The Cybersecurity and Infrastructure Security Agency (CISA) published the Open Source Software Security Roadmap today that articulates how the agency will enable the secure usage of open source software within the federal government and support a healthy, secure, and sustainable global open source software ecosystem.
The roadmap lays out four goals with supporting objectives to be implemented in Fiscal Years 2024-2026:
- Goal 1: Establish CISA’s Role in Supporting the Security of Open Source Software
- Goal 2: Drive Visibility into Open Source Software Usage and Risks
- Goal 3: Reduce Risks to the Federal Government
- Goal 4: Harden the Open Source Software Ecosystem
“Open source software has fostered tremendous innovation and economic gain, including serving as the foundation for technologies used across our federal government and every critical sector,” said Eric Goldstein, Executive Assistant Director for Cybersecurity. “In part due to this prevalence, we know that vulnerable or malicious open source software can introduce systemic risks to our economy and essential functions. CISA is proud to serve as a partner to the open source community as we collectively take urgent steps to support open source security and ensure that all partners in this critical ecosystem invest in a secure, resilient, and innovative open source future.”
Open source software allows anyone to access, modify, and distribute source code, which can lead to greater collaboration and higher-quality code. By making code more readily available for reuse, open source software can help spur and fast-track innovation. At the same time, open source software can be a target for supply chain attacks, and latent vulnerabilities in it, much like in proprietary software, can have significant consequences. One study found that open source software was present in 96% of studied codebases across various sectors.
CISA announced this roadmap at the Secure Open Source Summit hosted by the Open Source Security Foundation. The agency has engaged heavily with the open source software community, including via CISA’s community-driven work on software bill of materials. In August, CISA, the White House Office of the National Cyber Director, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget released a Request for Information on open source software security.
CISA encourages members of the open source community to read CISA’s open source roadmap and get involved by submitting a response to the Request for Information on open source software security.
Access and read CISA’s new roadmap on securing Open Source Software: cisa.gov/opensource