
M-26-05 rescinded prior federal software security memorandums on Jan. 23, 2026

Public Sector Action
H score 26
1 unique source, 1 article

Summary


OMB issued M-26-05 on Jan. 23, 2026, rescinding prior federal software security memorandums and removing the expectation that agencies require SBOMs and software self-attestations. The change affects federal procurement and shifts assurance decisions back toward agency-specific judgment, even though agencies may still choose to request the artifacts. It matters because the rollback could weaken baseline visibility into software supply-chain risk and create more inconsistent requirements for vendors.

Related Happenings

CISA adds four actively exploited flaws to KEV with FCEB deadlines

Public Sector Action
First: 13.02.2026 10:34 Last: 13.02.2026 10:34 Sources 1

About this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...

CISA end-of-support edge device decommissioning mandate (BOD 26-02)

Advisory/Mitigation
First: 06.02.2026 10:41 Last: 06.02.2026 10:41 Sources 1

About this happening: CISA's **BOD 26-02** now forces **U.S. federal agencies** to inventory, decommission, and replace **end-of-support edge devices** that no longer receive security updates. The dire...

US National Security Agency (NSA) / Zero Trust Implementation Guidelines (ZIGs): released Phase One and Phase Two guidance for zero trust maturity, published on 2026-02-02

Public Sector Action
First: 02.02.2026 18:05 Last: 02.02.2026 18:05 Sources 1

About this happening: The **US National Security Agency (NSA)** released **Zero Trust Implementation Guidelines (ZIGs)** to help organizations move toward **target-level zero trust maturity**. The guid...

Ivanti security patch release for CVE-2026-1281

Security Patch Release
First: 30.01.2026 06:43 Last: 30.01.2026 06:43 Sources 1

About this happening: **Ivanti** released **security updates** for **Ivanti Endpoint Manager Mobile (EPMM)** after disclosure of **two critical zero-day flaws** that can enable **unauthenticated remote...

Latest development: 13.02.2026 00:05

As reported on Feb. 12, 2026, attacks tied to Ivanti Endpoint Manager Mobile (EPMM) struck the European Commission and agencies of the Dutch and Finnish governments after Ivanti disclosed CVE-2026-1281 and CVE-2026-1340 on Jan. 29. The European Commission said its central infrastructure for managing mobile devices was hit on Jan. 30, with staff names and mobile numbers compromised, while Valtori said an attack of the same nature affected around 50,000 people associated with Finland's central government and leaked names, email addresses, phone numbers, and other device details.

Ivanti Endpoint Manager Mobile (EPMM) actively exploited code injection flaws (multiple vulnerabilities)

Vulnerability
First: 30.01.2026 06:43 Last: 30.01.2026 06:43 Sources 1

About this happening: **Ivanti Endpoint Manager Mobile (EPMM)** is affected by **two critical code-injection flaws** — **CVE-2026-1281** and **CVE-2026-1340** — that enable **unauthenticated remote cod...

Latest development: 08.04.2026 21:15

CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch agencies to patch Ivanti Endpoint Manager Mobile (EPMM) systems by Saturday midnight, April 11, under Binding Operational Directive (BOD) 22-01. CISA also urged defenders in the private sector to prioritize patches for the critical code-injection flaw affecting Internet-exposed, unpatched EPMM appliances.

Timeline

  1. 30.01.2026 00:25 2 articles · 3mo ago

    OMB M-26-05 rescinds SBOM and attestation mandates

    Legal Policy Action Update

    OMB Director Russell Vought issues M-26-05 and rescinds M-22-18 and M-23-16, ending the federal mandate for software bills of material (SBOMs) and self-attestations tied to NIST secure development guidance. Federal agencies may still choose to require SBOMs and letters of attestation, but the previous requirement and expectation to collect them are withdrawn.

  2. 30.01.2026 00:25 1 article · 3mo ago

    Security leaders debate the rollback's impact

    Initial Disclosure

    Security leaders debate whether removing the SBOM and attestation requirements will improve agency flexibility or weaken software supply-chain security. Some argue that procurement should focus on mission risk and operational impact, while others warn that the change will reduce verification, encourage inconsistent vendor demands, and fragment the baseline around SSDF-aligned practices.
