SBOM Federal Contractor Playbook After OMB M-26-05: The Four Agency Archetypes

Bottom Line Up Front

OMB Memorandum M-26-05 rescinded the Common Form attestation on January 23, 2026 and pushed software-supply-chain decisions to individual agencies. Federal contractors built 18-month roadmaps around the Common Form, and they are now answering four different questions from four different contracting officers. This article gives you the post-rescission contractor playbook: the four agency archetypes that have emerged in the first 90 days, the SBOM artifact each one is asking for, and the single SDLC narrative that satisfies all four. It is written for the CISO who has to brief the board on how the rescission affected the contracting pipeline.

On January 23, 2026, the Office of Management and Budget published Memorandum M-26-05 and rescinded the Common Form attestation requirement that had anchored federal software supply chain compliance for three years. Memoranda M-22-18 and M-23-16 are gone. The Cybersecurity and Infrastructure Security Agency Common Form is no longer the federal standard. In their place is a one-line instruction: agencies will adopt a risk-based approach tailored to their mission.

Tailored is the word that broke every contractor’s roadmap. A federal contractor who built an 18-month attestation pipeline around the Common Form now answers four different questions from four different contracting officers, and the law firms producing client alerts stop at the rescission rather than telling the contractor what to do next. The first 90 days post-rescission have produced a pattern, and the pattern has structure.

This article gives you the post-rescission SBOM federal contractor playbook: the four agency archetypes that emerged in the first quarter, the Software Bill of Materials artifact each one is now asking for, the single Secure Software Development Framework narrative that satisfies the discretionary range, and the contracting-pipeline brief you owe your board next month.

What OMB M-26-05 Actually Changed (and What It Did Not)

The headline is the rescission of M-22-18 and M-23-16, the two memoranda that established the Common Form attestation as the federal standard for secure software development. M-22-18 (September 14, 2022) established the attestation requirement; M-23-16 (June 9, 2023) extended the compliance deadlines and clarified scope. The memoranda required producers of software used by federal agencies to self-attest that the software was developed in conformance with NIST Special Publication 800-218 v1.1 (February 2022) (the Secure Software Development Framework, or SSDF) using a CISA-developed Common Form. M-26-05 says agencies are no longer required to use that form.

The memorandum is unambiguous about three things, and contractors who misread the rescission are skipping them. First, agencies must still maintain a complete inventory of their software, so software inventory remains mandatory at the federal customer end. Second, agencies may still adopt the Common Form as part of a tailored approach, so the Common Form has not been deprecated; it has been demoted from a uniform requirement to one of several acceptable artifacts. Third, NIST Special Publication 800-218 and the broader Secure Software Development Framework remain the cited reference standard, so the underlying SSDF practices have not changed.

What did change is the attestation modality. Producers no longer have a single federal form to fill out. Agencies now choose what attestation they want, in what format, with what evidence. M-26-05 is explicit that this choice is risk-based: an agency procuring an unclassified workflow tool may accept a brief vendor representation, while an agency procuring high-impact infrastructure may demand a Software Bill of Materials of the runtime production environment plus a third-party assessment. The discretionary range is wide, and contractors operating across multiple agencies sit in the middle of the range, not at one end of it.

The Four Agency Archetypes Emerging in the First 90 Days

The first 90 days of agency interpretation produced four distinct archetypes. They are not formal categories in the memorandum; they are the patterns visible in solicitation language, contracting-officer questions, and bid-protest filings between February and April 2026. A federal contractor selling across multiple agencies should expect to encounter all four within a single contracting cycle.

| Archetype | Agency Posture | Primary Artifact Demanded | Verification Modality |
| --- | --- | --- | --- |
| Continuity | Continues using the CISA Common Form unchanged | Common Form attestation | Producer self-attestation |
| SBOM-Forward | Replaces attestation with runtime SBOM and asset inventory | SBOM in CycloneDX or SPDX format, refreshed quarterly | SBOM submitted upon request; agency-side parsing |
| Tailored-Risk | Tiers requirements by impact level (FIPS 199 Low, Moderate, High) | SSDF practice narrative for Low; SBOM plus third-party assessment for High | Producer self-attestation at Low; assessor-validated at High |
| Quiet-Pause | Stops asking until OMB issues sub-guidance or the agency CISO publishes a directive | None demanded; software inventory continues at the agency end | None at procurement; agency relies on existing inventory and ATO controls |

The Continuity archetype is the largest by volume and the easiest for contractors. Agencies that built internal workflows around the Common Form between 2023 and 2025 are reluctant to retire the workflow before they replace it. The Common Form is still acceptable, the contracting officers know how to read it, and there is no pressure to change. A contractor whose Common Form posture was current on January 22, 2026 can continue using it for Continuity agencies through at least the end of fiscal year 2026.

The SBOM-Forward archetype is the most operationally consequential. Agencies in this archetype have read M-26-05 as permission to demand the artifact they always wanted: a runtime production-environment Software Bill of Materials. M-26-05 specifically permits this for cloud providers; SBOM-Forward agencies extend it to all software. The SBOM must be machine-readable in CycloneDX or SPDX format, must reflect the runtime environment rather than the source repository, and must be refreshed at agency-defined intervals. A contractor whose SBOM tooling produces a build-time inventory rather than a runtime one will fail this archetype’s evidence test even if the SBOM passes a tooling validation.

The Tailored-Risk archetype is the most defensible against bid protest, the most aligned with the explicit text of M-26-05, and therefore the archetype most agencies will converge on by the end of fiscal year 2026. The agency tiers software-procurement requirements by FIPS 199 categorization. Low-impact procurements accept a producer self-attestation against the SSDF practices most relevant to the use case. Moderate-impact procurements demand the same plus an SBOM. High-impact procurements demand the SBOM, a third-party assessment of SSDF practice maturity, and continuous-monitoring telemetry. The Tailored-Risk archetype is what M-26-05’s “risk-based approach” language was written to authorize.

The Quiet-Pause archetype is the smallest by volume but the most dangerous to misread. Agencies in this category have stopped asking for new attestations because they are waiting for OMB to issue sub-guidance, the agency Chief Information Security Officer to publish a directive, or the next fiscal year’s budget cycle. The contractor mistake is to interpret the silence as a policy of acceptance. The Quiet-Pause is provisional. When the agency CISO publishes the directive, the contractor will be expected to comply within the timeline the directive sets. Contractors selling to Quiet-Pause agencies should monitor the agency’s CISO Council publications and CIO Office press releases monthly.

SBOM Artifact Per Agency Archetype

The SBOM is now the central artifact in three of the four archetypes. The same contractor will produce different SBOMs for different agencies, even though the underlying software is the same, because the archetypes ask for different things. Engineering one SBOM pipeline that satisfies all three SBOM-producing archetypes is the cost-efficient design. Standing up a separate SBOM pipeline per archetype is the failure mode this article is written to prevent.

Continuity Agencies: Common Form Plus a Latent SBOM

Continuity agencies do not formally require an SBOM. The Common Form does not include SBOM fields. A contractor selling to Continuity agencies should still maintain a current SBOM in the production environment, because Continuity agencies are likely to migrate to Tailored-Risk during fiscal year 2027 and the latent SBOM becomes the contractor’s transition artifact. Producing the SBOM but not submitting it is the right posture.

SBOM-Forward Agencies: Runtime SBOM, Quarterly Refresh, Machine-Readable Format

SBOM-Forward agencies want the runtime SBOM, not the source-repository SBOM. The distinction matters because a runtime SBOM reflects what is actually deployed (including transitive dependencies pulled at install time and packages inherited from the base image), while a source-repository SBOM reflects what the developer intended. The two diverge for any non-trivial codebase, which is why the runtime SBOM has to be generated against the deployed artifact (the container image or the installed package set on the host), not against the lockfile. The SBOM-Forward agency is checking the deployed reality. CycloneDX 1.5 and SPDX 2.3 are the two acceptable formats; SPDX is more common in open-source ecosystems, CycloneDX is more common in enterprise security tooling. A contractor without an opinion on which to standardize on should default to CycloneDX because it carries vulnerability data natively and reduces the agency-side parsing cost.
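The divergence between the two inventories is mechanical to detect once both documents exist, and detecting it is the check a contractor should run before a runtime SBOM leaves the building. The script below is an added example written for this article, not tooling from the page or from any SBOM vendor. It compares a source-repository CycloneDX document against a runtime one (both constructed inline, with hypothetical package versions), walks nested components, and reports what shipped that the manifest never declared, what was declared but never shipped, and where the pinned and installed versions disagree. Components are keyed on the purl with the version and qualifiers stripped, so the same package emitted by two different generators still matches.

```python
"""Drift check between a source-repository SBOM and a runtime SBOM (CycloneDX JSON).

Added example for this article; not tooling from the page. Both documents below
are constructed, and every package version in them is hypothetical.
"""
import json
from typing import Iterator

# Constructed: the build-time inventory produced from the repository lockfile.
SOURCE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
        # Declared dev dependency: never installed in the production image.
        {"type": "library", "name": "pytest", "version": "8.0.0",
         "purl": "pkg:pypi/pytest@8.0.0"},
    ],
})

# Constructed: the inventory generated against the deployed container image.
RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         # Transitive dependencies resolved at install time, nested under the parent.
         "components": [
             {"type": "library", "name": "certifi", "version": "2024.2.2",
              "purl": "pkg:pypi/certifi@2024.2.2"},
             {"type": "library", "name": "idna", "version": "3.6",
              "purl": "pkg:pypi/idna@3.6"},
         ]},
        # The resolver picked a newer urllib3 than the lockfile pinned.
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
        # OS-level package from the base image; invisible to the source SBOM.
        {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"},
    ],
})


def iter_components(components: list[dict]) -> Iterator[dict]:
    """Walk the component tree; CycloneDX allows components nested in components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def component_key(comp: dict) -> str:
    """Version-independent identity: the purl minus version and qualifiers,
    falling back to type/name when a generator emitted no purl."""
    purl = comp.get("purl")
    if purl:
        return purl.split("?", 1)[0].rsplit("@", 1)[0]
    return f"{comp.get('type', 'unknown')}/{comp['name']}"


def load_components(sbom_json: str) -> dict[str, str]:
    """Map each component key to its version for one CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c.get("version", "")
            for c in iter_components(doc.get("components", []))}


def sbom_drift(source_json: str, runtime_json: str) -> dict[str, list]:
    """Report what the runtime inventory contains that the source one does not,
    what the source declares that never shipped, and where versions disagree."""
    source = load_components(source_json)
    runtime = load_components(runtime_json)
    common = source.keys() & runtime.keys()
    return {
        "only_in_runtime": sorted(runtime.keys() - source.keys()),
        "only_in_source": sorted(source.keys() - runtime.keys()),
        "version_drift": sorted(
            (key, source[key], runtime[key])
            for key in common if source[key] != runtime[key]
        ),
    }


if __name__ == "__main__":
    print(json.dumps(sbom_drift(SOURCE_SBOM, RUNTIME_SBOM), indent=2))
```

On the constructed input, the report lists openssl, certifi and idna as runtime-only, pytest as source-only, and urllib3 as version drift. Each of those is exactly the kind of gap an SBOM-Forward reviewer is looking for: a build-time SBOM would have passed schema validation and still been wrong about what is running.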

Tailored-Risk Agencies: SBOM Tied to FIPS 199 Categorization

Tailored-Risk agencies use the SBOM as one of three artifacts, not the only one. The SBOM is required at FIPS 199 Moderate and High; it is not required at Low. The Moderate-impact SBOM is functionally equivalent to the SBOM-Forward runtime artifact. The High-impact SBOM is augmented by a continuous-monitoring requirement: the contractor must notify the agency within an agency-defined window when a component in the SBOM is associated with a CISA Known Exploited Vulnerability. The notification window is converging on 72 hours across the four largest civilian agencies, though the formal directives are not yet published.
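The High-impact continuous-monitoring requirement reduces to a join between the runtime SBOM and the KEV catalog, with a clock started the moment the association is established. The script below is an added example for this article, not tooling from the page. It matches the CycloneDX-native `vulnerabilities` section of a runtime SBOM against a KEV catalog snapshot and computes the 72-hour deadline for each hit. The SBOM and the catalog rows are constructed for the example: field names follow the CycloneDX 1.5 and KEV JSON schemas, the CVE identifiers are real catalog entries, and the versions and dates are set for illustration rather than copied from the live catalog. The 72-hour window and the treatment of a `not_affected` VEX statement (report it with the justification rather than drop it) are assumptions consistent with the article's conservative reading.

```python
"""Match a runtime CycloneDX SBOM against a CISA KEV catalog snapshot and
compute the 72-hour notification deadline for every hit.

Added example for this article, not tooling from the page. The SBOM and the
KEV rows below are constructed; field names follow the CycloneDX 1.5 and KEV
JSON schemas, the CVE identifiers are real KEV entries, and the versions and
dates are set for the example rather than copied from the live catalog.
"""
import json
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)  # assumed agency window, per the article
DETECTED_AT = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed scan time

RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "comp-log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "bom-ref": "comp-libwebp", "name": "libwebp",
         "version": "1.2.4", "purl": "pkg:deb/debian/libwebp@1.2.4-0.2"},
        {"type": "library", "bom-ref": "comp-requests", "name": "requests",
         "version": "2.30.0", "purl": "pkg:pypi/requests@2.30.0"},
    ],
    # CycloneDX-native vulnerability section, as a scanner would emit it.
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "affects": [{"ref": "comp-log4j"}]},
        {"id": "CVE-2023-4863", "affects": [{"ref": "comp-libwebp"}],
         # VEX statement: the producer asserts the vulnerable code is unreachable.
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}},
        {"id": "CVE-2023-32681", "affects": [{"ref": "comp-requests"}]},
    ],
})

# Constructed two-row excerpt in the shape of the KEV catalog JSON feed.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.02",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4863", "vendorProject": "Google", "product": "Chromium WebP",
         "dateAdded": "2023-09-13", "dueDate": "2023-10-04",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def kev_hits(sbom_json: str, kev_json: str, detected_at: datetime) -> list[dict]:
    """Every (CVE, component) pair in the SBOM whose CVE is in the KEV snapshot,
    with the deadline measured from the scan that established the association.
    A not_affected VEX statement is reported, not dropped: the agency receives
    the justification instead of a remediation plan."""
    sbom = json.loads(sbom_json)
    kev = {row["cveID"]: row for row in json.loads(kev_json)["vulnerabilities"]}
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    deadline = (detected_at + NOTIFY_WINDOW).isoformat()
    hits = []
    for vuln in sbom.get("vulnerabilities", []):
        row = kev.get(vuln.get("id"))
        if row is None:
            continue  # vulnerable but not on KEV: normal patch cadence applies
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            comp = by_ref.get(affected.get("ref"))
            if comp is None:
                continue  # dangling bom-ref: malformed SBOM, worth its own alarm
            hits.append({
                "cve": row["cveID"],
                "component": f"{comp['name']}@{comp.get('version', '?')}",
                "kev_date_added": row["dateAdded"],
                "ransomware_use": row.get("knownRansomwareCampaignUse", "Unknown"),
                "vex_state": state,
                "notify_by": deadline,
                "action": ("notify with VEX justification" if state == "not_affected"
                           else "notify and remediate"),
            })
    return hits


def example_hits() -> list[dict]:
    """Run the matcher over the constructed SBOM and catalog excerpt."""
    return kev_hits(RUNTIME_SBOM, KEV_SNAPSHOT, DETECTED_AT)


if __name__ == "__main__":
    for hit in example_hits():
        print(json.dumps(hit))
```

The clock deliberately starts at `detected_at`, the scan that joined the inventory to the catalog, not at the KEV `dateAdded`. That is the conservative choice, and it exposes the operational consequence: a KEV entry added the day after a quarterly SBOM refresh is invisible until the next scan, so the matcher has to run on every catalog update against the current runtime inventory, not only on the SBOM refresh cadence.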

Quiet-Pause Agencies: No Submission, Full Inventory

Quiet-Pause agencies will not request the SBOM today. They will request it the day after their CISO publishes the directive. The contractor’s posture is to maintain the SBOM at the SBOM-Forward standard so that the day-of-directive request takes 24 hours to satisfy rather than 24 weeks.

The Single SDLC Narrative That Satisfies the Discretionary Range

A contractor selling to all four archetypes does not need four narratives. A single Secure Software Development Framework narrative anchored to NIST SP 800-218 covers the full discretionary range if it is structured correctly. The mistake is treating the SDLC narrative as marketing copy. The narrative is an evidence document, and it has to be written so a contracting officer at any of the four archetypes can locate the answer to the question their agency is asking.

The narrative has four parts. Each part maps to an SSDF practice group from SP 800-218. Each part identifies the artifact that demonstrates the practice, the cadence at which the artifact is produced, and the personnel responsible for production. The narrative is not the artifact itself; it is the index to the artifacts.

Part one is Prepare the Organization (PO practices). The narrative names the secure-development policy, the training cadence, the developer onboarding checklist, and the supply-chain risk-management approach. The artifacts cited are policy documents, training records, and the most recent supply-chain risk assessment. A Continuity agency reading this part is satisfied because the Common Form asked for the same information; an SBOM-Forward agency reading this part is satisfied because the supply-chain assessment establishes the basis for the SBOM tooling choices.

Part two is Protect the Software (PS practices). The narrative names the source-code protection mechanisms, the code-signing approach, and the integrity-verification process. The artifacts cited are the code-signing certificate inventory, the source-code repository access logs, and the build-pipeline configuration. The Tailored-Risk High-impact agency reading this part is satisfied because the build-pipeline configuration is auditable evidence of the SSDF PS practices.

Part three is Produce Well-Secured Software (PW practices). This is the part the SBOM lives in. The narrative names the threat-modeling cadence, the static and dynamic analysis tooling, the vulnerability-management process, and the SBOM generation toolchain. The artifacts cited are threat models, scan reports, vulnerability-remediation records, and the most recent SBOM. The narrative also names the format (CycloneDX or SPDX), the cadence (quarterly or per-build), and the runtime-versus-source posture. The SBOM-Forward agency reading this part finds the SBOM directly. The Tailored-Risk agency reading this part finds the SBOM plus the vulnerability-management cadence that supports the 72-hour Known Exploited Vulnerability notification.

Part four is Respond to Vulnerabilities (RV practices). The narrative names the vulnerability-disclosure policy, the patch-deployment cadence, and the customer-notification process. The artifacts cited are the disclosure policy, the patch-cadence metrics for the past 12 months, and the customer-notification template. The Tailored-Risk High-impact agency reading this part is satisfied because the patch cadence and the notification template demonstrate the contractor can meet a 72-hour notification window.

The four-part narrative is roughly 2,500 to 3,500 words written, plus citations to the artifacts. A contractor that produces this narrative once and refreshes it quarterly will satisfy the questions from all four archetypes without producing a new document each time the contracting officer asks.

What Contractors Should Do in the Next 60 Days

The first action is the contracting-pipeline audit. Pull the active solicitations and active contracts that include software-development scope. Categorize each agency customer into one of the four archetypes based on the language in the most recent contracting-officer correspondence. The output is a one-page table that gives the board the answer to the question the rescission produced: which contracts are at risk, which are stable, and which are pending agency clarification.

The second action is the SBOM tooling decision. If the existing SBOM tooling produces a build-time inventory rather than a runtime inventory, the tooling needs to be replaced or augmented. CycloneDX is the operationally recommended default for agencies in the SBOM-Forward and Tailored-Risk archetypes, though SPDX is acceptable. The decision should be made and documented; a contractor whose SBOM format varies by customer is producing more SBOMs than it needs to.

The third action is the SDLC narrative draft. The four-part narrative described above is the document that scales across the discretionary range. Producing it once is more efficient than answering four different agency questionnaires. The narrative is also the artifact a future agency contracting officer will request when an unforeseen archetype appears.

The fourth action is the Quiet-Pause monitoring. Identify the agencies in the contracting pipeline that have not asked about post-rescission attestation. Add the agency CISO Council and CIO Office publications to a monthly review cadence. Quiet-Pause agencies will produce directives, and the directives will set the contractor’s compliance timeline.

The fifth action is the board brief. The board does not need the four archetypes. The board needs the answer to three questions: how many active contracts are at risk, what is the cost to remediate, and what is the contractor’s posture for fiscal year 2027. The one-page table from action one is the input. The SBOM tooling decision and the SDLC narrative are the cost line items. The fiscal year 2027 posture is the alignment to Tailored-Risk, because Tailored-Risk is the archetype most agencies will converge on.

Frequently Asked Questions

Is the Common Form deprecated?

No. The Common Form is no longer required. Agencies may continue to use it as part of a tailored approach. The Continuity archetype is built around continued Common Form use. A contractor whose Common Form posture was current on January 22, 2026 can continue using it with Continuity agencies through fiscal year 2026 with no change.

Do I still need an SBOM if my customer is in the Continuity archetype?

Operationally, yes. Continuity agencies are the most likely to migrate to Tailored-Risk during fiscal year 2027, and the latent SBOM becomes the migration artifact. The recommended posture is to maintain the runtime SBOM at the SBOM-Forward standard but not submit it unless requested.

CycloneDX or SPDX?

CycloneDX is the operationally recommended default because it carries vulnerability data natively, reduces agency-side parsing cost, and is more common in enterprise security tooling. SPDX is acceptable and remains common in open-source ecosystems. The decision matters less than the consistency of the choice. One caveat applies to either format: the vulnerability data embedded in an SBOM is only as fresh as the scan that produced it, so a quarterly-refreshed SBOM does not substitute for matching the deployed inventory against the KEV catalog as the catalog changes.

What is the notification window for Known Exploited Vulnerabilities?

It is converging on 72 hours among the four largest civilian agencies in the Tailored-Risk High-impact tier. The formal directives are not yet published. Contractors should design the vulnerability-management process to support a 72-hour notification window even before the directive lands.

What if my agency customer issues no guidance at all?

The agency is in the Quiet-Pause archetype. Maintain the SBOM at the SBOM-Forward standard, monitor the agency’s CISO Council and CIO Office publications monthly, and be prepared to comply within the timeline the directive sets when it is published.

Does this affect FedRAMP authorization?

FedRAMP authorization is governed by FedRAMP, not by M-26-05 directly. FedRAMP has its own SBOM requirements that operate within the FedRAMP authorization process. M-26-05 affects software procurement outside the FedRAMP boundary. Contractors with FedRAMP-authorized products and non-FedRAMP product lines need to track the requirements separately.

The verdict. M-26-05 is not a deregulation. It is a reallocation of decision authority from OMB to individual agencies, and the four archetypes are the predictable distribution of that authority across the federal customer base. The contractors who treat the rescission as a permission slip will be the ones who are surprised when the Tailored-Risk and SBOM-Forward agencies converge during fiscal year 2027. The contractors who use the next 60 days to produce the four-part SDLC narrative, decide their SBOM format, and audit the contracting pipeline will be the ones whose post-rescission posture is durable. The Common Form was a uniform standard. What replaces it is a uniform discipline; the discipline is the SBOM, the SDLC narrative, and the agency-archetype map.

Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
