
OMB rescinds ‘burdensome’ Biden-era secure software memo

The Trump administration is rescinding a Biden-era memo that was intended to help agencies buy secure software, with the current Office of Management and Budget saying it relied on “unproven and burdensome” processes.

A former Biden administration official said the move is “the first major policy step back that I have seen in the administration on a cybersecurity front.”

At issue is the 2022 OMB memo titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” M-22-18. The administration rescinded the memo Friday.

That memo led to the creation of a common “Secure Software Development Attestation Form” for government agencies that contractors had to use to vouch that their software adheres to a set of security practices. Agencies couldn’t buy from software vendors that couldn’t attest to the security of their products.

“Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network,” OMB Director Russell Vought wrote in a brief memo Friday to agency heads. “There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.”

Nick Leiserson, who served as assistant national cyber director for cyber policy and programs under Biden’s Office of the National Cyber Director, told CyberScoop that rescinding the 2022 memo was a step backward because the memo was meant to use government purchasing power to influence the market, and its repeal “is not good for the security of government systems and for the software that’s used throughout the whole U.S. economy.”

The memo stemmed from the first Biden administration executive order, a response to the major SolarWinds breach that led to agencies being penetrated by alleged Russian hackers, among other notable cyber incidents.

Rescinding it leaves nothing in its place, said Leiserson, now senior vice president for policy at the Institute for Security and Technology, at a time of rising exploitation of software vulnerabilities.

Friday’s decision doesn’t ban everything from the 2022 memo. Vought said that agencies could still use the common attestation form if they choose; that agencies must “maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs”; and that agencies could adopt contract terms that require software makers to provide, upon request, a list of software ingredients known as a software bill of materials.

Leiserson disputed the idea that the 2022 memo was burdensome, pointing to government estimates that the common form would consume three hours and 20 minutes of paperwork. He also said rescinding it goes against the Trump administration’s stated goal of deconflicting a tangle of cybersecurity rules: in place of one common form for all contractors, agency-by-agency forms will increase the regulatory burden.

The Trump administration had previously signaled a desire to roll back other cybersecurity directions for agencies from President Joe Biden.

The post OMB rescinds ‘burdensome’ Biden-era secure software memo appeared first on CyberScoop.

Opexus claims background checks missed red flags on twins accused of insider breach

Opexus admits it missed key red flags when it hired twins Muneeb and Sohaib Akhter, as it failed to learn about crimes the brothers pleaded guilty to in 2015, including wire fraud and conspiring to hack into the State Department — offenses committed while they were contractors for federal agencies. The federal government contractor nonetheless maintains it conducted seven-year background checks before hiring the brothers in 2023 and 2024.

Opexus fired them in February, minutes before they allegedly stole and destroyed government data in retaliation. The background checks were “consistent with prevailing government and industry standards with additional requirements for more sensitive work. That said, we fully acknowledge that additional diligence should have been applied,” a spokesperson for Opexus told CyberScoop. 

Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Dec. 3 for allegedly committing a series of insider attack crimes during a weeklong window in February that ultimately compromised data from multiple federal agencies, including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission. 

Opexus said it decided to terminate the twins’ employment upon learning of their prior criminal history, but it did not explain how it became aware of their previous crimes nor what prompted a deeper look into their past. The brothers’ previous crimes were widely reported at the time, including details that are readily available via search engine queries on their respective names.

The Washington-based company, which provides services and hosts data for more than 45 federal agencies, admits it made multiple mistakes in the hiring and termination of Muneeb and Sohaib Akhter.

“As with the onboarding, the terminations were not handled in an appropriate manner,” the company spokesperson said. 

“While these individuals passed background checks at the time, this incident made clear that our screening protocols needed to be even more robust,” the spokesperson added. “We have since enhanced our vetting processes and implemented additional safeguards designed to strengthen the protection of the systems and information we manage.”

Muneeb Akhter allegedly accessed Opexus’ computer network five minutes after he was fired. Within an hour, he allegedly deleted approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

That same evening, Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to the EEOC and stole copies of IRS records containing personally identifiable information on at least 450 people.

Opexus said it later addressed the errors that allowed the twins to keep access to company computers and to the systems under its care after their termination, rather than having that access revoked immediately. The spokesperson said the company took “appropriate corrective actions and reinforced training across the human resources function to ensure strict adherence to our standard operating procedures going forward.”

The company said it took other measures in response to these insider attacks that are designed to prevent similar outcomes.

“The individuals responsible for hiring the twins are no longer employed by Opexus, and we have since strengthened our screening protocols across the organization,” the spokesperson said. “These enhancements include expanding our standard background check to 10 years, along with additional safeguards that are now embedded into our standard hiring process.”

Opexus also said it supported customers impacted by the internal breach by helping them restore data and providing resources and subject matter expertise for their internal reviews. “The security of our customers’ information is our No. 1 priority, and we remain committed to continuous improvement in our hiring, compliance and internal controls,” the spokesperson said. 

The company said it’s grateful for law enforcement’s actions on this matter, adding that it appreciates that Muneeb and Sohaib Akhter are being held accountable for their alleged crimes. 

Sohaib Akhter faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

Muneeb Akhter is charged with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges.

The post Opexus claims background checks missed red flags on twins accused of insider breach appeared first on CyberScoop.