How will OMB’s M-26-05 rescission of the “Common Form” secure software attestation change software procurement requirements for federal contractors? 2026
OMB M-26-05 (Feb 19, 2026) rescinds the government-wide mandate to collect the single "Common Form" attestation. Agencies now set risk-based, agency-specific attestation requirements and may still use CISA's Secure Software Development Attestation Form as a template. Small vendors should budget $25K–$150K and prepare agency-specific evidence or risk award ineligibility.
Gov Contract Finder · 7 min read
What Is the OMB M-26-05 Rescission and Who Does It Affect?
What is the OMB M-26-05 rescission of the Common Form?
Sources: GSA, OMB, CISA
Per OMB M-26-05 and the commentary cited below, the rescission withdraws the government-wide requirement to collect one Common Form (the form published by CISA as the Secure Software Development Attestation Form) and directs agencies to adopt risk-based, agency-specific attestation requirements instead. CISA's form is not withdrawn; agencies may continue to use it as a template or starting point, but they are no longer bound to it. The change took effect Feb 19, 2026 and shifts responsibility for defining and enforcing attestation requirements to agency procurement officials.

Contractors must now expect attestation requirements that vary with program risk, contract value, and data sensitivity. Agencies can write the M-26-05 approach into solicitations and task orders immediately, so contractors should watch GSA schedule amendments and agency acquisition letters for new attestation language.

In practice, a solicitation may still point to CISA's Secure Software Development Attestation Form, but one form signed once no longer satisfies every agency: vendors must map their security evidence to each agency's risk model and keep SBOMs, a vulnerability disclosure policy, and evidence of secure development practices current. Plan for multiple attestation workflows: some agencies will accept CISA's form as-is, others will request supplemental evidence or an agency-specific questionnaire keyed to contract value or to the presence of Controlled Unclassified Information (CUI). The change increases procurement friction for small firms that previously relied on one attestation. It also gives agencies discretion to align attestations with FedRAMP, CMMC, and other program requirements, which raises the bar for reusing a prior attestation across agencies.

Per FAR 19.502, small businesses can still pursue set-asides and simplified acquisitions while meeting the new agency attestation demands, but each submission must match that agency's risk-based requirements. The FAR remains the baseline for small business eligibility, teaming, and subcontracting; what changes is that contracting officers may now weigh software security evidence in source selection and responsibility determinations. Small vendors should keep SAM.gov registrations current, include security artifacts in the technical volume of proposals, and respond to whatever attestation clause the solicitation cites. Firms competing for set-aside or 8(a) awards should consider partnering with integrators that already hold the relevant certifications and budget for additional security work: training, third-party assessment, or SBOM generation. In this page's estimate, proposal-related compliance costs range from about $25,000 for a basic attestation to over $150,000 for a formal third-party assessment or CMMC readiness, depending on contract scope and agency risk posture.

The SBA reports that 78% of small vendors rely on GSA schedules or agency IDIQs for federal revenue, so agency-level discretion under the rescission affects most small software sellers. OMB's broader acquisition guidance continues to emphasize risk management and supply-chain security, and M-26-05 directs agencies to tailor attestations rather than rely on a single form. DoD's CMMC framework requires evidence of the contract's specified level for covered defense contracts, and agencies that fold CMMC or FedRAMP into their requirements may demand higher assurance than CISA's baseline form. Small vendors selling to DoD, DHS, or VA should expect contracting officers to ask for CMMC mapping or FedRAMP authorization evidence where applicable. Practically, vendors should maintain modular evidence packages (SBOMs, test results, vulnerability-management metrics, developer training logs) that can be assembled for a specific agency questionnaire without redoing a full assessment each time.
How do contractors comply with agency-specific attestations after the rescission?
Sources: GSA, CISA, FAR
Contractors comply by preparing modular evidence: SBOMs, secure development policies, vulnerability-tracking logs, and, where the agency asks for it, CISA's Secure Software Development Attestation Form. Start evidence collection at least 90 days before proposal submission and budget $25K–$150K for assessments and remediation.
The M-26-05 rescission responds to industry feedback that a one-size-fits-all attestation was administratively heavy and technically inflexible. The Common Form was meant to standardize attestations across agencies, but OMB concluded that agencies need discretion to scale attestation requirements to program risk. This fits broader federal cyber policy: agencies are expected to build risk management into acquisition decisions, and CISA continues to offer its attestation form as a template that agencies may adopt or augment. The practical result is that solicitations issued after Feb 19, 2026 may include either a pointer to CISA's form or an agency-specific questionnaire tied to data sensitivity and contract dollar thresholds. Vendors must therefore maintain evidence for several request vectors, not one generic attestation: responsibility determinations, source-selection technical evaluations, and post-award compliance audits. For small companies that previously sold across agencies on a single attestation, this means updating internal policies, investing in SBOM tooling, and documenting the development lifecycle to satisfy differing agency expectations.
Per FAR 19.502, small businesses continue to benefit from set-asides and socioeconomic programs such as 8(a), HUBZone, and SDVOSB while responding to the new attestation expectations, but must add security evidence to their proposals. DoD's CMMC framework requires the contract's specified level for covered contracts (Level 1 and some Level 2 requirements are met by self-assessment; other Level 2 awards and all Level 3 awards require third-party or government assessment), and contracting officers will map agency-specific attestations to CMMC, FedRAMP, or other authorization programs where applicable. Agencies such as DHS and VA commonly fold FedRAMP or specialized security requirements into cloud procurements, so cloud vendors must keep authorization packages alongside any attestation. The SBA and GSA both recommend early engagement with procurement officials and placing security evidence in the technical volume of the proposal to avoid adverse responsibility findings or exclusion. Expect technical questions during source selection; solid documentation (vulnerability remediation timelines, SBOM provenance, SCA tool outputs) reduces negotiation risk and shortens post-award compliance periods.
Important Note
Agencies may accept CISA's Secure Software Development Attestation Form but can require supplemental evidence; start compiling SBOMs, testing artifacts, and remediation histories at least 90 days before proposal deadlines to avoid disqualification.
Step 1: Assess
Per FAR 9.104 and FAR 52.212-1, inventory your software, identify where CUI is handled, and map each product to the target agency's risk tier within 30 days.
Step 2: Collect Evidence
Assemble SBOMs, SAST/DAST reports, vulnerability-tracking logs, and secure development policies within 60–90 days.
Step 3: Engage Agencies
Per FAR 15.201, request pre-solicitation exchanges and confirm whether the agency will accept CISA's form or require a bespoke attestation; do this 90 days before bid submission.
Step 4: Remediate & Certify
Where CMMC or FedRAMP applies, obtain the required third-party assessment; allow 90–180 days and budget $25K–$150K depending on scope.
What happens if contractors don't meet agency attestation requirements?
Sources: OMB, GSA, FAR
Failing to provide a required attestation or its supporting evidence can lead to an adverse responsibility determination or rejection of the proposal. A false or misleading attestation is a different and more serious matter: because the attestation is a certification to the government, it can expose the vendor to suspension, debarment, and false-statement or False Claims Act liability. Agencies may disqualify offers at source selection or impose corrective actions post-award; remediation windows typically range from 30 to 180 days depending on the agency and contract risk.
Agencies will implement the rescission by inserting agency-specific attestation language into solicitations and contracts, with contracting officers setting thresholds by dollar amount, data sensitivity, and criticality. Typical implementation paths are: (1) adopting CISA's Secure Software Development Attestation Form as-is for low-risk purchases, (2) requiring the CISA form plus supplemental evidence for moderate-risk purchases, or (3) demanding a full third-party assessment (CMMC, FedRAMP, or equivalent) for high-risk procurements. Agencies will likely tie these requirements to clause applicability in the FAR and agency supplements, so small vendors must watch for FAR clause and agency supplement updates. For planning, track agency acquisition forecasts and amend proposal templates to include modular evidence packages (SBOMs, SCA reports, test suites, developer training records) that satisfy whichever path an agency selects. This modular approach reduces duplicate work and lowers the cost of responding across multiple agencies.
Per FAR 9.104-1 and FAR 52.209-5, contracting officers must determine that offerors are responsible and capable of performing; that determination may now take software security attestations into account alongside past performance. DoD's CMMC requirements continue to apply to covered defense contracts, and FedRAMP remains the standard for cloud services, so vendors should maintain authorization artifacts in parallel with attestation evidence. Agencies may also require ongoing post-award reporting (vulnerability remediation SLAs, periodic SBOM updates, continuous monitoring evidence), so vendors should build automated pipelines that generate this evidence rather than assembling it by hand. Tooling for SBOM generation, SCA, and vulnerability tracking reduces manual overhead and timelines: plan 60–120 days to instrument CI/CD pipelines and produce audit-ready artifacts for competitive bids.
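As an added example (not code from the page, GSA, CISA, or any agency), the following Python script shows one way to build the reusable, modular evidence package described above. It checks a CycloneDX SBOM against the NTIA minimum elements for an SBOM (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), derives remediation metrics and SLA breaches from a vulnerability-tracking log, and writes a SHA-256 manifest so an evaluator can confirm the artifacts were not altered after submission. The sample SBOM, vulnerability log, and SLA thresholds (15 days for critical, 30 days for high) are constructed for illustration; the mapping of NTIA elements onto CycloneDX fields and the thresholds are assumptions, not agency requirements.

```python
"""Assemble a reusable attestation evidence package (added example, not agency code).

Validates a CycloneDX SBOM against the NTIA minimum elements, derives remediation
metrics from a vulnerability log, and emits a hashed manifest. The CycloneDX field
mapping and the SLA days are assumptions for illustration.
"""
import hashlib
import json
import statistics
from datetime import date

# Constructed sample SBOM (CycloneDX JSON). lib-b deliberately lacks supplier and purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-03-01T00:00:00Z",
        "authors": [{"name": "Example Vendor Security Team"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.4.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "1.2.3",
         "supplier": {"name": "Example Inc"}, "purl": "pkg:pypi/lib-a@1.2.3"},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}],
}

# Constructed vulnerability-tracking log; VULN-003 is still open as of AS_OF.
SAMPLE_VULN_LOG = [
    {"id": "VULN-001", "component": "lib-a", "severity": "critical",
     "opened": "2026-01-05", "closed": "2026-01-12"},
    {"id": "VULN-002", "component": "lib-b", "severity": "high",
     "opened": "2026-01-20", "closed": "2026-02-25"},
    {"id": "VULN-003", "component": "lib-b", "severity": "high", "opened": "2026-02-20"},
]

# Assumed remediation SLAs in days per severity (illustrative, not a CISA or agency figure).
ASSUMED_SLA_DAYS = {"critical": 15, "high": 30}
AS_OF = date(2026, 3, 1)


def check_sbom_minimum_elements(sbom: dict) -> list[str]:
    """Return findings against the NTIA minimum elements; an empty list means pass."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing (timestamp)")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata.authors missing (author of SBOM data)")
    known = {meta.get("component", {}).get("bom-ref")}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", "<no bom-ref>")
        known.add(ref)
        if not comp.get("name"):
            findings.append(f"{ref}: name missing (component name)")
        if not comp.get("version"):
            findings.append(f"{ref}: version missing (version)")
        if not (comp.get("supplier") or comp.get("publisher")):
            findings.append(f"{ref}: supplier missing (supplier name)")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{ref}: purl/cpe missing (unique identifier)")
    deps = sbom.get("dependencies", [])
    if sbom.get("components") and not deps:
        findings.append("dependencies missing (dependency relationship)")
    for entry in deps:
        for target in entry.get("dependsOn", []):
            if target not in known:
                findings.append(f"dependency on unknown bom-ref {target}")
    return findings


def remediation_metrics(vuln_log: list[dict], sla_days: dict, as_of: date) -> dict:
    """Per-severity open/closed counts, median days-to-close, and SLA breaches.
    Open findings are aged to as_of, so an overdue open item also counts as a breach."""
    per_sev: dict = {}
    breaches = []
    for v in vuln_log:
        opened = date.fromisoformat(v["opened"])
        closed = date.fromisoformat(v["closed"]) if v.get("closed") else None
        age = ((closed or as_of) - opened).days
        bucket = per_sev.setdefault(v["severity"], {"open": 0, "closed_days": []})
        if closed:
            bucket["closed_days"].append(age)
        else:
            bucket["open"] += 1
        limit = sla_days.get(v["severity"])
        if limit is not None and age > limit:
            breaches.append({"id": v["id"], "severity": v["severity"], "days": age, "limit": limit})
    summary = {
        sev: {"open": b["open"], "closed": len(b["closed_days"]),
              "median_days_to_close": statistics.median(b["closed_days"]) if b["closed_days"] else None}
        for sev, b in per_sev.items()
    }
    return {"summary": summary, "sla_breaches": breaches}


def build_manifest(artifacts: dict, as_of: date) -> dict:
    """SHA-256 per artifact so an evaluator can confirm nothing changed after submission."""
    return {
        "generated": as_of.isoformat(),
        "artifacts": {name: {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
                      for name, data in sorted(artifacts.items())},
    }


def assemble_package(sbom: dict, vuln_log: list[dict], sla_days: dict, as_of: date) -> dict:
    """Serialize the artifacts, hash them, and attach a go/no-go readiness flag."""
    sbom_bytes = json.dumps(sbom, sort_keys=True, indent=2).encode()
    metrics = remediation_metrics(vuln_log, sla_days, as_of)
    metrics_bytes = json.dumps(metrics, sort_keys=True, indent=2).encode()
    package = build_manifest({"sbom.cdx.json": sbom_bytes, "vuln-metrics.json": metrics_bytes}, as_of)
    package["sbom_findings"] = check_sbom_minimum_elements(sbom)
    package["sla_breaches"] = metrics["sla_breaches"]
    package["ready"] = not package["sbom_findings"] and not metrics["sla_breaches"]
    return package


if __name__ == "__main__":
    print(json.dumps(assemble_package(SAMPLE_SBOM, SAMPLE_VULN_LOG, ASSUMED_SLA_DAYS, AS_OF), indent=2))
```

Run as a CI step after SBOM generation, the script fails the build (ready is false) when a component lacks a supplier or unique identifier, or when a finding has exceeded its SLA, which is exactly the kind of gap an agency questionnaire will surface later. Keeping the manifest hashes under version control alongside each proposal gives a reproducible record of what was attested to.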
The Challenge
Needed CMMC-equivalent evidence and agency-specific attestation within 6 months to respond to a $2.8M DoD RFP after the Common Form rescission.
Outcome
Won the $2.8M DoD contract, priced 18% below nearest competitor; reduced future bid prep time by 40% through reusable evidence packages.
"Agencies will tailor software attestation requirements to risk and mission needs; a single government-wide form does not replace agency responsibility for assessing vendor security posture."
Deadline: Feb 19, 2026 — OMB M-26-05 rescission effective; agencies may require agency-specific attestations beginning that date per OMB guidance
Budget: $25,000–$150,000 — estimated compliance and third-party assessment cost range for small vendors per GSA and industry estimates
Action: Register/update evidence in SAM.gov and prepare attestation packages at least 90 days before proposal submission per FAR guidance
Risk: a missing attestation or evidence can cause proposal rejection or an adverse responsibility finding; a false attestation can lead to suspension or debarment; corrective-action windows typically run 30–180 days per OMB and GSA enforcement practices
Sources & Citations
1. OMB Rescinds the "Common Form" Secure Software Attestation Requirement. Inside Government Contracts (industry article).
2. OMB Rescinds Biden-Era Software Security Requirements, Directs Agency-Led and Risk-Based Approach. Davis Wright Tremaine (law firm alert).
3. Secure Software Development Attestation Form. CISA (government site).
Opportunity: $789B in FY2026 federal contract spending signals continued opportunities for compliant vendors across agencies
Next Step
Start evidence collection (SBOMs, SCA, vulnerability logs) within 30 days and complete a reusable attestation package by May 1, 2026 to meet solicitations issued after Feb 19, 2026