CISA Aims For More Robust Open Source Software Security for Government and Critical Infrastructure
The agency’s roadmap outlines a plan for prioritizing where open source software makes infrastructure potentially vulnerable.
The US Cybersecurity and Infrastructure Security Agency released four priorities for securing open source software ecosystems on Tuesday, September 12. Specifically, the roadmap will be used to develop a framework to prioritize risk. This framework will then guide the federal government and critical infrastructure organizations in choosing which open source security projects to launch first.
CISA's roadmap sets up steps toward the following:
The full roadmap can be found in a PDF linked in CISA’s blog post. The roadmap will result in a process by which CISA can continually monitor open source software security risks. CISA also plans to create a guide to best practices in open source security for government entities and critical infrastructure organizations, according to the roadmap.
“We envision a world in which every critical OSS (open source software) project is not only secure but sustainable and resilient, supported by a healthy, diverse and vibrant community. In this world, OSS developers are empowered to make their software as secure as possible,” CISA wrote.
The new roadmap is part of the federal National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan. The roadmap is significant because it provides next steps for how CISA might work with companies and nonprofit groups using and developing open source software.
CISA notes that open source software can lead to great innovation; however, CISA said, vulnerabilities like the widespread Log4shell vulnerability in 2021 mean open source software can introduce insidious flaws into widely used code. In addition, supply chain attacks can make open source software vulnerable.
CISA's roadmap lays groundwork for possibly applying the actions detailed in the Securing Open Source Software Act of 2023. This is a bill introduced in Congress in September 2022; it highlights the importance of the open source community to the tech industry and calls for CISA to work more directly with the open source community in matters of national security. The Securing Open Source Software Act was introduced to Congress in March 2023 and has not yet passed in the House of Representatives.
The alternative to a federal act is for organizations to vet their own transitive dependencies. Transitive dependencies are the packages a piece of free or open source software pulls in indirectly, through the dependencies of its own dependencies. These could be inventoried and locked down using a method such as a software bill of materials (SBOM).
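As an added illustration of what vetting transitive dependencies through an SBOM looks like in practice (this is example code, not part of the TechRepublic article or of CISA's roadmap), the Python below walks a constructed CycloneDX-style SBOM fragment from the application's root component, enumerates everything it pulls in transitively, and flags components that are unpinned (no version), unverifiable (no hash), or referenced in the dependency graph but missing from the component list. The SBOM contents, package names and the placeholder hash are all made up for the example; only the CycloneDX field names (`bom-ref`, `components`, `dependencies`, `dependsOn`, `hashes`) are real.

```python
"""Walk a CycloneDX-style SBOM to enumerate transitive dependencies and flag
components that are not pinned (no version) or not verifiable (no hash)."""
import json
from collections import deque

# Constructed sample SBOM (CycloneDX field names, made-up packages and a
# placeholder hash). It is not any real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/example-service@1.0.0",
                               "name": "example-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/web-framework@2.3.1", "name": "web-framework",
         "version": "2.3.1", "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"bom-ref": "pkg:pypi/template-engine@3.1.0", "name": "template-engine",
         "version": "3.1.0", "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
        # Pulled in three levels deep, with neither a version nor a hash.
        {"bom-ref": "pkg:pypi/markup-sanitizer", "name": "markup-sanitizer"},
        # Pinned by version but with no hash to verify the artifact against.
        {"bom-ref": "pkg:pypi/json-logger@1.4.2", "name": "json-logger", "version": "1.4.2"},
        # Listed in the SBOM but not reachable from the application itself.
        {"bom-ref": "pkg:pypi/dev-linter@0.9.0", "name": "dev-linter", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "2" * 64}]},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-service@1.0.0",
         "dependsOn": ["pkg:pypi/web-framework@2.3.1", "pkg:pypi/json-logger@1.4.2"]},
        {"ref": "pkg:pypi/web-framework@2.3.1", "dependsOn": ["pkg:pypi/template-engine@3.1.0"]},
        {"ref": "pkg:pypi/template-engine@3.1.0", "dependsOn": ["pkg:pypi/markup-sanitizer"]},
        {"ref": "pkg:pypi/markup-sanitizer", "dependsOn": []},
        # Refers to a component that has no entry in "components" at all.
        {"ref": "pkg:pypi/json-logger@1.4.2", "dependsOn": ["pkg:pypi/orphan-lib"]},
    ],
})


def load_graph(sbom_json):
    """Return (root_ref, components_by_ref, adjacency) from a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    components.setdefault(root["bom-ref"], root)
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root["bom-ref"], components, edges


def transitive_dependencies(sbom_json):
    """Breadth-first walk from the root; returns {ref: depth} for every reachable
    dependency (depth 1 = direct). A visited set keeps dependency cycles from looping."""
    root, _, edges = load_graph(sbom_json)
    depth = {}
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in edges.get(ref, []):
            if child in seen:
                continue
            seen.add(child)
            depth[child] = d + 1
            queue.append((child, d + 1))
    return depth


def pinning_report(sbom_json):
    """For every reachable dependency, record whether it can be pinned and verified:
    no version, no hash, or no component entry behind the reference at all."""
    _, components, _ = load_graph(sbom_json)
    report = {"missing_version": [], "missing_hash": [], "missing_metadata": []}
    for ref in transitive_dependencies(sbom_json):
        comp = components.get(ref)
        if comp is None:
            report["missing_metadata"].append(ref)
            continue
        if not comp.get("version"):
            report["missing_version"].append(ref)
        if not comp.get("hashes"):
            report["missing_hash"].append(ref)
    return {key: sorted(refs) for key, refs in report.items()}


if __name__ == "__main__":
    for ref, d in sorted(transitive_dependencies(SAMPLE_SBOM).items(), key=lambda kv: kv[1]):
        print(f"depth {d}: {ref}")
    for key, refs in pinning_report(SAMPLE_SBOM).items():
        print(f"{key}: {refs}")
```

Two design choices matter for real SBOMs: the walk starts from the root component rather than iterating over `components`, so tooling that was listed but never shipped (the `dev-linter` entry above) does not inflate the risk picture, and a reference with no component entry is reported rather than silently skipped, because that is exactly the kind of gap an SBOM is supposed to close.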
The open source security roadmap is one of many documents currently circulating in the U.S. federal realm related to aligning the open source community with high-stakes security needs. Representatives from CISA attended the Secure Open Source Software Summit 2023 on September 13 to discuss open source security standards with other government agencies and members of the industry. They addressed possible open source security concerns in critical infrastructure, public health and safety, economic stability and national security.
The meeting resulted in the creation of three objectives for the next year:
“While government agencies have made progress in addressing open source security, it is evident that further action is needed to enhance the protection of critical infrastructure and corporate assets,” said Mike Walters, vice president of vulnerability and threat research and co-founder of patch management software company Action1, in an email to TechRepublic.
“The risks that organizations face from open source vulnerabilities are significant and can have devastating consequences,” Walters said. “By investing in comprehensive security measures, fostering collaboration and enforcing secure practices, we can build a resilient ecosystem that encourages innovation while protecting against potential threats.”