Federal agencies will no longer require SBOMs

Federal agencies will no longer be required to solicit attestations from software vendors that their products were developed in compliance with NIST's Secure Software Development Framework (SSDF).

The SBOM requirement has led to a small cottage industry of scanning and CI tools that generate and validate SBOMs. It will be interesting to see how that market develops, but constantly changing standards and practices are not good for businesses.

The US used to roll out changes like this thoughtfully and carefully. In our increasingly polarized political climate, software companies are instead whipsawed back and forth. Adding and removing requirements like this is not a zero-cost change: compliance burdens cost money, time, and credibility for any company based here in the US.
