CISA Sets a Roadmap to Drive Open Source Software Security

Published: September 21, 2023

Tags: Federal Market Analysis, Critical Infrastructure Protection, Cybersecurity, CISA, Open Source, Policy and Legislation

The latest cybersecurity roadmap seeks to drive visibility into, and reduce the risks of, the use of open source software among federal agencies.

The Cybersecurity and Infrastructure Security Agency (CISA) recently published its Open Source Software Security Roadmap, which sets out how the agency will enable the secure use of open source software (OSS) within the federal government and support a global open source software ecosystem that is healthy, secure and sustainable.

The new roadmap fulfills an element (4.1.2) of the National Cybersecurity Strategy Implementation Plan, to “Promote open-source software security and the adoption of memory safe programming languages” through the Open Source Software Security Initiative (OS3I).

Federal Concerns and Goals Around OSS

CISA identified two broad concerns around OSS vulnerabilities and attacks: the cascading effects of vulnerabilities in widely used OSS components, and supply chain attacks on OSS repositories that lead to the compromise of downstream software.

The roadmap lays out four goals with supporting objectives to be implemented in fiscal years (FY) 2024 through 2026:  

  1. Establish CISA’s Role in Supporting the Security of Open Source Software – This involves identifying and reducing risks to the federal government and critical infrastructure and contributing to the security of the broader OSS ecosystem. Objectives include partnering with OSS communities; encouraging collective action from centralized OSS entities; expanding engagement and collaboration with international partners; and establishing and organizing CISA’s OSS work.
  2. Drive Visibility into Open Source Software Usage and Risks – This involves identifying the OSS that is most used to support critical functions across the federal government and critical infrastructure. Objectives include understanding OSS prevalence; developing a framework for OSS risk prioritization; conducting risk-informed prioritization of OSS projects in the federal government and critical infrastructure; and understanding threats to critical OSS dependencies.
  3. Reduce Risks to the Federal Government – This involves securing the federal government’s usage of OSS and establishing processes to manage federal OSS usage and contribution to the ecosystem. Objectives include evaluating solutions to aid in secure OSS usage; developing OSS program office guidance for federal agencies; and driving prioritization of federal actions in OSS security.
  4. Harden the Open Source Software Ecosystem – This involves focusing on OSS components identified in Goal 2 as being particularly critical for the federal government and critical infrastructure. Objectives include advancing software bill of materials (SBOM) within OSS supply chains; fostering security education for OSS developers; publishing guidance on OSS security usage best practices; and fostering OSS vulnerability disclosure and response.

Contractor Implications and Opportunities

The new OSS roadmap aligns with strategic objectives within the White House’s National Cybersecurity Strategy (NCS), including federal efforts to reduce the technical vulnerabilities of the Internet and wider digital ecosystem, and to promote secure software development practices (including holding software producers responsible for the security of their products). A June 2023 memo from the Office of Management and Budget (OMB) directed agencies to demonstrate how their FY 2025 budget submissions will support key elements of the NCS, including ensuring that software producers attest to conformity with federal secure software development practices.

Industry partners within the OSS community will likely find collaboration and support opportunities at various points along the roadmap implementation path. For example, CISA and other federal agencies may look for outside support to establish and organize their internal OSS security work, to identify where an agency is using OSS to support critical functions and critical infrastructure, or to implement OSS management and security processes.

Solutions providers with OSS expertise may find opportunities to offer security guidance, best practices, and OSS secure development education and training for federal OSS developers. Vulnerability disclosure and response solutions providers would do well to ensure that their tools accommodate OSS libraries and the nuances that come with this type of software, such as projects maintained by volunteers rather than a vendor with a dedicated security contact, and fixes that must propagate through many downstream dependents before they take effect.

OSS developers and suppliers should stay attuned to the ongoing developments surrounding federal software bill of materials (SBOM) requirements as one of CISA’s objectives is to advance SBOMs within OSS supply chains.