Recent signs show the government is getting open source right. Is your organization?

Against a backdrop of increasing concerns about software security, the U.S. government has recently taken a series of actions to improve software security. This effort started with the White House Executive Order 14028 on Improving the Nation’s Cybersecurity and was followed by two Office of Management and Budget memorandums, M-22-18 and M-23-16, that set schedules and requirements for security compliance. The White House released a National Cybersecurity Strategy and then followed up with an implementation plan, with many of the elements of the plan already underway.

Each of these actions include details about how the government and its suppliers can improve the security of the open source software components that make up a large percentage of the code being used in government applications. But even beyond these government-wide actions, two recent developments show the government is investing in modern, proactive strategies for improving open source software security.

1. The first U.S. government open source program office

The Center for Medicaid and Medicare Services (CMS) recently established the first U.S. government open source program office (OSPO), where the agency is implementing a developer-minded, private-sector-styled strategy to modernize their approach to open source software. The designation of its first dedicated open source program office is an encouraging signal that the federal government recognizes the strategic value of open source and the innovation it can bring to our government agencies.

As Andrea Fletcher, chief digital strategy officer for CMS, explained it: “We already have a lot of really fantastic open source programs… [and are focused on] pushing these programs forward and how we release our software and our code to the greater healthcare ecosystem… We’re pushing this out over the next couple of years to see what it looks like for an agency to have policies around inbounding and outbounding code.”

Questions for readers:

• Has your organization considered following this lead and building an open source program office to manage your open source software policies, including both how you manage contributing to open source externally and how you bring in and manage the open source components your organization is already using? As new government cybersecurity requirements take effect, an open source program office might be a good centralized place from which to organize your efforts to ensure the open source built into your applications stays in compliance with the requirements under M-22-18 and M-23-16.
• Who in your organization is tasked with staying up to date on government cybersecurity regulations impacting open source software, and how can you stay in step with the rapidly evolving requirements and deadlines?
• Which part of the organization will be taking the lead on the secure software development attestation requirements under M-22-18 and M-22-16?

2. Investing in the security of the open source software supply chain

The Office of the National Cyber Director recently released an RFI on Open-Source Software Security and Memory-Safe Programming Languages, seeking ideas from the public and private sector on how to use government resources to invest in improving open source software security. 

One particularly interesting section of the RFI requested ideas around incentives for securing the open source ecosystem.

The core challenge of securing the open source software ecosystem is that it is unlike any other supply chain that is so critical to the global economy because the “suppliers” are largely independent and often unpaid developers (usually called “maintainers”). 

A recent study by Tidelift found that 60% of open source software maintainers described themselves as unpaid hobbyists. The reason the government is focused on maintainer incentives is because unpaid hobbyist maintainers often lack the time and motivation to implement the secure development practices that government and industry require. 

So it is significant to see this RFI looking to address incentives for improving open source software security—potentially by paying maintainers to do the work to implement secure development practices like those recommended in the NIST Secure Software Development Framework.

Questions for readers:

• Are you aware of the NIST Secure Software Development Framework, and the best practices it outlines for the development of software in and for the federal government?
• Do you know whether the open source software being used in the applications you sell to the government follows the practices outlined in the NIST Secure Software Development Framework or whether the project maintainers have the time and incentives to do this work? 
• Without this information, how will you ensure your software complies with new government cybersecurity requirements potentially impacting the open source components you use?

It’s becoming clear that many within the U.S. government, in agencies like CISA, ONCD, CMS, NIST, and OMB, are applying modern thinking to how they manage the security risks of building with open source so they can still take advantage of the enormous innovative potential it provides. 

Is your organization following the lead? Are you thinking about centralizing how you manage your open source policies and practices like CMS is? Are you keeping track of emerging cybersecurity policies and standards impacting open source so you can ensure you are following security best practices NIST recommends, and not endangering your government revenue by missing key deadlines and requirements from OMB? And are you thinking proactively about the volunteer suppliers who you count on for the open source code you use, like ONCD is, and how you can ensure the maintainers who create it are incented to keep it secure into the future?

Open source can be a powerful and positive innovative force when managed effectively, and a liability when not. These are the types of questions you should be asking in order to stay in tune with leading government initiatives that will help point the way to your organization’s success with open source.

Rob Wickham is vice president of public sector at Tidelift and a 20 year veteran of supporting the U.S. federal government by delivering innovative technology solutions that address critical capabilities in the areas of cybersecurity, DevSecOps, hybrid architectures, and zero trust. He is a frequent panel participant speaking on topics including zero trust, identity and access management, and emerging technology trends like software supply chain security, and vulnerability prevention.