Signed in May 2021, White House Executive Order 14028 on Improving the Nation's Cybersecurity contains several initiatives that organizations using open source to develop applications should understand. At a high level, it signals that organizations selling software to the U.S. government will need to attest to the health, security, and provenance of the open source components that go into their applications.
The executive order also directs the National Institute of Standards and Technology (NIST) to publish software supply chain security guidance within a year. That guidance, not regulation in itself, describes the secure development practices agencies are expected to require of their software suppliers, including how vulnerabilities in application components should be identified and managed.
Since the original publication of this page, NIST has released the NIST Secure Software Development Framework (SSDF). You can read about these guidelines and how they impact open source on our blog.
A run of high-profile supply chain incidents, starting with the SolarWinds compromise of proprietary software in late 2020, prompted the U.S. government to mandate improvements to the nation's cybersecurity. The Log4Shell incident in open source software, disclosed in December 2021 after the order was signed, reinforced the case: it had a significant financial impact and highlighted the need for a sound support system for the open source maintainers behind the packages that, by Tidelift's estimate, make up 70% of the code in modern applications.
Section 4 of the executive order outlines the guidance NIST was to create. The items below are particularly relevant for organizations using open source to develop applications:
(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
An SBOM is a machine-readable inventory of the software components that make up an application, typically recording each component's name, version, package identifier, and integrity hashes. Keeping an accurate SBOM not only tells you and your team what is actually in the software your organization ships and runs, it is also the first step toward meeting government requirements such as items (vi), (vii), and (x) of Executive Order 14028 quoted above.
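As an added example, not part of the original page or of any Tidelift tooling, the following Python script reads a small CycloneDX JSON SBOM and reports which components lack the version, package URL, or hash data that items (vi) and (x) of the order are concerned with. The SBOM is constructed for illustration: the component names, the hash value, and the field set (CycloneDX 1.4 `components[].name/version/purl/hashes`) are assumptions, and the script checks only field presence, not whether the recorded values are true.

```python
"""Check a CycloneDX JSON SBOM for missing provenance and integrity data.

Added example, not from the original page. The SBOM below is constructed
for illustration: the second component and the hash value are made up.
Assumes the CycloneDX 1.4 JSON field names components[].name, .version,
.purl and .hashes.
"""
import json

# Constructed sample: one fully described component, one with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "log4j-core",
            "version": "2.17.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            # placeholder digest, not the real artifact hash
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        },
        {
            "type": "library",
            "name": "example-lib",  # hypothetical package, no version/purl/hashes
        },
    ],
})

# Fields every component should carry to support provenance and integrity checks.
REQUIRED_FIELDS = ("version", "purl", "hashes")


def load_components(sbom_json):
    """Parse the document and return its component list, rejecting non-CycloneDX input."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def component_gaps(component):
    """Return the required fields that are absent or empty on one component."""
    return [field for field in REQUIRED_FIELDS if not component.get(field)]


def audit_sbom(sbom_json):
    """Map each component name to its list of gaps; an empty list means complete."""
    return {c["name"]: component_gaps(c) for c in load_components(sbom_json)}


def incomplete_components(sbom_json):
    """Sorted names of components that are missing at least one required field."""
    return sorted(name for name, gaps in audit_sbom(sbom_json).items() if gaps)


if __name__ == "__main__":
    for name, gaps in audit_sbom(SAMPLE_SBOM).items():
        status = "ok" if not gaps else "missing " + ", ".join(gaps)
        print(f"{name}: {status}")
```

Run against a real SBOM, the same check is a cheap gate in CI: a component without a version or hash cannot be matched against vulnerability data or verified against the artifact that was actually built, so the SBOM does not yet serve the purpose the order describes.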
Furthermore, as a result of the executive order, NIST released the NIST SSDF, a set of secure development practices that organizations selling software to the U.S. government must self-attest to following. Under the timelines set by the Office of Management and Budget (OMB) in memorandum M-22-18 and its follow-up M-23-16, attestations were expected as soon as late 2023 for critical software and early 2024 for all other software. Creating an SBOM is only the start of attesting that your software complies with the SSDF: in addition to providing an SBOM listing the components of your applications, your organization will also need to attest that the open source dependencies in those applications were developed following secure software development practices.
To learn how Tidelift can help your organization attest to the open source components used to build your applications, download a sample of the Tidelift open source attestation report.
Executive Order 14028 is just the start of the U.S. government addressing the security of the software supply chain. As directed by the executive order, NIST released the NIST SSDF and the NIST Software Supply Chain Security Guidance. In September 2022, OMB issued M-22-18, which set a timeline for when organizations selling to the U.S. government must self-attest that they comply with the guidelines in the NIST SSDF. In June 2023, the follow-up M-23-16 adjusted those deadlines and clarified the scope of the requirement and the consequences of non-compliance.
To learn more about these and other U.S. government initiatives, and to stay up to date on government policies and how they relate to the open source software supply chain, bookmark our government open source cybersecurity resource center and download the Tidelift guide to U.S. government cybersecurity requirements.
In December 2021, Tidelift fielded our annual survey of technologists, including software developers, engineering executives and managers, architects, and devops professionals, who build applications with open source.
Join Allan Friedman, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA), for his 2023 Upstream keynote on the state of SBOMs today and how they apply to open source.
Lauren Hanford, Tidelift VP of product, and Kanish Sharma discuss the NIST SSDF and share ways organizations can put its guidance into practice, with a focus on the open source software on which all modern software is built.