In response to increasing cybersecurity threats, the U.S. government (and other governments around the world, including the EU) has begun unveiling initiatives and putting in place new regulations and guidelines to improve cybersecurity. Here at Tidelift, we’ve been studying these new efforts for the potential impact they might have on open source maintainers, and we’ve been reading all of the related docs so you don’t have to. 🙂
In May 2021, The White House issued Executive Order 14028 on improving the nation’s cybersecurity which, among other things, asked the National Institute of Standards and Technology (NIST) to publish specific guidance regarding secure software development standards. The resulting documentation can be found in the NIST Secure Software Development Framework and NIST Software Supply Chain Security Guidance documents.
In late 2022, the White House Office of Management and Budget (OMB) published memorandum M-22-18, which set clear roles, responsibilities, and deadlines for both U.S. government agencies and government suppliers. One key headline out of this memo was that organizations selling software to the U.S. government will need to self-attest that they comply with all the proposed NIST guidelines by as soon as June 2023.
But what does this all mean for maintainers?
If you maintain a project shared via a package manager, chances are good that your project is being used by large companies who sell software to the U.S. government. Over the coming months, these companies will need to attest that the security practices of all of the software components in their applications—including open source—follow the NIST guidelines. This means they will quickly become very interested in understanding whether the open source packages they use in their applications follow the same guidelines.
However, the so-called open source software supply chain is not a traditional supply chain, because open source maintainers often have no business relationship with the organizations using their software, which is almost always provided under an "as-is" license and without warranty.
We’ve started referring to the open source software supply chain as an accidental supply chain for this very reason (in fact, we made “the accidental supply chain” the theme of our next Upstream event on June 7, sign up now!).
One way or another, there will be new expectations placed on open source ‘suppliers’ to meet secure software development standards, and only you can decide how you will respond to these requests when it comes to your project. Knowing the terms of the license you’ve selected for your project and keeping informed on these cybersecurity guidelines as they continue to evolve will put you in a good position to react to requests that may come in as a result of the new NIST security standards.
How can open source maintainers learn more?
Tidelift partners directly with maintainers to ensure their projects meet critical government and industry standards, and we pay maintainers for this important work rather than expecting them to simply do it for free. To learn more about the government guidelines outlined above and to figure out how you can be prepared for incoming requests, you can watch our recent overview webinar with Tidelift CEO Donald Fischer or visit our government open source cybersecurity resource center.
To see if your open source project is already eligible for monthly recurring income from Tidelift, visit our website and enter your project name in the search bar at the top of the page.