
Creating a Roadmap for Open Source Software Security


The federal government, as well as state, local, tribal, and territorial governments, relies heavily on open source software (OSS) to support critical infrastructure and various sectors. OSS is software whose source code is publicly available, so anyone can use, study, modify, enhance, and redistribute it. It forms the foundation of software across critical infrastructure, supporting every sector and National Critical Function.

A study conducted on codebases from different sectors revealed that 96% of the studied codebases contained open source code, with 76% of the code being open source. In light of this, the Cybersecurity and Infrastructure Security Agency (CISA) aims to fulfill its mission of understanding, managing, and reducing risks to the federal government and critical infrastructure by prioritizing the protection of open source software.

Open source software is considered a public good and is supported by diverse communities comprising individual maintainers, non-profit software foundations, and corporate stewards. It is crucial for CISA to integrate into and support these communities, particularly focusing on the critical OSS components that the federal government and critical infrastructure systems heavily rely on.

CISA recognizes the significant benefits of open source software, such as enabling accelerated software development, fostering innovation, and encouraging collaboration. With these advantages in mind, the agency has prepared a roadmap outlining its strategies to facilitate the secure usage and development of OSS, both within and beyond the federal government. The roadmap primarily focuses on four key goals:

1. Establishing CISA’s role in supporting the security of OSS: This goal emphasizes CISA’s commitment to ensuring the security of open source software by actively participating in its development and enhancement. By partnering with the OSS community, CISA aims to strengthen the overall security posture of critical infrastructure.

2. Understanding the prevalence of key open source dependencies: CISA recognizes the significance of identifying the critical OSS components that are heavily relied upon by the federal government and critical infrastructure systems. Understanding these dependencies is essential for effectively managing and mitigating potential risks.

3. Reducing risks to the federal government: CISA acknowledges the need to proactively address the risks associated with open source software. This involves a comprehensive approach that combines vulnerability assessments, threat intelligence sharing, and collaboration with the OSS community to develop and implement effective security measures.

4. Hardening the broader OSS ecosystem: In line with its mission, CISA aims to contribute to the overall resilience of the open source software ecosystem. This involves collaborating with stakeholders, raising awareness, and promoting best practices to ensure the security and integrity of OSS across different sectors.

By aligning its objectives with these four key goals, CISA seeks to enhance the security and reliability of open source software within critical infrastructure and the federal government. This roadmap underscores the agency’s commitment to fostering a secure and collaborative environment for the development and usage of OSS. It recognizes the importance of the OSS community and aims to actively support and engage with it to drive innovation, collaboration, and secure advancements in critical infrastructure systems.
