October is officially Cybersecurity Awareness Month in the United States, but September was a good month for it, too. The Open Source Security Foundation (OpenSSF) held a two-day Secure Open Source Software (SOSS) Summit in Washington, DC, where officials from US government agencies including the National Security Council (NSC), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) met with open source software nonprofit groups and industry leaders from Microsoft, Apple, Amazon, Google, JPMorgan Chase, and many other global corporations to discuss the challenges of keeping open source software (OSS) secure.
The silver lining of high-profile open source vulnerabilities like Log4Shell in Log4j has been increased attention from both the US government and the private sector. The SOSS Summit aimed to facilitate greater collaboration and communication between government and industry, and the US government continues to signal that software supply chain security is a top priority.
On day one of the summit, CISA announced its Open Source Software Security Roadmap. The roadmap lays out CISA's four goals for 2024-2026, along with the objectives it intends to pursue to meet each of them; a summary of each goal follows.
While these goals and objectives don't announce any plans for particular regulation, CISA has begun to describe open source software as a “public good”. Further, one of CISA's stated objectives is to work with ONCD's Open Source Software Security Initiative (OS3I), an interagency working group, to identify and promote policies that advance OSS security and to “drive prioritization of federal actions that promote security and resilience within the OSS ecosystem”.
The Biden Administration recognizes that OSS is “supporting every single critical infrastructure sector and every National Critical Function”. Let’s get into a brief summary of CISA’s goals for OSS.
CISA's first goal is to establish its own role in supporting the security of OSS, and attending the SOSS Summit was a good way to kick that off. The objectives under this goal include partnering with OSS communities, encouraging collective action from centralized OSS entities, expanding engagement with international partners, and establishing CISA's own OSS work.
Knowing you have a problem is usually the first step to addressing it. CISA's second goal is to drive visibility into OSS usage and risks. To meet it, CISA aims to understand how prevalent OSS is, develop a framework for prioritizing OSS risk and then apply it to repositories identified as in use by the federal government, and understand the threats to critical OSS dependencies.
CISA's third goal is to reduce risks to the federal government. Securing the federal government is obviously CISA's main concern, but it recognizes that what's good for Uncle Sam is good for everyone. To reach this goal it intends to help federal agencies start open source program offices, drive prioritization of federal actions in OSS security, and evaluate the feasibility and efficacy of providing federal agencies with security tools.
Everybody's talking about software bills of materials (SBOMs) these days, and for good reason: federal procurement guidance already calls for vendors to provide them, and corporations are demanding them, too. CISA's final goal is to harden the OSS ecosystem, and its plan for meeting it includes continuing to advance SBOMs within the OSS supply chain, fostering security education for open source developers, publishing best practice guides for the secure incorporation of OSS, and fostering vulnerability disclosure and response.
At first blush these goals and objectives for the next two years may sound like some slow-moving paper pushing, but the US government taking a keen interest in the OSS community is a big deal. The US government recognizes that open source software is ubiquitous and important for driving technological advancement. While nothing is on the desk waiting to be signed just yet, we do expect serious regulation will be coming at some point in the near future. CISA’s roadmap will likely mean more resources for OSS projects, many of which are side projects and not stewarded by well-funded entities, and it will definitely mean more (and hopefully better) SBOMs.