In alignment with President Biden’s National Cybersecurity Strategy (NCS), the Office of the National Cyber Director has released the 2023 End of Year Report on the Open-Source Software Security Initiative (OS3I). The report outlines the work undertaken over the past year to advance the OS3I’s goals.
Open-source software plays a crucial role in various aspects of American systems, providing benefits such as lower total cost of ownership, ease of adoption, transparency, and composability. However, vulnerabilities in open-source software can have widespread impacts across different sectors, posing challenges for secure software development, vulnerability management, and disclosure practices. The decentralized and volunteer-driven nature of open-source development, combined with the prevalence of code written in memory-unsafe programming languages, contributes to critical software vulnerabilities.
In response to these challenges, the US executive branch established the OS3I in 2022, aiming to coordinate policy solutions to enhance the security of the open-source software ecosystem. In 2023, the OS3I focused on four key areas:
1. Unifying Departments and Agencies: The OS3I brought together representatives from various federal departments and agencies, industry, academia, and other stakeholders to foster alignment on open-source software security. The initiative sought feedback from public and private stakeholders to identify opportunities for improvement and engaged with academia, open-source nonprofits, and providers of core open-source infrastructure.
2. Strategic Approach for Secure Use: Recognizing the risks associated with vulnerabilities in widely used open-source software libraries, the OS3I worked on establishing a strategic approach for the secure use of open-source software. The Cybersecurity and Infrastructure Security Agency (CISA) released its Open-Source Software Security Roadmap, outlining goals to enhance the security baseline of open-source software, including that used by critical infrastructure.
3. Investing Resources: The Federal Government committed to advancing the security of the open-source software ecosystem by encouraging investment in secure software engineering methodologies, remediation of unsafe legacy code, dependency management, trust and safety, incentive and organizational structures, and education and workforce development. The National Science Foundation (NSF) released a Dear Colleague Letter (DCL) as part of its ongoing efforts to advance software and system security.
4. Engaging the Community: The OS3I focused on engaging the diverse and decentralized open-source software community. A Request for Information (RFI) on Open-Source Software Security was released to gather input from the community on key areas, such as securing open-source software foundations, sustaining open-source software communities, creating incentives, improving R&D/Innovation, and expanding international collaboration.
The OS3I received over a hundred substantive responses from various representatives in the open-source software community, indicating a broad and diverse range of perspectives. In 2024, the OS3I plans to use these submissions to determine how the Federal Government can address systemic risks and foster the long-term sustainability of open-source software communities.
In conclusion, the OS3I is committed to strengthening the open-source software ecosystem through collaboration and coordinated investment from both the public and private sectors. The focus on security not only enhances resilience but also contributes to technological innovation, growth, and competitiveness in the American economy. The report closes by emphasizing the importance of continued collaboration and investment in open-source software security for the benefit of the entire ecosystem.
You can read the full report here.