This week, the White House unveiled its implementation plan for the strategies outlined in the National Cybersecurity Strategy that was originally released in March 2023. Many organizations have been anticipating the release of this plan in order to understand in more detail how the U.S. government intends to implement the cybersecurity strategy, the speed at which it plans to put its recommendations into action, and what, specifically, will be required of them.
For organizations building applications with open source—and especially those selling software to the U.S. government or tracking emerging cybersecurity liability policy changes—there are a few key elements of the implementation plan that are most pertinent, and we’ve highlighted them for you in this advisory.
One of the most important elements of the plan for organizations using open source is that it instructs the Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA) to establish a new initiative, dubbed OS3I (Open Source Software Security Initiative), to improve the baseline security level of open source software.
From the plan:
“The Office of the National Cyber Director will establish an Open-Source Software Security Initiative (OS3I) to champion the adoption of memory safe programming languages and open-source software security. As part of this initiative, CISA will work with the OS3I and the open-source software community to enable the secure usage of open-source software in the Federal Government and critical infrastructure, and to raise the security baseline of the open-source software ecosystem. CISA will also develop close partnerships with open-source software community members and integrate into various community efforts.”
Organizations using open source—and especially those selling software to the government—should watch carefully for more details regarding how OS3I and CISA plan to do this. The initial deadline set in the plan is Q1 2024, so we won’t have to wait long to learn more.
The U.S. federal government is the largest consumer of software in the world. And government officials have made no secret of their intent to use the purchasing power of the government to induce organizations to improve their cybersecurity practices.
In Section 3.5, entitled “Leverage Federal Procurement to Improve Accountability,” the implementation plan tasks the Office of Management and Budget and the Federal Acquisition Regulatory Council with making changes to the FAR (Federal Acquisition Regulation) to add mandatory requirements to government contracts, specifically mentioning cybersecurity incident reporting and secure software requirements.
By standardizing these requirements across all government agencies, the government will ensure that any organization selling software to the government must meet these minimum criteria in order to make it through the purchasing or renewal process.
The power of the purse is not the only method the government intends to employ in order to improve cybersecurity outcomes. Organizations selling software to the government should also closely read the next item under Section 3.5, entitled “Leverage the False Claims Act to improve vendor cybersecurity” to understand how the government intends to hold organizations liable for cybersecurity failures.
And in this case, it is worth going back to the original wording of the National Cybersecurity Strategy to understand the original intent when it comes to organizations that knowingly make false claims about their cybersecurity practices (emphasis ours).
“The Civil Cyber-Fraud Initiative (CCFI) uses DOJ authorities under the False Claims Act to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations. The CCFI will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.”
The plan provides more detail and tasks the Department of Justice with building out an enforcement effort to investigate false claims around cybersecurity, and specifically calls out recovering damages from irresponsible vendors. Again, emphasis ours:
“The Department of Justice will expand efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants with the aim of building resilience, increasing vulnerability disclosures, reducing the competitive disadvantage for responsible vendors, and recovering damages for affected Federal programs and agencies.”
If your organization sells software to the U.S. government, the plan outlined in Section 3.5 should provide added incentive to prioritize investments in improving your cybersecurity practices now. On one hand, those organizations that invest now will have an easier time navigating the federal procurement process and complying with new mandatory cybersecurity requirements that could stop a deal from going through. On the other hand, they will also reduce the organizational risk and potential financial penalties associated with making security claims later proven false.
By now, many of those who’ve been following these developments closely have seen that the requirement for software vendors to provide up-to-date software bills of materials (SBOMs) is a central part of the government’s strategy for improving cybersecurity outcomes.
The new plan tasks CISA with the responsibility to work across government to reduce gaps in SBOM implementation and increase coordination. From the plan:
“In order to collect data on the usage of unsupported software in critical infrastructure, the Cybersecurity and Infrastructure Agency will work with key stakeholders, including SRMAs [Sector Risk Management Agencies], to identify and reduce gaps in SBOM scale and implementation. CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support and convene an international staff level working group on SBOM.”
Finally, the White House provided more details about how it intends to invest in working with the open source community to improve the way secure by design and secure by default principles are implemented.
From the plan (emphasis ours):
“The Cybersecurity and Infrastructure Agency (CISA) will lead public-private partnerships with technology manufacturers, educators, non-profit organizations, academia, the open-source software community, and others to drive the development and adoption of software and hardware that is secure by design and secure by default… CISA will identify barriers to adoption for such principles and best practices, and will work to drive collective action to adopt these principles across the private sector.”
Active engagement with the open source community, and acknowledgement of the essential role of independent open source software creators, have been a hallmark of recent U.S. cybersecurity policy initiatives. It’s encouraging to see this trend sustained and bolstered by this additional commitment to public-private partnership that explicitly includes the open source community.
It’s now been just over two years since the White House released executive order 14028 on improving the nation’s cybersecurity, and in the time since we’ve seen a steady drumbeat of action from the government with more details on how these improvements will happen.
In the NIST Secure Software Development Framework (SSDF), NIST has provided a blueprint for the secure software development practices that organizations selling software to the government will be expected to follow. The Office of Management and Budget has set deadlines for compliance, most recently reiterated in OMB Memorandum M-23-16 a few weeks ago.
Now, with the release of a firm plan tasking accountable government agencies and setting deadlines for each of the elements outlined in the original National Cybersecurity Strategy, the entire plan for who needs to do what by when is coming into focus.
For organizations building applications using open source software in products they sell to the government, the “when” is now.
The hard reality is that it will take time to complete the work to ensure secure development practices are in place across your organization, but especially when it comes to the open source components in use in your applications. And with Tidelift’s recent survey of open source maintainers demonstrating that the vast majority of maintainers are independent volunteers, it is unrealistic to expect them to validate that they are following these new government practices without being compensated for the work.
Organizations using open source in the applications they sell to the government will have a responsibility to ensure all of the components in their applications are using secure development practices, so how do we ensure the work gets done?
Simple: directly partner with and pay maintainers to complete the required work and then keep their attestations regarding their secure software development practices up to date over time.
Tidelift provides a way for organizations to pay maintainers at scale to ensure they put in place the secure development practices outlined in the NIST SSDF and specifically referenced in the National Cybersecurity Strategy Implementation Plan. Tidelift is also partnering with independent maintainers to co-create a set of attestations for upstream open source package secure development practices, keeping these attestations up to date over time.
If you want to learn more about how Tidelift can help your organization comply with secure software development attestation requirements for the open source components you are using in your applications: