Trump’s Cybersecurity EO Removes Key Software Assurance Provisions

Listen to this Post

Featured Image
The recent Cybersecurity Executive Order (EO) under the Trump administration has eliminated critical software assurance measures established by Biden’s previous EO. Key changes include:

  • No mandatory attestations for federal software suppliers following NIST’s Secure Software Development Framework (SSDF).
  • No CISA-run repository for Software Attestations & Artifacts (RSAA) or validation program.
  • No new FAR clauses enforcing attestation compliance.
  • No DOJ escalation for false attestations.
  • SBOM (Software Bill of Materials) requirements are now agency-specific rather than centralized.

Despite these changes, SBOMs remain part of federal policy, and agencies can still enforce them under EO 14028 and existing OMB/DoD guidelines.

You Should Know:

1. Understanding SBOMs

An SBOM is a formal record containing details of software components, licenses, and dependencies. It helps track vulnerabilities in supply chains.

Commands & Tools for SBOM Generation:

  • Linux (Syft, SPDX-Tools)
    Install Syft for SBOM generation 
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin 
    syft scan docker:nginx -o spdx-json > sbom.json 
    
  • Windows (Microsoft SBOM Tool)
    Generate SBOM using Microsoft's tool 
    ./sbom-tool generate -b ./build -bc ./source -pn MyProject -pv 1.0 -ps MyOrg -nsb https://example.com 
    

2. Secure Software Development Framework (SSDF) Compliance

NIST’s SSDF outlines best practices for secure software development.

Key Steps for Compliance:

  • Static Application Security Testing (SAST)
    Run Semgrep for SAST 
    semgrep --config auto . 
    
  • Dynamic Analysis (DAST)
    OWASP ZAP for DAST 
    docker run -v $(pwd):/zap/wrk -t owasp/zap2docker-stable zap-baseline.py -t https://example.com 
    

3. Validating Attestations

Since the centralized attestation repository is gone, agencies must independently verify compliance.

Automated Verification Script (Python Example)

import requests 
import json

def verify_attestation(url): 
response = requests.get(url) 
if response.status_code == 200: 
data = json.loads(response.text) 
if data.get("ssdf_compliant") == True: 
print("Valid Attestation") 
else: 
print("Invalid Attestation") 
else: 
print("Verification Failed")

verify_attestation("https://vendor-attestation.example.com") 

What Undercode Say:

The removal of centralized SBOM and attestation requirements weakens federal cybersecurity oversight. However, agencies can still enforce SBOM policies. Developers and vendors should continue using SBOM tools (Syft, SPDX) and follow SSDF guidelines (SAST/DAST checks). Expect increased scrutiny from DoD and CISA despite policy changes.

Prediction:

  • DoD will enforce SBOMs independently under FY25-26 modernization plans.
  • More agencies will adopt internal SBOM mandates despite lack of centralized policy.
  • Vulnerability exploits may rise due to weaker attestation enforcement.

Expected Output:

  • SBOM generation (syft, Microsoft SBOM Tool)
  • SAST/DAST scans (semgrep, OWASP ZAP)
  • Automated attestation validation (Python script)
  • Continued SSDF compliance checks

Relevant URLs:

IT/Security Reporter URL:

Reported By: Wysopal Trumps – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram