Government agencies join forces under the ONCD RFI to enhance open source software security and sustainability. As we bridge security and ingenuity, open source thrives – a testament to united progress.
The Office of the National Cyber Director (ONCD) has announced a call for public input on a strategy to fortify open source software (OSS) security. Teaming up with key players in the cybersecurity and technology fields, the ONCD’s request for information (RFI) seeks to harness collective expertise in order to bolster the resilience and safety of open source software systems.
Scheduled to close on October 9, the RFI, a collaborative effort involving the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB), marks a significant step toward addressing the mounting security concerns surrounding open source software.
The impetus behind the RFI derives from the commitment outlined in the National Cybersecurity Strategy. This strategy, a White House initiative, emphasises the need “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
Highlighting the broader implications of securing open source software, the RFI underscores its pivotal role in national security, economics, and technological innovation. Because open source software is deeply embedded across federal agencies and critical infrastructure, vulnerabilities in these components can have widespread and potentially damaging effects.
With a clear awareness of the benefits and vulnerabilities of open source software, the RFI envisions a concerted effort to elevate open source software to a national public priority.
This initiative was catalysed by the aftermath of the Log4Shell vulnerability, a critical event that led to the establishment of the Open-Source Software Security Initiative (OS3I) interagency working group in collaboration with the Office of the Federal Chief Information Officer and OMB. OS3I expanded its reach by partnering with institutions such as CISA, NSF, and DARPA, a collaboration that identified priorities and coordinated policy solutions for open source software security.
The ONCD’s latest RFI serves as an avenue to intensify this ongoing work. The core focus areas identified by OS3I include reducing the use of memory-unsafe programming languages, establishing implementation requirements for secure security attestations, and pinpointing new areas for prioritisation. Through the current RFI, ONCD, CISA, NSF, DARPA, and OMB aim to identify areas that deserve government attention, and to address critical questions such as how to mitigate systemic risks, how to ensure the sustainability of open source communities, and which technical and resource-based solutions best serve OSS security.