Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director (ONCD), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) are announcing a request for information (RFI) to receive your input on which areas the government should prioritize to secure open source software. This represents a continuation of the National Cybersecurity Strategy’s focus on open source software security and CISA’s related Secure by Design work. If you are a member of the open source software community or work to secure open source software, we want to hear from you.
Open source software is the foundation for much of the technology that serves as a backbone of our world. CISA, ONCD, and our federal partners are on a mission to ensure that open source software is as safe, secure, and sustainable as it is open. Open source refers to software that is made freely available for anyone to access, modify, utilize and redistribute. Providing the foundation for 96% of the world’s software, open source software is a public good enabling a software ecosystem that includes the open source community, federal government, critical infrastructure, private industry and civil society to innovate, collaborate and develop at speed.
We can only fully realize the benefits of open source software when everyone – including the federal government – plays their part in supporting the ecosystem. The federal government is one of the largest users of open source software in the world, and we must do our part to help secure it. This requires wide-scale efforts to help uplift the level of security in the open source ecosystem.
Such instances of once-in-a-generation government investment are not unprecedented. In 1956, President Eisenhower signed the Federal Aid Highway Act of 1956 into law, authorizing $25 billion to build 41,000 miles of highways over a decade. In the decades following the legislation, the investment yielded profound dividends for the United States: one report found that every $1 spent returned more than $6 in economic productivity. Further, the highway system has led to dramatic safety improvements, with the fatality rate of the highway system significantly lower than that of the average road, and nearly one-tenth of the national fatality rate in 1956.
While the scale of investment in the highway system may be different from what’s needed for our digital infrastructure, the first step is understanding what kinds of investment need to be made. What might a potential digital public works program for open source software infrastructure look like? Perhaps it would include rewriting critical open source components in memory-safe languages, ensuring that security is a core part of all software development education, or helping build sustainable governance models in open source communities. We want to hear from you about which areas should be prioritized for fostering greater open source software security.
Securing open source software is critical for achieving a software ecosystem that exemplifies Secure by Design principles. We envision an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden. As part of this, software manufacturers that consume open source software should contribute back to the security of the open source software they depend upon.
CISA and ONCD will continue our work to secure the open-source software ecosystem. ONCD has established the Open Source Software Security Initiative (OS3I) interagency working group to convene key agencies involved in open source security. In the coming months, CISA will publish our open source security strategy, outlining how, in line with the National Cybersecurity Strategy, CISA is working to both secure the federal government’s usage of open source software and foster greater ecosystem security.
We look forward to receiving your input to help shape the government’s efforts in open source software security and resilience. The RFI can be found here, and responses are due by 5:00 p.m. EDT on October 9th, 2023.