The Office of the National Cyber Director (ONCD) announced a request for information (RFI) today seeking public comment on open-source software security and memory-safe programming languages.
Responses to the RFI are due on October 9.
In partnership with the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB), the White House’s RFI builds on the commitment it made in its National Cybersecurity Strategy “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
The RFI also advances an initiative of the National Cybersecurity Strategy Implementation Plan, released last month, to promote open-source software security and the adoption of memory-safe programming languages.
“The security and resiliency of open-source software is a national security, economic, and a technology innovation imperative,” the RFI says. “Because open-source software plays a vital and ubiquitous role across the federal government and critical infrastructure, vulnerabilities in open-source software components may cause widespread downstream detrimental effects.”
“The federal government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration,” the document continues. “In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.”
In 2021, in the aftermath of the Log4Shell vulnerability, ONCD, in collaboration with OMB and the Office of the Federal Chief Information Officer, established the Open-Source Software Security Initiative (OS3I) interagency working group with the goal of channeling government resources toward greater open-source software security.
Since then, OS3I has welcomed many other interagency partners – including CISA, NSF, and DARPA, among others – in order to identify open-source software security priorities and implement policy solutions.
According to the White House, OS3I has identified several focus areas, including reducing the proliferation of memory-unsafe programming languages; designing implementation requirements for secure and privacy-preserving security attestations; and identifying new focus areas for prioritization.
Today’s RFI aims to further the work of OS3I by identifying the areas on which government priorities should focus and by addressing critical topics such as:
- How the Federal government can contribute to driving down the most important systemic risks in open-source software;
- How the Federal government can help foster the long-term sustainability of open-source software communities; and
- How open-source software security solutions can be implemented from a technical and resourcing perspective.
The agencies are seeking public and private sector input as Federal leadership develops its strategy and action plan to strengthen the open-source software ecosystem. ONCD, CISA, NSF, DARPA, and OMB are seeking input from stakeholders to develop and implement long-term and sustainable policy solutions.