The Office of the National Cyber Director (ONCD) today released a summary report detailing a dozen actions the Federal government is currently taking to advance security in open-source software (OSS).
The governmentwide actions to secure OSS support ONCD’s August 2023 OSS security request for information (RFI) that yielded 107 public submissions addressing key areas the Federal government should prioritize to improve the security of the OSS ecosystem.
ONCD said the submissions advocated for a “considerable number” of Federal actions to secure the OSS ecosystem, which resulted in agencies implementing a dozen activities to support the RFI recommendations.
Recommendations include increasing the adoption of memory-safe programming languages, developing new open-source tools and libraries, and using AI to enhance secure software development, among other actions.
The 20-page report highlights that – in alignment with the President’s agenda as established in the National Cybersecurity Strategy, and in support of the recommendations provided through the RFI – members of the Open-Source Software Security Initiative (OS3I) have completed or plan to complete a dozen actions to secure the OSS ecosystem in 2024 and 2025.
On the advanced research and development front, the National Science Foundation (NSF) announced that it is planning to launch an open-source software safety, security, and privacy track for the Pathways to Enable Open-Source Ecosystems (POSE) program. “The program’s goal is to transition open-source technologies into open-source ecosystems to further advance technologies and efficiently address national challenges while ensuring security and privacy,” the report says.
ONCD also highlighted the Defense Advanced Research Projects Agency’s (DARPA) new program, Translating All C to Rust (TRACTOR), that will build automation tools to help developers translate legacy software to achieve verifiably memory-safe Rust code.
The Cybersecurity and Infrastructure Security Agency (CISA) is partnering with open-source communities to help improve the security of the open-source ecosystem both operationally and strategically.
The Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) recently established the first Open-Source Program Office (OSPO) at a Federal agency. “The function of the OSPO is to establish and maintain guidance, policies, practices, and talent pipelines that advance equity, build trust, and amplify impact across CMS, HHS, and Federal Government’s open-source ecosystem by working and sharing openly,” the report says.
DARPA launched its Verified Security and Performance Enhancement of Large Legacy Software (V-SPELLS) program, which aims to create practical tools to help developers with legacy software modernization. V-SPELLS tools will aid developers in replacing hand-written parsing code with machine-generated parsers that are proven to be free of vulnerabilities.
Additionally, DARPA’s Compartmentalization and Privilege Management (CPM) program is exploring ways to automatically transform legacy software into small code compartments, each with limited privilege, so that cyberattacks that exploit a vulnerability still can’t compromise their ultimate target.
“Open-source software is ubiquitous and it underpins much of the hardware and software vital to America’s national security and economic prosperity. The Biden-Harris administration recognizes the unique value proposition of open-source software; when it is not secure and resilient, the resulting damage, disruption, and disorder is evident,” ONCD’s report concludes. “Preventing and mitigating those risks cannot be accomplished by the Federal government alone; it requires collaboration with the open-source software community.”