CISA releases new guidance on boosting open source software security 

The Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies released guidance Tuesday on how to boost open source software safety, security and resilience among tech vendors and critical infrastructure facilities, as open source technology has seen increased use in the past few years.

CISA’s Joint Cyber Defense Collaborative (JCDC) — including the Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Treasury Department — released the guidance aimed at senior leadership and operations personnel at operational technology (OT) vendors and critical infrastructure facilities in order to highlight best practices and considerations for the secure use of open source software.

“CISA recognizes the benefits of open source software in enabling software developers to work at an accelerated pace and fostering significant innovation and collaboration,” the agencies said in a fact sheet.

“With these benefits in mind, this planning effort complements the CISA Open Source Software Security Roadmap, which defines how CISA will work to enable the secure use and development of open source software, both within and outside of the federal government,” they added.

The CISA fact sheet outlines recommendations for improving security of open source software (OSS), including: vendor support of OSS development and maintenance; better management of vulnerabilities; strengthening patch management; improving authentication and authorization policies; and establishing common frameworks for cybersecurity and IT best practices.

Last month, CISA released an Open Source Software Security roadmap that lays out four key priorities to help secure the open source software ecosystem: establishing CISA’s role in supporting the security of open source software; driving visibility into open source software usage and risks; reducing risks to the federal government; and hardening the open source ecosystem.