Government agencies and private industry need to take a more collaborative approach with the open source community to reach the goals set by the 2021 Executive Order on software supply chain security, according to a virtual panel of federal agency CISOs and other development experts based in Washington D.C.
Organizations need to embrace a shared responsibility model for working with the open source community. That would include a dedicated person or resource that would focus on security and other related issues, according to Rayvn Manuel, a senior application developer and DevOps engineer at the National Museum of African American History and Culture, a Smithsonian Institution.
Federal agencies have been very good at being consumers of open source software, but it may be time to step up as contributors, said Steven Hernandez, director and CISO of information assurance services at the U.S. Department of Education’s Office of the Chief Information Officer.
The virtual panel, sponsored by the Advanced Technology Academic Research Center, centered around recent efforts by the Biden administration to strengthen the security of the nation’s software supply chain through new guidelines for all third-party software used by federal agencies.
The White House, through the Office of Management and Budget, said software producers must self-attest the security of the software provided to federal agencies in an effort to prevent future cyberattacks like SolarWinds or widespread vulnerabilities like Log4j.
The National Security Agency and Cybersecurity and Infrastructure Security Agency previously released guidelines urging developers to take the lead in screening out security vulnerabilities and other problems at the earliest possible stages of the software lifecycle, before those problems were integrated with other applications or used by customers.
Manuel raised concerns that the pressure on the open source community to take on the responsibility to fix the software supply chain through software bills of material and other means could effectively drive the open source community out of federal agencies altogether.
“Open source is going to be pushed out very slowly,” she said. The community “will not be able to meet this very regimented standard across the board.”
By extension, the private sector could begin to withdraw from open source as it would need to meet federal requirements to qualify for government contract work.
One concern facing federal agencies when the M-22-09 memo on implementing zero trust came out from the Office of Management and Budget in January was that agencies should not move too fast into SBOMs, according to William Salamon, director of the ICAM Shared Service Division at the Office of the CISO at the U.S. General Services Administration.
“We need to be careful that we’re not getting ahead of where the [Federal Acquisition Regulatory] Council is on the various clauses and requirements for acquisitions, so that industry is ready for requirements for the government to submit SBOMs,” Salamon said.
According to the OMB memo regarding the proposed software security guidelines, the FAR Council will propose rulemaking on a uniform standard self-attestation form.
A critical step in maintaining a robust level of security is to have a high level of transparency throughout the entire lifecycle, according to Tiina Rodrigue, CISO at the Consumer Financial Protection Bureau’s Office of Technology and Innovation.
“My primary goal is to maintain transparency not only at the point of procurement if it is supplied software, but throughout the entire lifecycle,” Rodrigue said.