The Cybersecurity and Infrastructure Security Agency (CISA) just released the Open Source Software Security Roadmap, the latest step in the U.S. government’s effort to improve the nation’s cybersecurity and perhaps the clearest stance given by the U.S. government on the crucial role of open source software in the nation’s cybersecurity and the importance of working with and supporting open source maintainers.
The Open Source Security Roadmap aligns with the White House’s National Cybersecurity Strategy commitment to “a more resilient, equitable, and defensible cyberspace,” and comprises four key goals:
This is fantastic news for the open source community, open source software supply chain security, and cybersecurity as a whole. While there are many questions left to answer, this roadmap effectively moves the dialogue forward, and we wanted to share some of our immediate reactions here.
The roadmap clearly articulates that securing the open source software supply chain relies on us, as consumers, to support open source software maintainers and take action to manage open source in ways that encourage efficient and robust security and maintenance practices.
From the roadmap, emphasis ours:
“We envision a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community. In this world, OSS developers are empowered to make their software as secure as possible. Further, the incredible growth fostered by OSS is coupled with action from those who capitalize on OSS to be good stewards of the projects they depend on. In this world, OSS consumers responsibly use it, contributing back to the extent they can to the community and code they depend on. Similarly, consumers and integrators of these OSS projects are given the tools to ensure the packages they use are secure and well curated.”
We’re excited, because this vision CISA presents is clearly aligned with Tidelift’s mission: to make open source work better for both creators and the organizations that rely on their work.
We believe Tidelift’s capabilities have an important role to play in accomplishing this vision. Tidelift provides organizations and government agencies with an easy and efficient approach to getting visibility into their open source usage and ensuring the packages they use are secure and well curated, with accurate, human-validated data and insights delivered in partnership with paid open source maintainers.
With our maintainer partners, we have built a unique data set that is already helping organizations answer several of the questions posed in the roadmap. We also have new data showing the impact of paying maintainers to improve open source security.
Establish CISA’s role in supporting the security of OSS
CISA recognizes the open source community for the efforts it has already made to improve the security and maintenance of open source projects (the OpenSSF Scorecards, to take a widely used example). At the same time, it stresses the importance of establishing real-time collaboration with OSS community members and participating as a community member (Objective 1.1), and of working internally to improve OSS security expertise through the CISA Open Source Software Security Working Group (Objective 1.4).
Furthermore, CISA recognizes that OSS is a public good that provides benefits around the world and requires international partnership and collaboration to drive proactive cybersecurity efforts across the OSS community (Objective 1.3).
Drive visibility into OSS usage and risks
CISA aims to develop a means to assess the prevalence of OSS in federal government and critical infrastructure (Objective 2.1), and once identified, CISA intends to create a framework to analyze the OSS components and conduct a risk prioritization based on what is found (Objective 2.2). The roadmap specifically calls out actions such as:
“CISA will develop a framework to conduct a risk prioritization of OSS components discovered in Objective 2.1. The framework will recommend importance criteria and prioritization factors, such as an OSS component’s level of usage, level of maintenance, build process security, and code security properties—like memory safety and. The framework will leverage existing work where possible and will be released to the public.”
Source: CISA Open Source Software Security Roadmap, Objective 2.2
That CISA is outlining a process to drive visibility and action on open source software components is huge. Identifying the components in use is a vital first step, but even more important is knowing what to do with that information. Knowing whether an open source package is actively maintained, whether its maintainers protect it with procedures such as two-factor authentication (2FA), and similar facts provides the context that federal and commercial organizations need to streamline their internal security processes.
Reduce risks to the federal government
CISA will evaluate the feasibility of offering services to help federal agencies manage the OSS in use at their organizations, including tools “that integrate into the CI/CD process to assess OSS risks (e.g., flagging vulnerable/outdated dependencies)” (Objective 3.1), and will create best practice guidance for federal agencies that want to implement an Open Source Program Office.
Harden the OSS ecosystem
Alongside identifying OSS usage in the federal government and critical infrastructure, CISA will also focus on increasing the security of the broader OSS ecosystem through:
To improve the security and resilience of the open source software supply chain, we need a large-scale effort to support open source maintainers. As we’ve articulated many times, most recently in my colleague Luis Villa’s Upstream keynote this year, simply requesting that new guidelines be followed without providing an incentive is asking for additional unpaid work from maintainers who are, more often than not, volunteers.
We’re thrilled to see some promising signal regarding direct support for the work of open source maintainers in the roadmap (particularly in Objective 2.2, first bullet point), and we hope this definition of support includes maintainers getting paid.
At Tidelift, we provide a way for organizations to pay maintainers at scale to ensure they put in place the secure software development practices required by the U.S. government, such as those defined in the NIST Secure Software Development Framework (SSDF). Tidelift is also partnering with independent maintainers to co-create a set of attestations for upstream open source package secure development practices, and to keep these attestations up to date over time.
If you want to learn more about how Tidelift can help your organization attest to the secure software development practices of the open source components used to create software you are selling to the U.S. government, as required by recent government actions like M-22-18, visit our government open source cybersecurity resource center or: