Inside Cybersecurity


Interagency group details options for open-source software security in request for comments

By Sara Friedman / August 10, 2023

An interagency group led by the Office of the National Cyber Director is offering up five areas on open-source software security that the government could focus on based on input from a new request for information.

The Open-Source Software Security Initiative (OS3I) is currently focused on: “(1) reducing the proliferation of memory unsafe programming languages; (2) designing implementation requirements for secure and privacy-preserving security attestations; and (3) identifying new focus areas for prioritization,” according to the RFI, which was published today in the Federal Register.

The five areas are “Secure Open-Source Software Foundations”; “Sustaining Open-Source Software Communities and Governance”; “Behavioral and Economic Incentives to Secure the Open-Source Software Ecosystem”; “R&D / Innovation”; and “International Collaboration.”

Each area contains sub-areas for further exploration. The RFI asks which of them should be prioritized, which are the most time-sensitive, and what “technical, policy, or economic challenges” the government should consider when it comes to implementation.

Under the heading “foundations”, the RFI seeks advice on opportunities to foster the adoption of memory safe programming languages. This could include supporting “rewrites of critical open-source software components in memory safe languages” or “[a]ddressing software, hardware, and database interdependencies when refactoring open-source software to memory safe languages,” according to the RFI.

The RFI also suggests that the government could develop “tools to automate and accelerate the refactoring of open-source software components to memory safe languages, including code verification techniques.”

Another sub-area under “foundations” looks into how to reduce “entire classes of vulnerabilities at scale.” This includes increasing “secure by default configurations for open-source software development” and “[f]ostering open-source software development best practices, including but not limited to input validation practices.”

The RFI says the federal initiative could also play a role in “[i]dentifying methods to incentivize scalable monitoring and verification efforts of open-source software by voluntary communities and/or public private-partnerships.”

Strengthening the software supply chain is explored as part of the “foundations” topic, including tools that “enable secure, privacy-preserving security attestations from software vendors, including their suppliers and open-source software maintainers,” according to the RFI.

The RFI says, “Detection and mitigation of vulnerable and malicious software development operations and behaviors” is another topic up for more investigation, along with looking into how to incorporate zero trust architecture into the open-source software “ecosystem.”

When it comes to “communities and governance”, the RFI says the government could play a role in “[s]ustaining the open-source software ecosystem (including developer communities, non-profit investors, and academia) to ensure that critical open-source software components have robust maintenance plans and governance structures.”

The “behavioral and economic incentives” area proposes looking into frameworks and models for “developer compensation that incentivize secure software development practices.” The RFI also asks for input on applications of “cybersecurity insurance and appropriately-tailored software liability as mechanisms to incentivize secure software development and operational environment practices.”

Under R&D, the RFI seeks to get details on the “[a]pplication of artificial intelligence and machine learning techniques to enhance and accelerate cybersecurity best practices with respect to secure software development.”

The final area, “international collaboration”, asks for information on “[m]ethods for identifying and harmonizing shared international priorities and dependencies” and “[s]tructures for intergovernmental collaboration and collaboration with various open-source software communities.”

CISA, NIST, the National Science Foundation, the Defense Advanced Research Projects Agency, the Center for Medicare and Medicaid Services and the Lawrence Livermore National Laboratory are participating in the OS3I effort.

BSA-The Software Alliance weighed in on the RFI emphasizing how software security, including open-source software security, should be a “priority for the US government.”

BSA’s Henry Young told Inside Cybersecurity, “Adopting memory-safe languages offers an additional tool for the US government to promote software security. The US government should promote the strategic adoption of memory-safe languages rather than impose fixed timelines that could inadvertently harm the security of the digital ecosystem.”

“A policy of strategic adoption requires active risk management, prioritizes new code, invests in R&D and training, provides incentives for adoptions, and positions the government to lead by example,” Young said.

Deadlines

The RFI takes a three-phase approach in which ONCD will accept questions on the context or processes described in the document through Aug. 18. The government will post responses to “select questions” by Aug. 28, the RFI says.

Written responses to the RFI are due Oct. 9. The RFI asks for stakeholders to focus on questions where they have “expertise and insights” for the government and to keep their comments under 10 pages typed using size eleven font.

The RFI says, “Title page, cover letter, table of contents, and appendix are not included within the 10-page limit.”

Finally, the RFI says the government will review and publish the RFI responses in the third phase. It could also choose “select respondents to engage with the RFI project team to elaborate on their response to the RFI,” the document says. -- Sara Friedman (sfriedman@iwpnews.com)