CISA announces new efforts to help secure open-source ecosystem, aligns with community

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week concluded a two-day Open Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing the security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.

During the summit, OSS community leaders, including open-source foundations, package repositories, civil society, industry, and federal agencies, explored approaches to help strengthen the security of the open-source infrastructure.

As part of this collaborative effort, CISA announced several initial key actions it will take, in partnership with the open source community, to help secure the open source ecosystem. Among them, CISA will work closely with package repositories to foster adoption of the Principles for Package Repository Security. Developed by CISA and the Open Source Security Foundation's (OpenSSF) Securing Software Repositories Working Group, the framework was published recently and outlines voluntary security maturity levels for package repositories.

Also, CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open-source software infrastructure operators to better protect the open-source software supply chain. Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open-source community to improve their vulnerability and incident response capabilities.

The federal government has coordinated its efforts around open source software security through the Office of the National Cyber Director (ONCD) Open Source Software Security Initiative.

Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a Request for Information (RFI) on open-source software security and memory-safe languages, which received more than 100 substantive responses. The issuing agencies are currently reviewing responses and will publish a summary of the RFI submissions.

In 2023, CISA released its Open Source Software Security Roadmap to help secure the federal government’s use of open-source software and support the global open-source ecosystem. It lays out four key goals: establishing CISA’s role in supporting the security of open source software, driving visibility into open source software usage and risks, reducing risks to the federal government, and hardening the open source software ecosystem. 

CISA detailed that the latest actions from the summit represent key steps in the fulfillment of the Roadmap’s goals, including Objective 1.1. Partner With OSS Communities and Objective 1.2. Encourage Collective Action From Centralized OSS Entities.

“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” Jen Easterly, CISA director said in a media statement. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

“Open source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” says Anjana Rajan, assistant national cyber director for technology security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”

“OpenSSF’s mission is to improve the security of open-source software. Package repositories are critical infrastructure for the open source community,” according to Omkhar Arasaratnam, general manager at OpenSSF. “We thank CISA for facilitating this Open Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open-source package repositories for everyone.”

“Securing the open source software supply chain is crucial for protecting global economic infrastructure,” said Mike Milinkovich, executive director of the Eclipse Foundation. “CISA is working to improve open source security, focusing on both current issues and future application development. We’re proud to contribute to this vital work, helping CISA improve the global development ecosystem and supporting its vision for the future.”

“OSI and the Open Policy Alliance commend CISA for engaging with the open source software community and appreciate the opportunity to participate in this week’s Open Source Security Summit,” said Deb Bryant, US policy director of Open Source Initiative. “Including less represented, small open source non-profits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of Open Source.”
