In August of 2023, ONCD, CISA, NSF, DARPA, and OMB published a Request for Information (RFI) on Open-Source Software Security in the Federal Register, and in August of 2024 the government released a summary of the responses and next steps coming out of the project.
Tidelift survey data was quoted in the final report, and additional data is included in our full response to the original RFI, which you can read here.
.png)
The White House's National Cybersecurity Strategy, launched in March 2023 as a multi-phase effort, is designed to secure a safe and secure digital ecosystem for all Americans. It emphasizes a collaborative approach between the public and private sectors to enhance cybersecurity. The strategy introduces significant shifts in how cybersecurity roles, responsibilities, and resources are allocated, focusing on rebalancing the burden of cybersecurity away from individuals and smaller entities towards more capable organizations. It also aims to realign incentives to encourage long-term investments in cybersecurity to ensure future resilience and protect national interests.
Organizations building applications with open source should look for impacts in the following areas:
Read the plan:
OMB memorandum M-22-18 and M-23-16 were issued in response to Executive Order 14028. They aim to enhance the security of the software supply chain by requiring federal agencies and their software vendors to adhere to the Secure Software Development Framework as outlined by NIST (NIST SP 800-218). They mandate that agencies obtain a self-attestation from software producers confirming compliance before using their software. This applies to both newly developed software and existing software undergoing major version changes. The focus is on creating a conformity assessment framework that ensures all software used by federal agencies meets these security standards.
Any organization that sells software to the government will be required to self-attest that their software complies with the NIST guidelines. In addition:
Read more:
The White House issued Executive Order 14028 on Improving the Nation’s Cybersecurity in May 2021 in response to increasing digital threats like the one that impacted SolarWinds and its customers.
This order set in motion many of the other US government and industry efforts to improve cybersecurity. It had many elements that specifically impacted organizations developing applications with open source, and set timelines for more detailed guidelines from NIST, CISA, and the OMB.
Executive Order 14028 has numerous provisions that organizations using open source to develop applications should understand. At a high level, it states that organizations will need to begin to attest to the health, security, and provenance of all the software components that go into their applications. Among other stipulations, it recommends that organizations:
The CISA's Secure by Design pledge is a commitment by organizations to integrate security measures right from the design phase of their products and services. It emphasizes the importance of building security into the infrastructure and operations, not merely addressing it post-development. This approach aims to mitigate vulnerabilities early, enhance overall cybersecurity, and ensure the resilience of digital environments against emerging threats. The pledge calls for collaboration across industries to uphold rigorous security standards throughout the lifecycle of tech products and services.
Tidelift is a proud signee of the Secure by Design pledge, having joined other leading technology companies in an industry-wide effort to ensure security is built into the design of products from the start. Learn more about how Tidelift is delivering on the requirements of the pledge.
All organizations participating in this pledge are making a good-faith effort to work towards a set of important security outcomes centered around software development within the first year to demonstrate:
Learn more about the CISA Secure by Demand Guide, which lays out questions and resources that organizations buying software can use to better understand a software manufacturer’s approach to cybersecurity and ensure that the manufacturer makes secure by design a core consideration.
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions released by the Food and Drug Administration (FDA), outlines guidelines for incorporating cybersecurity measures into the design and development of medical devices. It emphasizes the importance of considering cybersecurity throughout the device lifecycle, including during the premarket phase. Manufacturers are urged to implement comprehensive cybersecurity practices to protect devices from risks associated with unauthorized access and ensure patient safety. The guidance details specific cybersecurity documentation that should be included in premarket submissions to demonstrate how manufacturers assess and mitigate potential cybersecurity threats.
As directed by Executive Order 14028, the National Institute of Standards and Technology (NIST) published specific guidance on secure software development standards (including for third-party software) in its NIST Secure Software Development Framework and NIST Software Supply Chain Security Guidance documents.
The European Union's Cyber Resilience Act is a pivotal regulation designed to enhance cybersecurity across digital products and services within the EU. It sets forth mandatory cybersecurity requirements for manufacturers and developers to ensure that digital products, including both hardware and software, are safer and more secure. The Act mandates the adoption of cybersecurity measures such as incident reporting and vulnerability remediation. It aims to reduce the cybersecurity risks associated with digital products by establishing a uniform standard of cyber resilience, thereby protecting consumers and strengthening the internal market.
The New York State Department of Financial Services' regulation 23 NYCRR 500 establishes cybersecurity requirements for financial services companies within New York. This comprehensive framework mandates that these companies implement a cybersecurity program tailored to their specific risk profiles, which includes regular risk assessments and the development of policies and procedures to protect information systems and nonpublic data. A key requirement is the designation of a Chief Information Security Officer (CISO) to oversee and enforce the cybersecurity program. Additionally, the regulation requires regular penetration testing and vulnerability assessments, as well as timely notification to the DFS about significant cybersecurity events. This set of standards is pivotal in bolstering the cybersecurity posture of New York’s financial services sector against the increasing threat of cyber attacks.
Maintainer Seth Michael Larson was able to substantially improve urllib3 security practices thanks to income from Tidelift and its customers.
Maintainer Tatu Saloranta completely rearchitected jackson-databind and eliminated the risk of remote code execution (RCE) vulnerabilities.
In this recorded webinar, you will learn:
50 Milk St, 16th Floor, Boston, MA 02109.svg){kind=icon}