How to comply with mandatory government cybersecurity requirements impacting open source 

Does your organization sell software to the U.S. government? Then you are probably already aware that the government has become much more active in setting policy to improve cybersecurity in response to high-profile vulnerabilities like SolarWinds and Log4Shell.

Here’s a quick list: It all started with White House cybersecurity executive order 14028; then came…

• NIST guidance on securing the software supply chain (February, 2022)
• NIST Secure Software Development Framework (SSDF), SP 800218
• NIST Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e
• OMB Memorandum M-22-18 on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (September 2022)
• White House National Cybersecurity Strategy (March 2023)
• OMB M-23-16 updated guidance regarding M-22-18 requirements (June 2023)
• White House National Cybersecurity Strategy Implementation Plan (July 2023)

Does all that feel like alphabet soup to you? We have good news: we’re here to help.

Tidelift CEO and co-founder, Donald Fischer, talked through all these government cybersecurity initiatives—specifically how they impact the third party open source software you pull into your applications, because, spoiler alert: that code will need to comply with government regulations, too. And soon, because compliance deadlines are approaching quickly.

After Donald gave you the down low on what you need to know, Tidelift solutions architect Larry Copeland gives a demo on how Tidelift can help your team comply with these government regulations so your organization can avoid putting government contracts at risk.