Feds Prioritize Open-Source Software Security Initiatives
With the first open-source office established at CMS, a White House-led open-source group aims to advance many other initiatives in 2025.

A White House working group comprising federal agencies released a series of initiatives it will tackle as part of ongoing work to secure open-source software, as the technology becomes more critical to combating growing security concerns following high-profile cyberattacks like Log4j and SolarWinds.
Some of the initiatives over the upcoming fiscal year include forging partnerships within government and globally, further developing software bills of materials (SBOMs), strengthening the supply chain and creating the government’s first open-source program office at the Centers for Medicare and Medicaid Services (CMS).
The updates came as part of an August summary report on a 2023 request for information on open-source software security put forth by the Open-Source Software Security Initiative, an interagency group comprising representatives from the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation, DARPA and the Office of Management and Budget (OMB).
National Cyber Director Harry Coker highlighted the evolving landscape around open source within the federal government in his opening remarks at DEF CON in August.
“We know that open source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts,” said Coker.
He cited how policymakers are increasingly turning to the security research community to solve cybersecurity challenges, resulting in efforts like NSA’s Cybersecurity Collaboration Center, CISA’s Joint Cyber Defense Collaborative and government’s first open-source program office.
Government’s First Open-Source Program Office
Momentum around open-source software security grew from the March 2023 National Cybersecurity Strategy and its subsequent implementation plans, followed by the Bipartisan Infrastructure Law, which provides incentives for investment in advanced cybersecurity technology.
CMS, home of the government’s first open-source program office, has long seen this coming.
“CMS has been on an open-source journey for many years. We don’t want to be reinventing the wheel,” CMS Open Source Lead Remy DeCausemaker told GovCIO Media & Research.
DeCausemaker said this journey began with the Affordable Care Act, with Department of Health and Human Services (HHS) data repositories dating back to 2011, and has included major initiatives such as the Blue Button API, Data at the Point of Care, the AB2D [API] and the beneficiary FHIR database server.
“We’ve been on our open-source journey here at CMS for well over a decade, starting in sort of the era of healthcare.gov. The sort of crown jewels of CMS’ open-source journey is on developer.cms.gov,” said DeCausemaker.
The office is currently focused on establishing and maintaining guidance, policies, practices and talent pipelines at CMS, HHS and the rest of the federal open-source community.
DeCausemaker emphasized that these programs will mature as the office learns about the unique needs across agencies.
“All of [the offices at HHS] have their own cybersecurity policies and infrastructure teams. The open-source program office serves as a bridge between the different parts of the agency,” said DeCausemaker. “We are helping to make it easier to implement and follow the guidelines that come from places like our own information security and privacy group, but also keeping an eye on things coming down from CISA.”
CISA Senior Technical Advisor Jack Cable said CISA is working on its own open-source program office, using CMS as a lighthouse. CISA also plans to create guidance for other agencies to do the same.
“We are actively working on voluntary guidance to federal agencies around establishing open-source program offices,” said Cable. “Our goal isn’t to control or regulate open-source software, but rather show up as a community member and contribute where we can with government’s resources.”