CISA Issues New Plan to Secure Open-Source Software Used by Government

The Cybersecurity and Infrastructure Security Agency has released a new roadmap for securing open-source software in the government.

From fiscal years 2024 to 2026, the agency aims to establish its role in the effort, improve its understanding of OSS usage and risks, address such risks and harden the broader ecosystem.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a press release that open-source software is integral to government and critical infrastructure systems. He said vulnerabilities in such software could present systemic risks to the United States economy.

According to the roadmap’s overview, software is open-source when its human-readable source code is publicly available to use, modify and redistribute. CISA said the easy availability of such software can drive innovation, encourage collaboration and lead to the production of higher-quality code.

Open-source software could, however, be vulnerable to supply chain attacks and contain latent weaknesses with potentially far-reaching consequences because of its ubiquity, CISA said.

One way CISA is tackling open-source software risks is through public-private partnerships. Jen Easterly, agency director and 2023 Wash100 winner, highlighted the Joint Cyber Defense Collective’s focus on securing open ecosystems through information sharing and planning.