The Open Source Software Security Initiative (OS3I) recently released a report, Securing the Open Source Software Ecosystem, which details current member priorities and recommended cybersecurity solutions. The accompanying fact sheet summarizes the most important parts of the report. OS3I brings together federal departments and agencies to develop policy solutions that secure and defend open source ecosystems. The initiative is part of the overall National Cybersecurity Strategy.
After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security of open source software. Prior to that incident, neither the administration nor the government as a whole had placed significant focus on open source security. Delays surrounding the establishment of the Cybersecurity Review Board have also raised concerns.
The National Cybersecurity Strategy, released in March 2023, outlined the federal government’s commitment to open source and created OS3I. Over the past year, President Biden’s National Cybersecurity Strategy and the Office of the National Cyber Director have focused on improving the security of open source software, along with data security and privacy.
In August 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the White House Office of the National Cyber Director (ONCD) issued a request for information (RFI) on OS3I. They received over 100 responses from the open source software community, including non-profit open source software organizations, individuals, industry, academia, and research organizations. Most of the responses focused on security.
After reviewing the responses, the facilitators fed that input into OS3I's work. According to the report, these are the four key areas of focus.
1. Consolidating the federal government’s voice on open source software security.
Open source affects everyone involved with technology in even the smallest way, which includes nearly all individuals, companies and organizations. One of the main goals of OS3I is to create alignment and partnerships across sectors to improve open source security. By inviting members from agencies, industry and academia, and by soliciting broad feedback, OS3I has developed through the same collaborative approach that it hopes will continue to grow.
2. Establishing a strategic approach for the safe use of open source software by the federal government and for efforts to secure the broader ecosystem.
Because all 16 critical infrastructure sectors build on open source software, vulnerabilities in it can cause widespread problems ranging from public safety to economic security. OS3I uses CISA's Open Source Software Security Roadmap, with its four goals, as a guide for risk management. The roadmap's goals are:
- Establishing CISA’s role by building relationships with open source software communities
- Understanding the prevalence of open source software
- Reducing risk to the federal government
- Strengthening the open source software ecosystem.
3. Advancing President Biden’s Invest in America agenda by encouraging long-term, sustainable security investments in the open source software ecosystem.
Improving the security of open source software requires resources, time and money. Through OS3I, the federal government is pledging its commitment to invest resources in open source software security efforts.
4. Engaging and building trust in the open source software community.
OS3I will also focus on engaging the open source software community, which is critical to creating the collaborative partnerships needed to improve security. OS3I plans to do this by:
- Encouraging the proliferation of memory-safe programming languages
- Promoting sustainable development and use of open source software
- Strengthening the security of package managers and other centralized infrastructure
- Identifying new focus areas for prioritization
What’s next for OS3I
Following the publication of the report, OS3I will continue its work in collaboration with the open source software community to build the ecosystem needed to reduce cybersecurity risks. One of the key ways the initiative will work toward that goal is by evaluating the RFI input and continually prioritizing open source cybersecurity. By continuing to collaborate with the federal government, the open source software community, civil society, and private stakeholders, OS3I will keep pursuing its goal of reducing cybersecurity risks.