CISA’s new roadmap aims to fortify open source software security


The nation’s cyber defense agency wants to play a key role in hardening the broader open source software security ecosystem.

The Cybersecurity and Infrastructure Security Agency published a new roadmap Tuesday that it will use to help fortify a growing open source ecosystem while supporting security efforts and reducing risks to the federal government.

CISA's Open Source Software Security roadmap is part of a broader federal effort to secure open source software leveraged by critical infrastructure sectors and expand visibility into open source software usage across government agencies.

The roadmap sets out four key priorities: establishing CISA's role in providing security support to the open source software community, increasing visibility into the usage of open source software, reducing risks to the federal government and improving the overall cyber posture of the open source ecosystem.

The Office of the National Cyber Director issued a request for information in August seeking public input on ways the federal government can help secure the open source software community, a decentralized and fragmented ecosystem that has historically been difficult to regulate.

Camille Stewart Gloster, ONCD's deputy national cyber director for technology and ecosystem security, said in a blog post at the time that her agency and CISA "envision an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden."

CISA outlined plans to partner with open source software communities and establish "a real-time collaboration channel" with key members, including open source foundations, code hosting services and package managers, to provide critical input on open source security measures.

The agency also plans to expand engagement and collaboration with international partners, according to the roadmap, while developing a framework to help organizations conduct risk prioritizations for open source software components. CISA will then use that framework to conduct its own risk assessments of open source software dependencies across the federal government and in certain critical infrastructure sectors.

The roadmap says that CISA will develop open source program office guidance for federal agencies, including best practices and additional guidance for agencies and entities that plan to pilot or launch open source program offices.

The agency will continue fostering security education for open source developers, advancing software bills of materials within open source software supply chains and publishing guidance on open source software security best practices, the roadmap said.