2026 — replacing the one-size-fits-all CISA Common Form with a risk-based approach in which each federal agency develops its own SBOM and software-attestation requirements.
The headline read the rescission as a deregulatory move. The contracting reality is the opposite. The SBOM mandate is now distributed across every awarding agency rather than centralized at OMB — which means the contractor's SBOM and attestation obligation depends on which agency, which contract vehicle, and which scope of work the contractor is executing.
OMB Memorandum M-26-05 replaced the Biden-administration Memorandum M-22-18. The CISA Common Form attestation that federal agencies had been required to obtain from software producers is no longer mandatory. Agencies may still use the Common Form. Agencies may also develop their own risk-based approach. Agencies may still require an SBOM.
A contractor running on DoD task orders is going to see one SBOM expectation. A contractor running on civilian agency vehicles is going to see another. A contractor delivering software for cleared-environment use is going to see a third — driven by NIST SP 800-218, the Secure Software Development Framework (SSDF), whose references the cleared community has not relaxed.
DOJ's Civil Cyber-Fraud Initiative remains active. Settlements in cybersecurity-related False Claims Act (FCA) cases continue to land. The OMB rescission does not insulate a contractor from FCA exposure. If a contract requires an SBOM or a secure-software attestation, and the contractor delivers one without the actual underlying secure-development practices in place, the FCA exposure is the same as it was under the prior Common Form posture.
CMMC Phase 2 enforcement still begins November 10, 2026. Contractors delivering software in support of DoD requirements still have to satisfy the CMMC Level 2 control inventory. The OMB rescission does not relieve the CMMC posture.
The contractor's cyber insurance underwriter used to be able to ask one question — "Are you compliant with the CISA Common Form attestation requirement?" — and use the answer to score the SBOM exposure. The 2026 underwriting question is more granular — which agencies, which contract vehicles, which task orders, which software components, which attestation requirements does your portfolio carry?
PFTN's govcon approach treats the SBOM file the way the contracting officer treats it. Strategic Discovery starts with the contract vehicle inventory, the agency mix, the software-development practices, and the supplier flow-down posture. Risk Assessment quantifies the agency-by-agency requirement set and the FCA exposure inside cybersecurity representations the contractor has already made. Solution Design pairs the cyber tower with practice management liability and the surety program.
The SBOM mandate is here. It just is not the one everyone expected. The shift starts with one conversation — and preferably before the next contract modification lands.
— Ryan Mefford, President & Risk Advisor