Impact on Open Source Use
In March 2023, the U.S. Government released the National Cybersecurity Strategy. Recently, the White House followed up by releasing its implementation plan to support that strategy—the National Cybersecurity Strategy Implementation Plan (NCSIP). The plan is intended to be a roadmap to accomplish the goals set out by the administration when it announced the Cybersecurity Executive Order (EO) in 2021. You could say this plan is long awaited by many organizations that want to better understand how the U.S. government is going to proceed, how fast they plan on getting it done, and, more importantly, what’s expected of organizations to meet requirements.
For organizations building applications with open source—and let’s face it, open source is in almost everything—and for those companies selling software to the U.S. government, there are some key takeaways in this plan.
The Software Bill of Materials (SBOM)
We wrote a lot initially about what was in the Cybersecurity EO about SBOMs. The order explicitly laid out the idea that in order to protect our nation from “malicious cyber actors” the Federal Government and private sector must work together to enhance the software supply chain. Specific requirements in the order included:
- Providing a purchaser an SBOM for each product, either directly or by other means such as a website
- Employing automated tools or processes to maintain trusted source code supply chains and ensuring code integrity
In this new plan, CISA owns the responsibility to work across the government to reduce gaps in SBOM implementation, to establish requirements for an end-of-life database, and to level up international communication and coordination efforts by establishing an SBOM team:
“In order to collect data on the usage of unsupported software in critical infrastructure, the Cybersecurity and Infrastructure Agency will work with key stakeholders, including SRMAs [Sector Risk Management Agencies], to identify and reduce gaps in SBOM scale and implementation. CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support and convene an international staff level working group on SBOM.”
Leverage Federal Procurement to Improve Accountability
In Section 3.5 of the implementation plan, the Office of Management and Budget and the Federal Acquisition Regulatory Council are tasked with making changes to the Federal Acquisition Regulation to add mandatory requirements to government contracts around cybersecurity incident reporting and secure software requirements. This will most likely standardize those requirements for all government agencies and anyone selling into the government.
Open Source Software Security Initiative
The plan authorizes the Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA) to establish a new initiative, dubbed the Open Source Software Security Initiative (OS3I), to improve the baseline security level of open source software. The purpose of OS3I is to engage public and private stakeholders to learn about risks and opportunities to improve the security of the open-source software ecosystem.
“The Office of the National Cyber Director will establish an Open-Source Software Security Initiative (OS3I) to champion the adoption of memory safe programming languages and open-source software security. As part of this initiative, CISA will work with the OS3I and the open-source software community to enable the secure usage of open-source software in the Federal Government and critical infrastructure, and to raise the security baseline of the open-source software ecosystem. CISA will also develop close partnerships with open-source software community members and integrate into various community efforts.”
More details as to how they are going to accomplish the above are coming. The current deadline to establish the plan is Q1 of 2024.
Utilize the False Claims Act to Improve Vendor Cybersecurity
The question becomes, how is the government going to hold organizations accountable for cybersecurity failures? Section 3.5 of the plan begins to answer that question. The National Cybersecurity Strategy released earlier this year also began to lay the groundwork:
“The Civil Cyber-Fraud Initiative (CCFI) uses DOJ authorities under the False Claims Act to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations. The CCFI will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.”
The Department of Justice owns the process for creating a framework for investigating false claims around cybersecurity. Included in its directive is how to penalize vendors for violating and/or misrepresenting cybersecurity protocols.
Secure by Design
According to the plan, CISA will lead public/private partnerships with technology manufacturers, educators, non-profit organizations, academia, the open source community, and others to drive the development and adoption of software and hardware that is secure by design and secure by default. It goes further by stating that, “CISA will identify barriers to adoption for such principles and best practices, and will work to drive collective action to adopt these principles across the private sector.”
Regardless of where you sit in the world of open source—user or creator; developer or advocate—I believe one of the most important elements of helping projects and people thrive is active engagement with the open source community. It’s about raising awareness and standing up for the benefits of open source in order to collaborate and grow. The U.S. Federal Government understands that it needs this community to help bridge the gaps in its cybersecurity defense plans and create cohesive policy.
Cyber Trust Mark
In a more recent development as part of an ongoing focus on cybersecurity, the Biden administration launched a new cybersecurity label for smart devices.
In a press briefing, Federal Communications Commission (FCC) Chair Jessica Rosenworcel said the new label, called the U.S. Cyber Trust Mark, will signify that devices bearing it meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The voluntary program is expected to be in place in 2024, with the labels hitting devices “soon after.”
We will continue to provide updates and key deadlines as they become available.