Our friends at the Open-Source Software Security Initiative (OS3I), a federal interagency and stakeholder working group, recently released their end-of-year report. We wanted to share a few highlights, because it helps provide great insight into where the US Federal Government has been on open source—and is going to be in the upcoming year.
While it isn’t long, and so is all worth reading, I wanted to note a few particularly key highlights from the report:
- OS3I focused on “unifying” the federal government’s voice on open source software security. That won’t be easy (the federal government is vast), and won’t happen in just one year, but simply starting on that implies that we’ll be seeing a much more focused set of government efforts in the future.
- The government is getting serious about funding open source security. In particular, the report singles out a call for proposals from the National Science Foundation. That may not sound like much, but it is an important first step from an organization with a ten billion dollar annual budget to spend. We should expect to see more of this sort of thing in 2024, hopefully including the first big impacts.
- OS3I’s member agencies are becoming more systematic about gathering ecosystem feedback. The tool of choice for that is often going to be “requests for information”, with the report calling out the RFI on FOSS Security in which we participated in the fall, and promising more in 2024.
At Tidelift, we’re excited to see this progress from OS3I. We believe the US (and hopefully EU!) governments should be significant partners in supporting open source—including by paying the maintainers—and look forward to partnering with OS3I’s members towards that goal.