The Cybersecurity and Infrastructure Security Agency (CISA) released its new Open Source Software Security Roadmap today that lays out the agency’s path forward to help ensure a secure open source software ecosystem within the Federal government.
Open source software is software that anyone can access, modify, enhance, re-use, and distribute – leading to greater collaboration and innovation among software developers. While open source software has a number of benefits, the Log4j vulnerability proved that widely used open source code can also have its downsides.
Because open source software represents a public good, the Federal government can play a role in making sure that this ecosystem is as secure as possible, CISA said.
The roadmap lays out four goals to help secure the open source software ecosystem: establish CISA’s role in supporting the security of open source software; drive visibility into open source software usage and risks; reduce risks to the Federal government; and harden the open source ecosystem.
“Open source software has fostered tremendous innovation and economic gain, including serving as the foundation for technologies used across our Federal government and every critical sector,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement. “In part due to this prevalence, we know that vulnerable or malicious open source software can introduce systemic risks to our economy and essential functions.”
“CISA is proud to serve as a partner to the open source community as we collectively take urgent steps to support open source security and ensure that all partners in this critical ecosystem invest in a secure, resilient, and innovative open source future,” Goldstein said.
The roadmap, in alignment with the Biden administration’s National Cybersecurity Strategy, provides supporting objectives to be implemented within fiscal years 2024 to 2026.
CISA outlined goals to partner with open source software communities, expand collaboration with international open source partners, and develop a framework for open source software risk prioritization.
The nation’s cyber defense agency also plans to conduct risk-informed prioritization of open source projects across the Federal government and critical infrastructure, according to the roadmap. It will also develop open source program office (OSPO) best practice guidance for Federal agencies and other entities that wish to implement OSPOs.
Lastly, the roadmap says CISA will continue to advance software bills of materials (SBOMs) within open source software supply chains and publish guidance on best practices for the secure use of open source software.
CISA’s Open Source RFI Still Looking for Comments
The Federal government is one of the largest – if not the largest – users of open source software, and CISA wants to make sure that it is contributing back to the code that it gets so much benefit from.
The agency released a request for information (RFI) last month, in partnership with the Office of the National Cyber Director (ONCD) and other Federal agencies, seeking public comment on open source software security and memory-safe programming languages.
“What we’re asking for in this RFI is for you to tell us where we should be focusing our efforts,” Jack Cable, a senior technical advisor at CISA, said at the time. “Should we, for instance, be looking at helping rewrite open source components in memory-safe programming languages?”
The agency is encouraging members of the open source software community to read through the new roadmap and get involved by submitting a response to the RFI by Oct. 9.