Last week, Tidelift co-founder and CEO Donald Fischer hosted a webinar briefing on the new U.S. cybersecurity strategy and what it means for organizations building applications with open source software. Below are some of the highlights; to see the whole webinar, watch it on-demand here.
What is the National Cybersecurity Strategy?
The National Cybersecurity Strategy is part of a coordinated effort by the U.S. government to improve cybersecurity for the government, industry, and citizens, and it sets the nation's cybersecurity direction for the coming years. While the changes it addresses will not happen overnight, organizations building with open source should educate themselves on the directives now and proactively prepare for their implementation. (To learn more about other related government cybersecurity actions, visit our new government open source cybersecurity resource center.)
How does it impact open source?
After breaking down the timeline of U.S. government actions leading up to the National Cybersecurity Strategy, Donald detailed the four key areas of the strategy that organizations building with open source should watch carefully:
- An increase in government regulation and mandatory requirements
- Cybersecurity liability shifts from consumers to commercial producers of software
- A safe harbor for organizations employing best practices
- Proactive U.S. federal government involvement in open source communities
Questions organizations should be asking themselves to prepare
Donald proposed a series of questions organizations should be asking themselves to prepare for the impacts of the strategy on the open source that they are using in their applications:
- What are our policies for securing software development processes throughout the SDLC, and how can we ensure external open source maintainers implement the same level of security for the packages we rely on?
- How will we communicate the secure software development requirements to the open source maintainers who maintain the components that make up business-critical software for our organization?
- How will we continuously verify and demonstrate that commercially acquired, open source, and all other third-party software components comply with the requirements throughout their life cycles?
How Tidelift can help
Tidelift partners directly with maintainers to ensure their projects meet critical government and industry standards, and we pay maintainers for this important work. This partnership improves the security of some of the world’s most depended-upon open source packages and helps organizations better prepare to meet the criteria proposed in government initiatives such as the National Cybersecurity Strategy.
To hear Donald’s take on the four key areas of the National Cybersecurity Strategy for open source and to see if any questions you may have were answered in the Q&A, you can tune into the on-demand webinar now. And to learn more about U.S. government guidelines and to figure out how your organization can be prepared for upcoming deadlines, you can visit our government open source cybersecurity resource center.