Washington D.C.
Wednesday, May 1, 2024

Agencies Seek Input to Help Secure Open Source Software

CISA envisions an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden.

The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director (ONCD), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) are announcing a request for information (RFI) to receive input on which areas the government should prioritize to secure open source software. This represents a continuation of the National Cybersecurity Strategy’s focus on open source software security and CISA’s related Secure by Design work. Members of the open source software community and those who work to secure open source software are urged to respond.

Open source software is the foundation for much of the technology that serves as a backbone of the world. CISA, ONCD, and their federal partners are on a mission to ensure that open source software is as safe, secure, and sustainable as it is open. Open source refers to software that is made freely available for anyone to access, modify, utilize and redistribute. Providing the foundation for 96% of the world’s software, open source software is a public good enabling a software ecosystem that includes the open source community, federal government, critical infrastructure, private industry and civil society to innovate, collaborate and develop at speed. 

The benefits of open source software can only be fully realized when everyone, including the federal government, plays their part in supporting the ecosystem. The federal government is one of the largest users of open source software in the world and must do its part to help secure it. This requires wide-scale efforts to help raise the level of security across the open source ecosystem.

Such instances of once-in-a-generation government investment are not unprecedented. In 1956, President Eisenhower signed the Federal Aid Highway Act of 1956 into law, authorizing $25 billion to build 41,000 miles of highways over a decade. In the decades following the legislation, the investment yielded profound dividends for the United States: one report found that every $1 spent returned more than $6 in economic productivity. Further, the highway system has led to dramatic safety improvements, with the fatality rate of the highway system significantly lower than that of the average road, and nearly one-tenth of the national fatality rate in 1956. 

While the scale of investment in the highway system may be different from what’s needed for digital infrastructure, the first step is understanding what kinds of investment need to be made. What might a potential digital public works program for open source software infrastructure look like? Perhaps it would include rewriting critical open source components in memory-safe languages, ensuring that security is a core part of all software development education, or helping build sustainable governance models in open source communities. CISA and its partners are keen to hear thoughts on what areas should be prioritized for fostering greater open source software security.

Securing open source software is critical for achieving a software ecosystem that exemplifies Secure by Design principles. CISA envisions an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden. As part of this, software manufacturers that consume open source software should contribute back to the security of the open source software they depend upon. 

CISA and ONCD will continue their work to secure the open source software ecosystem. ONCD has established the Open Source Software Security Initiative (OS3I) interagency working group to convene key agencies involved in open source security. In the coming months, CISA will publish its open source security strategy, outlining how, in line with the National Cybersecurity Strategy, CISA is working both to secure the federal government’s usage of open source software and to foster greater ecosystem security.

Responses to the RFI are due by 5:00 p.m. EDT on October 9th, 2023.

Read more at CISA

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.