
Impact of New US National Cybersecurity Strategy on Organizations Building With OSS

US National Cybersecurity Strategy

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Donald Fischer of Tidelift examines the potential impact of the new US National Cybersecurity Strategy.

The last few years have seen a significant number of high-profile cybersecurity incidents, such as the SolarWinds attack, the ransomware attack on Colonial Pipeline, the Equifax data breach, and a number of open-source supply chain vulnerabilities like Heartbleed and Log4Shell. In response, the U.S. government has undertaken a concerted effort to create policies that will enhance the country’s cyber defenses and safeguard both businesses and citizens from the impact of cyber threats.

In 2021, the U.S. Congress called for the formation of the Office of the National Cyber Director (ONCD) and in May of the same year, White House Executive Order 14028 on improving the nation’s cybersecurity instructed the National Institute of Standards and Technology (NIST) to provide guidance on secure software development standards. This led to NIST issuing the Secure Software Development Framework (SSDF) v1.1, SP 800-218, and the NIST Software Supply Chain Security Guidance. The Executive Office of the President, Office of Management and Budget then issued memorandum M-22-18 in September 2022. This memorandum set dates and deadlines for both government agencies and organizations selling software to the government to comply with NIST guidelines. Among other stipulations, it requires that any organization selling software to the government must self-attest that their software is compliant with the NIST framework by June 2023 for critical software or by September 2023 for all other software.

If that seems like a lot to digest, it is. That is why organizations building applications with open-source components should be getting prepared by paying close attention to these dates and guidelines and asking questions internally to ensure they can complete their self-attestation requirements.


A New National Cybersecurity Strategy for the US

The ONCD’s initial task has been to establish a comprehensive national cybersecurity strategy, which was recently released. The cybersecurity strategy has implications for government policies and laws pertaining to cybersecurity in that a major change in policy direction has been announced that will shift responsibility for cybersecurity to hardware and software vendors — and away from consumers and businesses impacted by cybersecurity lapses.

How Will These Changes Impact Organizations Building Software with Open-Source?

Organizations that conduct business with the U.S. government and also utilize open-source software in their software development practices will see immediate impacts as their government clients begin requiring compliance with these new policies. Other organizations building applications with open-source may not feel the direct effects of these new policies and regulations right away but should still be educating themselves and staying informed.

When It Comes to Open-Source, How Will Organizations Attest to the Security Practices of the Projects They Use?

Ensuring compliance with the over thirty pages of NIST guidelines for internally developed software will be challenging in itself. As it relates to third-party open-source software, which often comprises over 70 percent of the code in a software application, organizations need to ask: who is doing the work of implementing these secure development practices and how can the practices be verified?

To meet self-attestation requirements, organizations must gain a better understanding of the security practices of the open-source software they integrate into their applications. However, the open-source software supply chain is not a traditional supply chain because open-source maintainers do not typically have a business relationship with organizations using their software, which is almost always provided as an “as-is” license and without warranty.

Organizations need to look at solutions that make it possible to account for the practices of open-source components created and maintained by volunteer maintainers, many of whom have not historically had the time or incentives to ensure they implement these new rigorous practices. Organizations need to start by gaining visibility into the open-source software supply chain(s) they rely on and answering questions such as:

  • How do we attest to the security practices of open-source software that we use but that is produced and maintained by volunteer maintainers?
  • Do the volunteer maintainers have all the support they need to understand these new guidelines and practices?
  • Are they able to commit the time and effort needed to do the work of implementing the necessary guidelines and practices?
  • How can we ensure they will continue to do this work in the future?

Any Organization Utilizing Open-Source Should Watch These Policies and Regulations Closely

Even if your organization is not selling software to the U.S. government, there will likely be impacts to your work based on these new policies and regulations. Organizations in industries that the U.S. government has deemed critical infrastructure should pay especially close attention and be ready for additional cybersecurity policies and legislation that are specific to them. And any organization that stores valuable consumer or business data may be held liable if it does not take reasonable steps to protect this data from exposure as a result of unpatched security vulnerabilities. So being aware of and implementing the recommended practices found in the NIST Secure Software Development Framework will be a good first step to ensuring your organization is meeting the government standard for software cybersecurity. You’ll also want to learn more about the security practices employed by open-source maintainers whose components are part of your software supply chain.

Recommended Next Steps

As we move forward, organizations in all sectors should expect further government action designed to improve the nation’s cybersecurity defenses. In order to respond effectively to these changes and prepare for additional policies, organizations building applications using open-source software should:

  • Identify the tools and resources necessary to understand emerging government standards and policies and how they will impact your organization.
  • Proactively build a catalog of pre-vetted and approved open-source packages that meet government cybersecurity standards and set organization-wide policies and standards for open-source usage.
  • Define an organizational strategy to ensure the open-source critical to your organization is kept up to date and secure — which may involve establishing a business relationship with the open-source maintainers behind these open-source components and paying them to do this important work.

Final Thoughts on the National Cybersecurity Strategy

In the near term, complying with these new cybersecurity requirements and understanding how they impact open-source may seem like a daunting task. But we all benefit if open-source — and the applications built with it — are more resilient and secure. By being prepared in advance and building a strategy that brings together your organization’s own cybersecurity resources and the open-source maintainers behind the components you are using in your applications, you’ll be able to take full advantage of all of the innovative potential of open-source, while still keeping our organizations and our customers safe and secure.
