Terry Gerton We’re going to talk a little bit about software bills of materials. At the end of January, OMB rescinded the mandatory SBOM requirements and replaced them with sort of a menu of choices, a risk-based approach. What does that really mean for agencies as they approach this issue in practical terms?
Jean‑Paul Bergeaux In practical terms, it takes away the compliance that they had to meet and more assigns them the responsibility to understand their risk and to assess how to manage that risk better.
Terry Gerton So a lot of times people say that well, we need more autonomy, we need more flexibility, don’t make us comply. Is that following that kind of logic or is there a risk that we insert?
Jean‑Paul Bergeaux It’s funny, you have a catch-22 for agency executives, right? If you take away the requirements, then you make them make decisions and be held accountable for those decisions. So it’s kind of a catch-22. A lot of agencies do say they want autonomy. They want to make their own decisions. But at the same time, that means they’re more responsible for those decisions, and that’s kind of what the administration is trying to do here, is to say, hey, we don’t want to tell you exactly what to do because that may not be what you should be doing. We want you to tell us, what is it that your mission requires you to do to hold these supply chain providers, the things that you’re buying, software, accountable and know what risks you have? And we want you to define that and do it.
Terry Gerton So the SBOM requirement has been around for several years now. What originally prompted the rule?
Jean‑Paul Bergeaux It was a breach in 2020 that had a supply chain hit, and a very complicated and pretty ingenious supply chain hit where the software that was being provided from the provider was malicious because the bad guys had gotten inside of the organization and planted things in it. And that started a whole conversation around, how do we account for this? How do we check on whether or not our providers are protecting us from another incident like this?
Terry Gerton At the time we probably didn’t know what we didn’t know in this space and having a compliance checklist was very helpful in making sure people held to the bare minimum of security requirements.
Jean‑Paul Bergeaux I completely agree. I think having this compliance first and making people go through it, highlighting it, making a point of it was a good move. I think that was definitely something that forced agencies to acknowledge it. And now the shift — I’m actually a fan of this. I was a fan of the original compliance requirement and now I’m kind of a fan of this, hey, well, okay, we made our point. We pushed you guys to do a lot of things, and there was a lot of accounting and a lot of paperwork done, but now let’s roll that back, because we’ve made our point, and let’s have you, Mr. Agency and leadership, tell us, what do you need to be doing to correctly manage this?
Terry Gerton So now that you’re a fan, do you think the agencies have learned the necessary lessons over these past few years to actually be able to manage this well?
Jean‑Paul Bergeaux It all depends on the agency and the people involved. I think a majority have. I think the majority of the agencies have seen what they needed to, understood the challenge and understood the risks. And I think a majority of them have a good idea of what they should be doing. And the hardest part is making that decision, owning that risk. Now saying, hey, as a mission owner, do I just make it easy and say, well, I’m going to just keep complying with this and make that my risk management? Which may be the right thing, it may not. Or do they take a different approach and say well, I’m going to manage this to my mission that may look different than just a compliance of, give me a bill of materials.
Terry Gerton What do you think were the most important lessons that agency managers learned to make sure that they can now act with that autonomy and flexibility?
Jean‑Paul Bergeaux I think they learned what software providers were going to be easy to work with and get what they needed, and what were not. I think there’s been a lot of challenges with complying, especially for middle- or smaller-size software companies, and I think that’s one thing that agencies definitely learned as they tried to meet this.
Terry Gerton I’m speaking with Jean-Paul Bergeaux. He’s the federal CTO for GuidePoint Security. Well, let’s move from the past then into the present. With the rescinding of this requirement, how do you think that agencies will adapt? Will they, as you say, sort of keep using the SBOM requirement just because it’s safe and they know it works? Will they really step forward and develop some new criteria for the providers?
Jean‑Paul Bergeaux Honestly, it will come down to the personality of the executive administration of each agency. Some are headstrong, and they really feel like they know what they want to do. They’re willing to assume the risk to do different things, and they’ll take a different approach and maybe take a more flexible approach with those software providers that may not be able to manage the cost of providing an SBOM or attestation the way that they want, and they’ll look for other ways to do that. Some agencies are investing in SBOM detection software where they can just read it in and they can come up with an SBOM they feel comfortable with. Some are waiving it, depending on what that provider is providing and the value and the risk they’re willing to assume. So really, it’s going to come down to the personality of those trailblazers who are willing to take risks to find new ways to achieve the mission. They’re going to deviate from that. Those that are more on the safety side and more on the complete risk-avoidance are probably going to follow the original rule and say, I’m just going to stick to what I was told to do before and I’m not going to step out of those bounds because I can always defend that.
Terry Gerton How much more complicated does this make the universe for the software providers? Before, they had one rule, everybody followed it. It was nice and easy and straightforward. Now it’s like, who knows?
Jean‑Paul Bergeaux It’s a wild, wild west, right? I agree, it is going to be definitely more challenging. I think the attestation, the SBOMs, was challenging and many spent a lot of resources towards providing that. Now it’s going to be, okay, which agencies do and do not require what, and how do we navigate that? It’s a completely different challenge.
Terry Gerton As the agencies move forward in this new wild, wild west, what tools should they be thinking about using to manage their software supply chain risk, especially when they’re dealing with legacy systems, maybe, or other sorts of embedded software?
Jean‑Paul Bergeaux So there are technologies coming out that allow a piece of software to be analyzed and, to some degree of accuracy, provide an SBOM, software bill of materials, of the software that’s being provided. And I think that’s one area that agencies probably want to invest in because, No. 1, they’re not going to get an SBOM from some certain-size innovation, smaller companies, and it’s going to be hard to get that. But also it would be really good to say, I’m going to double-check you and see what I get out of my software from what you say is in your software, and I want to be able to compare that. So I would say that’s the No. 1 thing I would look at, some of those providers. Now they do a great job, but the accuracy can be fluid, depending on the software, and the size of it and the complexity of it can make it vary.
Terry Gerton As agencies move forward and they’re all trying their own different approaches here, I would imagine that some will learn their lessons the hard way and have to retrench a bit. Is there a forum or a venue where you would want agencies to share their lessons learned here, sort of an evolution of best practices?
Jean‑Paul Bergeaux I think that would be a great thing. And I think that somewhat exists through some of the connectivity that the agencies have to each other. In some cases, it’s up through, hey, CISA is keeping us accountable, or they’re tracking things, or there’s audits — those kinds of things are a natural flow. I know that many agency leadership stay in touch with each other and try to learn from each other, and I’m a big fan of that. I think that’s a great way for them to avoid others’ mistakes and to share their own in private. It’s hard to share your mistakes publicly. I can imagine anybody who’s in a sort of risk management and leadership position doesn’t want to get an audit that the whole public sees. I think the current both CISA and OMB, GAO-type auditing, sometimes some of that does not get displayed publicly for security reasons. Getting those two other agencies and helping them see what has gone right or wrong with different agencies is the best model, and we do a lot of that now.
Terry Gerton Just imagine that we’re five years down the road now on this flexibility journey. What do you expect the impact to be in the long run? Is software going to be less expensive because there’s lower compliance standards, or is it going to be more expensive or more reliable? What do you expect?
Jean‑Paul Bergeaux Potentially less expensive, depending on how agencies respond and how flexible agencies are. I think more likely — there’s a lot of things you could say were positive or negative with this — the most beneficial thing I would say with this is it gives flexibility to adopt software that brings innovation, that may not be able to afford providing you the attestation. So if you see something that’s going to bring you an incredible innovation, you may be willing to run your own SBOM check or have some flexibility in a waiver to say, I need this, it’s going to advance my mission, it’s going to advance my agency. Sort of like you see right now where some agencies are able to get around FedRAMP and they do their own ATO, which is what FedRAMP is, it’s an ATO. “Okay well, they’re not FedRAMPed but I will run my own ATO and I will do my own risk assessment and I’m going to adopt that software.” It’s a lot harder to do for FedRAMP because of the stringency around it, whereas this I think is very similar in that the biggest positive is the potential to adopt innovative software that just is not ready to meet the old standard.
© 2026 Federal News Network. All rights reserved.