Amid growing software security concerns, the U.S. government has taken a series of steps to improve the security of the software it uses. The U.S. Department of Homeland Security has recently taken a number of measures for software security. This effort began with White House Executive Order 14028 on improving the nation’s cybersecurity and was followed by two Office of Management and Budget memos, M-22-18 and M-23-16, which set deadlines and requirements for security compliance. The White House then released a national cybersecurity strategy, followed by an implementation plan, many parts of which are already underway.
Each of those moves includes major points about how the government and its vendors can ensure the security of the open source software that makes up a significant percentage of the code used in government applications. But beyond those government-wide policy moves, two recent developments show that the government is investing in modern, proactive methods to ensure the security of open source software.
1. The U.S. government’s first open source program office
The Centers for Medicare & Medicaid Services (CMS) recently established the first U.S. government open source program office (OSPO), where the agency is implementing a developer-minded, private-sector-styled strategy to modernize its approach to open source software. The designation of the government’s first dedicated open source program office is an encouraging signal that the federal government recognizes the strategic value of open source and the innovation it can bring to government agencies.
As Andrea Fletcher, CMS’s director of digital strategy, explains: “We already have a lot of fantastic open source systems… [And our goal is] to sell those systems and how we bring our software and code to the healthcare industry… ecosystem… We’re going to expand on this over the next few years to see what it looks like for a company to have policies around incoming and outgoing code.”
2. Investing in open source software supply chain security
The Office of the National Cyber Director (ONCD) recently issued a request for information (RFI) on the security of open source software and memory-safe programming languages, seeking ideas from the public and private sectors on how government resources could be used to improve the security of open source software.
A particularly interesting section of the RFI asked for ideas on incentives to protect the open source ecosystem.
The biggest challenge in securing the open source software ecosystem is that it is unlike any other supply chain that is this critical to the global economy: the “vendors” are largely independent, unpaid developers (usually referred to as “maintainers”).
A recent study by Tidelift found that 60% of open source software maintainers describe themselves as unpaid hobbyists. This explains why the government is focused on incentives for maintainers: unpaid hobbyist maintainers lack the time and motivation to implement the secure development practices required by government and industry.
Therefore, it is significant to see that this RFI seeks to encourage greater security of open source software, potentially by paying maintainers to implement secure development practices such as those recommended in the NIST Secure Software Development Framework.
It’s clear that many parts of the U.S. government, at agencies like CISA, ONCD, CMS, NIST, and OMB, are applying modern thinking to managing the security risks of the open source software they depend on, so they can continue to take advantage of the massive innovation potential it offers.
Questions for readers:
- Are you making plans to centralize how you manage your open source policies and practices, as CMS has done?
- Are you following the new cybersecurity policies and criteria that affect open source, to ensure you follow the security practices recommended by NIST and don’t put your organization at risk?
- Are you proactively thinking, as ONCD is, about the volunteer maintainers you rely on for the open source code you use, and how you can make sure they have an incentive to keep maintaining it in the future?
Open source can be a strong, positive force for innovation when effectively managed, and a liability otherwise. These are the kinds of questions you should ask yourself to stay aligned with key government initiatives that will help pave the way for your organization’s open source success.