Today, the U.S. Office of the National Cyber Director (ONCD) released a request for information (RFI) entitled Open-Source Software Security: Areas of Long-Term Focus and Prioritization. That may sound dull, but I think it’s very exciting—because it signals that the U.S. government is getting serious about investing in the health and security of the open source software ecosystem.
The document is a clear call to open source experts and industry leaders: we need to bring out our best ideas for how the government can make the entire open source ecosystem more healthy and secure. Given its considerable weight and investing power, this is an important opportunity. From the document, emphasis ours:
“The security and resiliency of open-source software is a national security, economic, and a technology innovation imperative. Because open-source software plays a vital and ubiquitous role across the Federal Government and critical infrastructure, vulnerabilities in open-source software components may cause widespread downstream detrimental effects. The Federal Government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration. In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.”
So the government understands the benefits of open—and is asking us, collectively, now what?
This inquiry is an early project of the new OS3I interagency working group that was officially established as part of the National Cybersecurity Strategy issued in March of this year. OS3I is a collaborative effort between a wide range of federal agencies, including the ONCD, the Office of Management and Budget (OMB) Office of the Federal Chief Information Officer, the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), the Centers for Medicare & Medicaid Services (CMS), and Lawrence Livermore National Laboratory (LLNL). These agencies are working together through OS3I to jointly identify open source software security priorities and implement policy solutions.
The RFI lists specific areas and a set of questions to be answered about each area. Those include “which … areas … should be prioritized for any potential action” and “what technical, policy, or economic challenges must the Government consider?”
Friends of open source will want to skim the whole list of areas, because several are interesting and worth submitting comments on. But those of us at Tidelift, who have long focused on making open source more healthy and secure by working directly with open source maintainers, found one area particularly interesting:
- “Behavioral and Economic Incentives to Secure the Open-Source Software Ecosystem” including the sub-area of “Frameworks and models for software developer compensation that incentivize secure software development practices.”
When we started Tidelift, over 6 years ago now, we set our company mission early on as making open source work better for everyone—both those who create open source and those who consume it. We’ve paid millions of dollars directly to open source maintainers to implement secure software development practices, which makes open source work better for maintainers (support their important work and pay them for it so they can thrive!) AND for organizations using open source (they gain the confidence that the open source they rely on uses secure development and healthy maintenance practices!). The RFI questions around incentives get to the heart of that work.
For today, we just want to celebrate this event. By starting to ask these sorts of questions and beginning important conversations, the U.S. government can have a HUGE impact on making open source work better for everyone—not just in the U.S. but everywhere. We’ll be sharing our thoughts with agency stakeholders via a response to the RFI, and we hope we can also share some of what we’ve learned from our maintainer partners over the last few years.
After a very short party (🥳) we’ll get to work, highlighting both what we know about the challenges—from things like boss factor and accidental supply chains—and the successes—including the first real data on the impact of paying maintainers to improve security standards compliance. We hope this helps the government move forward with initiatives that are data-driven and impactful.
An exciting day for open source, and an exciting day for open source maintainers as well!