The White House’s Office of the National Cyber Director (ONCD) published its 2023 End of Year Report on the Open-Source Software Security Initiative (OS3I) this week, highlighting four key areas the group made progress in over the last year.
OS3I is one initiative in President Biden’s National Cybersecurity Strategy (NCS), which aims “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
This commitment was further solidified in the NCS Implementation Plan, which included a directive to promote open-source software security and the adoption of memory-safe programming languages.
“The 2023 End of Year Report details the significance of open-source software, its ecosystem, and inherent challenges,” ONCD said in a press release.
According to the 7-page report, the OS3I focused on four key areas in 2023:
- Unifying the Federal government’s voice on open-source software security;
- Establishing a strategic approach for the Federal government’s secure use of open-source software and efforts to secure the broader ecosystem;
- Advancing President Biden’s Invest in America agenda by encouraging long-term, sustained security investment in the open-source software ecosystem; and
- Engaging and building trust with the open-source software community.
For example, in October, the Cybersecurity and Infrastructure Security Agency (CISA) – in coordination with the OS3I – released its Open Source Software (OSS) Security Roadmap to build relationships with open-source software communities, measure open-source software prevalence, help secure the usage of open-source software by Federal departments and agencies, and bolster the overall security of the open-source ecosystem.
Additionally, as part of the OS3I, ONCD, CISA, the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) issued a request for information (RFI) in August to gather input from the open-source community and focus government priorities on open-source software security; the RFI received over a hundred substantive responses.
The OS3I interagency working group was established by ONCD in collaboration with OMB in the aftermath of the Log4Shell vulnerability, disclosed in December 2021, with the goal of channeling government resources toward greater open-source software security.
Since then, OS3I has welcomed many other interagency partners – including CISA, NSF, and DARPA, among others – in order to identify open-source software security priorities and implement policy solutions.
“In 2024, the OS3I will continue to champion the security of the open-source software ecosystem by taking stock of the research and information submitted through the RFI to inform future OS3I workstreams and priority actions,” the report concludes. “Additionally, the OS3I will continue to engage Federal government, the open-source software community, civil society, and private sector stakeholders across the open-source software landscape to identify and highlight policy solutions that improve the security of the open-source software ecosystem.”