Government unveils open-source security steps

Open-source security

The White House-led Open-Source Software Security Initiative has released a series of initiatives to secure open-source software. These initiatives aim to address growing security concerns following high-profile incidents such as the Log4j vulnerability and the SolarWinds supply-chain attack. The interagency group includes representatives from the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation, DARPA, and the Office of Management and Budget (OMB).

For the upcoming fiscal year, the initiatives include forging partnerships within government and globally, developing software bills of materials (SBOMs), strengthening the software supply chain, and creating new government roles. The Centers for Medicare and Medicaid Services (CMS) has established the first open-source program office in the federal government. National Cyber Director Harry Coker emphasized the importance of open source in the federal government, stating, “We know that open source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts.”

CMS Open Source Lead Remy DeCausemaker mentioned that the agency’s open-source journey began with the Affordable Care Act, leveraging Department of Health and Human Services data.

Government open-source security initiatives

Major initiatives include Data at the Point of Care, the AB2D API, and the beneficiary FHIR database server. The CMS open-source program office focuses on establishing and maintaining guidance, policies, practices, and talent pipelines at CMS, HHS, and the broader federal open-source community.

DeCausemaker noted that these programs will mature as they learn about the unique needs of various agencies. CISA Senior Technical Advisor Jack Cable stated that CISA is working on its own open-source program office, using CMS as a model. CISA also plans to develop guidance for other agencies.

Cable said, “We are actively working on voluntary guidance to federal agencies around establishing open-source program offices. Our goal isn’t to control or regulate open-source software, but to contribute resources as a community member.”

The federal government continues to prioritize open-source software security initiatives, recognizing that strong collaboration and consistent policies will be critical in addressing the evolving cybersecurity landscape.