Government Mandates for Open Source Security

Governments in the U.S., Europe and elsewhere are increasingly concerned about the security posture of software in general, and of open source software in particular. The regulatory regimes and program requirements that emerge from national governments typically exert their influence in several ways:

  • By excluding non-compliant suppliers from federal and defense-related acquisition cycles

  • By pushing both direct and indirect supply chains toward compliance: most independent software and hardware vendors do some portion of their business with the government, and they in turn press their own suppliers to comply "upstream"

  • Through punitive action (fines and bans) for non-compliance

  • Via direct participation in open source projects by government employees and contractors

  • Through the supply of tools and benchmarks

This blog post briefly examines policy statements and regulatory legislation from several governmental entities:

  • The US White House Office of Management and Budget

  • The Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security

  • The European Union Cyber Resilience Act and other regulation emerging from the European Commission

OMB - The White House Office of Management and Budget

The OMB, an office of the White House, has been issuing memoranda on various aspects of cybersecurity, particularly over the last four years. Most recently, on July 10, 2024, the OMB issued the memorandum "Administration Cybersecurity Priorities for the FY 2026 Budget", outlining the Administration's cross-agency cybersecurity investment priorities for formulating the fiscal year (FY) 2026 budget. With regard to open source software, this memorandum specifically highlights the need to

Improve Open Source Software Security and Sustainability

Recognizing the many benefits of open source software, departments and agencies should ensure secure use of open source software and contribute to maintaining open source code to help sustain components depended on by the agency. Maintenance activities could include

  • developing mechanisms that enable and encourage employees and contractors to contribute to open source software components, including security-related contributions;

  • monitoring changes to code;

  • tracking and correcting potential errors and flaws in code; and other related activities.

Agencies should integrate open source software considerations, including processes to review, approve, inventory, and centralize open source consumption, into agency IT and cybersecurity governance structures. Agencies are encouraged to study the benefits that can be gained through establishment of a governance function modeled after private sector open source program offices that define roles, responsibilities, and methods of engagement.

To follow the status of implementation of these priorities, visit the "End of Year Report on Open Source Software Security Initiative".

CISA - The Cybersecurity and Infrastructure Security Agency

CISA, a part of the Department of Homeland Security (DHS), has the mission of understanding, managing, and reducing risks to the federal government and critical infrastructure. With regard to open source, CISA envisions a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community.

In support of this vision, in 2023 CISA issued an Open Source Software Security Roadmap. The roadmap lays out four key priorities to help secure the open source software ecosystem:

  1. establishing CISA's role in supporting the security of open source software;

  2. driving visibility into open source software usage and risks;

  3. reducing risks to the federal government; and

  4. hardening the open source ecosystem.

You can download the full Roadmap here.

Earlier in 2024, CISA introduced a new framework to address the question of how to measure the trustworthiness of open source software and how to communicate open source security metrics. The framework builds on CISA's existing approach and assesses trust along four dimensions: the project, the product, protection activities, and policies.

CISA also announced that it will fund an open source tool called Hipcheck to help automate the evaluation process for determining open source trustworthiness, and to make that process implementable and scalable.

EU - The European Union - Cyber Resilience Act

The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The CRA would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.

The problem addressed by the Regulation is two-fold.

  • First is the inadequate level of cybersecurity inherent in many products, or inadequate security updates to such products and software.

  • Second is the inability of consumers and businesses to currently determine which products are cyber-secure, or to set them up in a way that ensures their cybersecurity is protected.

The Cyber Resilience Act aims to guarantee:

  • harmonized rules when bringing to market products or software with a digital component;

  • a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain;

  • an obligation to provide duty of care for the entire lifecycle of such products.

The Cyber Resilience Act entered into force on 10 December 2024. Most of its obligations apply from 11 December 2027, with the vulnerability and incident reporting obligations applying from 11 September 2026, so manufacturers will have to place compliant products on the Union market by 2027. The Commission will then periodically review the Act and report on its functioning.

The CRA and Open Source Software

The CRA applies to all products with digital elements that connect directly or indirectly to another device or network, except for specified exclusions: products already covered by existing sector-specific rules, which is the case for medical devices, aviation and cars, and certain categories of software, discussed below.

Free and open source software developed or supplied outside the course of a commercial activity is not targeted by the CRA. Open source software that is monetized, or that a manufacturer integrates into a commercial product, does fall within scope, and the adopted text introduces the lighter-weight role of "open-source software steward" for foundations and similar organisations that support such software. Pure SaaS is likewise out of scope, unless it is a remote data processing solution for a hardware product sold on the European market.

The CRA requires that manufacturers, upon identifying a vulnerability in a software component (including an open source component), shall report the vulnerability to the person or entity manufacturing or maintaining that component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in the CRA (Annex I, Part II of the adopted Regulation). In practice this means a manufacturer must know which open source components are in its product, track their vulnerabilities, and feed fixes back upstream rather than patching silently in-house.

Learn more at the EU Cyber-Resilience Fact Sheet.

Open Source Compliance Initiatives

In response to the EU CRA and other government regulations that affect the development and integration of open source software, various open source organizations have launched initiatives to help meet these emerging requirements and to work hand-in-hand with the government bodies crafting legislation and regulations that impact open source software.

Open Regulatory Compliance Working Group

In April 2024, the Eclipse Foundation announced the launch of the Open Regulatory Compliance Working Group (ORC WG) to collaborate on common specifications for secure software development based on existing open source best practices, and to support the implementation of the European Union's Cyber Resilience Act (CRA). Founding membership includes the Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation.

ORC WG Membership

The Linux Foundation and Cyber-Security

The Linux Foundation web site states:

Securing software is a priority for a functioning and thriving digital economy. Achieving sustainable and secure software, in particular open source software, is a shared effort, requiring a multi-faceted, long-term approach that includes tooling and resources, education, collaboration, and leadership! 

At the Linux Foundation, our projects and communities are shoring up software supply chain security in diverse, widespread, and comprehensive ways, and stewarding compliance with regulations such as the EU Cyber Resilience Act and the US Executive Order on Cybersecurity. To encourage project discovery and enhance collaboration, we’ve created LF Security, a central home where you can get the resources you need to improve your organization’s security posture, and to encourage more people to join us in our efforts.

The Security page on the LF web site lists resources under the Foundation umbrella, including communities, initiatives, tools and infrastructure that advance the security of software, including technical projects, standards and specifications, events and webinars, training and certification programs, and research projects.

Conclusion

In response to the increasing pace of major breaches, ransomware attacks, network outages and wide-reaching system and application crashes, government regulators have been compelled to act to safeguard both individual citizens and the businesses under their purview. Opinions differ as to the actual impact of open source on the security posture and uptime of private and public sector systems, but no one would argue that improving the quality and security of all code, including open source software, would not greatly benefit users, integrators and developers. The challenge facing the open source ecosystem will be to satisfy mandates coming out of Washington DC, Brussels and other capitals without stifling the innovation and transparency that are the hallmarks of open source software and of the development processes that drive it.

Open Source Regulatory Compliance and Test Automation

At present, regulation that affects open source software is focused on final deployment environments rather than on the test lab and the build cycle. Developers and vendors who test and deliver devices and software will certainly need to comply with these evolving regulatory regimes; test software itself, much less so. That said, the developers of OpenTAP take pains to follow secure development best practices, as do the device manufacturers in the OpenTAP ecosystem, starting with Keysight.