The US Federal Government’s recent Request for Information (RFI) on Open Source Software Security (announced by the US White House) is a noteworthy development for open source software (OSS). This RFI originated from the Open-Source Software Security Initiative (OS3I) interagency working group created to improve OSS security. This blog post aims to provide a brief overview of the RFI.
Overview of the RFI
The RFI is an initiative to gather information and insights on improving OSS security. Responses are due October 9, 2023. A response does not need to address every question; it is better to comment on the areas where the respondent has expertise or concrete ideas. Respondents are also encouraged to add commentary or insight that falls outside the questions posed, since the RFI lists potential focus areas, and there may be areas significant to OSS security that the OS3I did not enumerate. Responses go to the White House Office of the National Cyber Director (ONCD) and its OS3I partners.
The RFI begins by asking broad questions, such as:
- How should the US Federal Government contribute to driving down the most important systemic risks in open source software?
- How can the US Federal Government help foster the long-term sustainability of open source software communities?
- How should OSS security solutions be implemented from a technical and resourcing perspective?
- What should be prioritized?
Potential focus areas
The RFI identifies the following as potential focus areas:
- Secure open source software foundations: e.g., fostering the adoption of memory-safe programming languages, reducing entire classes of vulnerabilities at scale, strengthening the software supply chain, and developer education
- Sustaining open source software communities and governance
- Behavioral and economic incentives to secure the open source software ecosystem
- International collaboration
Respondents can suggest other areas. For example, there has been discussion of education more broadly (not just developer education) and of improving incident response for OSS.
The RFI is intentionally open to all, and its broad scope should allow for diverse input from a range of stakeholders. We also note that the RFI overlaps with existing initiatives in the OSS community; for example, its interest in increasing the use of memory-safe languages matches work already under way.
The US Federal Government’s RFI on OSS Security is an important initiative that seeks to understand and enhance the OSS security landscape. It provides an opportunity for various stakeholders (including you!) to share insights, experiences, and recommendations. Governments worldwide depend on OSS, and we believe governments have resources and capabilities that could help make OSS security even better for everyone.
We at the Linux Foundation believe that OSS security is vital. In 2020, we and our members established the Open Source Security Foundation (OpenSSF). The OpenSSF is working to improve OSS security through a variety of measures. For example, the OpenSSF has released free educational material for developers, a variety of guides, and Sigstore (for digital signing and verification). There is always more that can be done, and we are glad the US Federal Government is interested in this important topic. The OpenSSF has already engaged with various governments to find ways to improve OSS security collaboratively. The OpenSSF plans to reply to this RFI, and we encourage you to respond as well!
Whether you are an individual developer, an organization, or someone interested in the field of open source security, the RFI offers an opportunity to engage in a meaningful dialogue about the future of OSS security.