CISA Aims For More Robust Open Source Software Security for Government and Critical Infrastructure

The agency’s roadmap outlines a plan for prioritizing where open source software makes infrastructure potentially vulnerable.

The US Cybersecurity and Infrastructure Security Agency released four priorities for securing open source software ecosystems on Tuesday, September 12. Specifically, the roadmap will be used to develop a framework to prioritize risk. This framework will then guide the federal government and critical infrastructure organizations in choosing which open source security projects to launch first.

Jump to:

What is the CISA’s roadmap?

The CISA’s roadmap sets up steps toward the following:

1. Establish CISA’s role in supporting the security of open source software.
2. Understand the prevalence of key open source dependencies.
3. Reduce risks to the federal government.
4. Harden the broader open source software ecosystem.

The full roadmap can be found in a PDF linked in CISA’s blog post. The roadmap will result in a process by which CISA can continually monitor open source software security risks. CISA also plans to create a guide to best practices in open source security for government entities and critical infrastructure organizations, according to the roadmap.

“We envision a world in which every critical OSS (open source software) project is not only secure but sustainable and resilient, supported by a healthy, diverse and vibrant community. In this world, OSS developers are empowered to make their software as secure as possible,” CISA wrote.

Why did CISA write a new roadmap?

The new roadmap is part of the federal National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan. The roadmap is significant because it provides next steps for how CISA might work with companies and nonprofit groups using and developing open source software.

SEE: Explore our picks for the 8 best open source project management software in 2023. (TechRepublic) 

CISA notes that open source software can lead to great innovation; however, CISA said, vulnerabilities like the widespread Log4shell vulnerability in 2021 mean open source software can introduce insidious flaws in widely-used code. In addition, supply chain attacks can make open source software vulnerable.

Connection to the Securing Open Source Software Act of 2023

CISA’s roadmap contains groundwork for possible application of the actions detailed in the Securing Open Source Software Act of 2023. This is a bill introduced in Congress in September 2022; it highlights the importance of the open source community to the tech industry and calls for CISA to work more directly with the open source community in matters of national security. The Securing Open Source Software Act was introduced to Congress in March 2023 and has not yet passed in the House of Representatives.

The alternative to a federal act is for organizations to vet their own transitive dependencies. Transitive dependencies are the links free or open source software has to other open source code. These could be locked down using a method such as a software bill of materials.

3 objectives of the Secure Open Source Software Summit 2023

The open source security roadmap is one of many documents currently circulating in the U.S. federal realm related to aligning the open source community with high-stakes security needs. Representatives from CISA attended the Secure Open Source Software Summit 2023 to discuss open source security standards with other government agencies and members of the industry on September 13. They addressed possible open source security concerns in critical infrastructure, public health and safety, economic stability or national security.

The meeting resulted in the creation of three objectives for the next year:

1. Providing security education to open source software maintainers, contributors and consumers.
2. Securing open source software repositories.
3. Enabling cross-industry open source software incident response capabilities.

The effects of open source vulnerabilities on corporate assets

“While government agencies have made progress in addressing open source security, it is evident that further action is needed to enhance the protection of critical infrastructure and corporate assets,” said Mike Walters, vice president of vulnerability and threat research and co-founder of patch management software company Action1, in an email to TechRepublic.

“The risks that organizations face from open source vulnerabilities are significant and can have devastating consequences,” Walters said. “By investing in comprehensive security measures, fostering collaboration and enforcing secure practices, we can build a resilient ecosystem that encourages innovation while protecting against potential threats.”