The Cybersecurity and Infrastructure Security Agency (CISA) has announced three initial key actions to help secure the open source ecosystem upon the conclusion of its two-day Open Source Software (OSS) Security Summit this week.
During the summit, OSS community leaders – including open source foundations, package repositories, civil society, industry and Federal agencies – explored approaches to help strengthen the security of the open source infrastructure, and held a tabletop exercise on open source vulnerability response.
As part of this collaborative effort, CISA announced several initial key actions that it will take to help secure the open source ecosystem:
- CISA is working closely with package repositories to foster adoption of the Principles for Package Repository Security. Developed by CISA and the Open Source Security Foundation’s Securing Software Repositories Working Group, this framework was published recently and outlines voluntary security maturity levels for package repositories.
- CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
- Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open source community to improve their vulnerability and incident response capabilities.
“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”
Additionally, five of the most widely used package repositories announced steps they are taking in line with the Principles for Package Repository Security framework, including introducing vulnerability database scanning and measures to prevent attackers from taking over packages without authorization.
The Federal government has coordinated its efforts around OSS security through the White House’s Office of the National Cyber Director (ONCD). Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a request for information on OSS security and memory safe languages, which received more than 100 substantive responses.
“Open source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” said Anjana Rajan, assistant national cyber director for technology security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values.”
Additionally in 2023, CISA released its Open Source Software Security Roadmap to help secure the Federal government’s use of OSS and support the global open source ecosystem.
The actions announced today from the summit represent key steps in fulfillment of the roadmap’s goals, including partnering with OSS communities and encouraging collective action from centralized OSS entities.
