CISA and the OSS Community: Partnering for a More Secure Digital Ecosystem

The Cybersecurity and Infrastructure Security Agency (CISA) hosted its Open Source Software (OSS) Security Summit in March 2024, acknowledging the critical role of the OSS community in protecting the nation’s digital infrastructure. In her keynote, CISA Director Jen Easterly highlighted the immense value generated by open source software, citing the recent Harvard Business School study that estimated its demand-side value to society at over eight trillion dollars.

Easterly praised the OSS community’s dedication to scaling open source software securely and sustainably, emphasizing that the movement’s continued success relies on their tireless efforts.

CISA’s Role in Protecting Critical Infrastructure:

CISA is the U.S.’s lead cyber defence agency, working to protect the critical infrastructure that Americans rely on every day. From water and power to healthcare and finance, CISA is dedicated to strengthening the security of the systems that keep the nation running.

The Importance of Open Source Software Security:

OSS is a key focus for CISA because it forms the backbone of much of the nation’s critical infrastructure. Since the same libraries are embedded, often as transitive dependencies, in thousands of products, a single vulnerability can have far-reaching consequences once exploited, as the Log4Shell incident (CVE-2021-44228 in Apache Log4j, December 2021) demonstrated.

The (U.S.) National Cybersecurity Strategy calls for a shift in the responsibility of cybersecurity from those least equipped to handle it to those better positioned, such as the federal government and technology companies. CISA is at the forefront of this effort, working with partners to enhance the nation’s cyber resilience and safeguard the critical infrastructure against evolving threats.

CISA’s Approach to OSS Security:

CISA states that its approach to OSS security is one of collaboration and support, not control or regulation. CISA aims to contribute resources and promote secure practices as an active community member. In line with this mission, it published its Open Source Software Security Roadmap in September 2023, outlining its plans to enable secure OSS usage within the federal government and to foster a healthy, secure global OSS ecosystem.

Key Initiatives:

  1. Principles for Package Repository Security: In collaboration with the OpenSSF, CISA published the Principles for Package Repository Security to help improve this critical component of the OSS supply chain. Package repositories play a vital role in the distribution and management of OSS, and a compromised or weakly protected repository can push malicious code to every downstream consumer at once, so securing them is essential for the overall security of the ecosystem. The principles define a maturity model (levels 0 to 3) covering authentication, authorization, general capabilities and CLI tooling, so that operators and users can see which safeguards, such as multifactor authentication for maintainers, a given repository has in place.
  2. Real-time Collaboration on Security Incidents: CISA is launching a new effort specifically for OSS community members to facilitate voluntary collaboration and sharing of cyber defence information. This initiative aims to foster real-time cooperation in responding to security incidents, taking into account the international complexities of the global OSS community, whose maintainers and users fall under many jurisdictions.
  3. Encouraging Responsible OSS Usage: CISA is calling on software manufacturers to be responsible consumers of and contributors to the OSS they use, in line with CISA’s Secure by Design principles. This means properly vetting their OSS dependencies before adopting them and giving back to the community, either through financial support or contributions of employee time, to help ensure the quality and security of the OSS they rely on.

The Power of Collaboration:

The security of OSS is at its strongest when all stakeholders—volunteer contributors, foundations, companies, and governments—work together. The OSS movement has driven tremendous innovation and connectedness, but it has also attracted bad actors seeking to exploit vulnerabilities. By committing to collaborative open source principles and prioritizing security from the outset, we can make it significantly harder for these malicious actors to succeed.

Appreciating the OSS Community’s Efforts:

CISA expressed deep appreciation for the OSS community’s ongoing efforts to improve security. From the widespread adoption of multifactor authentication for maintainer accounts and package signing, to the generation of software bills of materials (SBOMs) and the rewriting of critical libraries in memory-safe languages, these initiatives have led to tangible security improvements in software worldwide.

As our society becomes increasingly reliant on OSS, ensuring its security is a shared responsibility. By working together, we can create a more secure and resilient open source ecosystem that will continue to drive innovation and progress for years to come.
