Intelligence Agencies Publish New Open-Source Software Guidance

Intelligence community agencies and the Department of the Treasury have produced an open-source software security fact sheet on using operational technology and industrial control systems.

Developed alongside public and private-sector partners, the document contains OSS security information and best practices for critical infrastructure entities and OT/ICS vendors, the Cybersecurity and Infrastructure Security Agency said.

The fact sheet authors recommend that such organizations manage vulnerabilities by joining vulnerability coordination efforts and requesting no-cost cyber hygiene services to reduce risk exposure. Vendors can participate in relevant grant programs, partner with existing OSS foundations, and promote the adoption of security tools in the software development lifecycle. 

According to the document, organizations can maintain an asset inventory to identify open-source components in information technology and OT environments.

In terms of cybersecurity, the authors suggest implementing multifactor authentication and adopting secure-by-default and least-privilege principles.

CISA Director Jen Easterly, a 2023 Wash100 winner, said earlier in 2023 that she would rely on public-private partnerships to address OSS security challenges. Her agency recently released a two-year roadmap to clarify how it will work to secure government and critical infrastructure OSS.