Press Release

CISA Announces New Efforts to Help Secure Open Source Ecosystem

Underscores Collaboration with the Open Source Community

WASHINGTON – Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) concluded a two-day Open Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.

CISA Director Jen Easterly opened the summit with keynote remarks and was followed by a panel discussion with Office of National Cyber Director (ONCD) Assistant National Cyber Director for Technology Security Anjana Rajan, CISA Open Source Security Section Chief Aeva Black, and CISA Senior Technical Advisor Jack Cable. The summit also featured a tabletop exercise on open source vulnerability response and a roundtable discussion on package manager security.

During the summit, OSS community leaders, including open source foundations, package repositories, civil society, industry and federal agencies, explored approaches to help strengthen the security of the open source infrastructure we all rely upon. As part of this collaborative effort, CISA announced several initial key actions that CISA will take to help secure the open source ecosystem in partnership with the open source community:

  • CISA, as detailed below, is working closely with package repositories to foster adoption of the Principles for Package Repository Security. Developed by CISA and the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group, this framework was published recently and outlines voluntary security maturity levels for package repositories.
  • CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
  • Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open source community to improve their vulnerability and incident response capabilities.

Additionally, five of the most widely used package repositories are taking steps in line with the Principles for Package Repository Security framework:

  • The Rust Foundation is working on implementing Public Key Infrastructure for the Crates.io package repository for mirroring and binary signing and plans to issue a Request for Comment. The Rust Foundation also published a detailed threat model for Crates.io and has created tooling to identify malicious activity. Further steps are highlighted in the Rust Foundation’s Security Initiative Report.
  • The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing (“Trusted Publishing”), expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware, with the goal of increasing PyPI’s ability to respond to malware in a timely manner without consuming significant resources. Finally, the Python ecosystem is finalizing PEP 740 (“Index support for digital attestations”) to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.
  • Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization. Further work to increase security in line with the Principles for Package Repository Security framework is in progress, and a thorough security audit of existing codebases will take place this year.
  • The package repository npm requires maintainers of high-impact projects to enroll in multifactor authentication. Additionally, npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs, giving consumers of those open source packages the ability to trace and verify the provenance of dependencies.
  • Maven Central (maintained by Sonatype) is the largest open source repository for Java and JVM languages, and enforces validation and metadata requirements with clear namespaces. Since 2021, all staged repositories have automatically been scanned for vulnerabilities when published, and developers receive a report with any security issues. In 2024, Maven Central is transitioning publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementation, Trusted Publishing evaluation, and access control on namespaces. This includes Maven Central benchmarking the maturity of its security processes against best practices, which will also guide backlog prioritization.

“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”

“Open source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” says Anjana Rajan, Assistant National Cyber Director for Technology Security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”

“OpenSSF’s mission is to improve the security of open source software. Package repositories are critical infrastructure for the open source community. We thank CISA for facilitating this Open Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open source package repositories for everyone,” said Omkhar Arasaratnam, General Manager, OpenSSF.

“Securing the open source software supply chain is crucial for protecting global economic infrastructure,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “CISA is working to improve open source security, focusing on both current issues and future application development. We’re proud to contribute to this vital work, helping CISA improve the global development ecosystem and supporting its vision for the future.”

“OSI and the Open Policy Alliance commend CISA for engaging with the open source software community and appreciate the opportunity to participate in this week’s Open Source Security Summit. Including less represented, small open source non-profits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of Open Source,” said Deb Bryant, US Policy Director, Open Source Initiative.

The federal government has coordinated its efforts around open source software security through the ONCD Open Source Software Security Initiative. Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a Request for Information (RFI) on open source software security and memory safe languages, which received more than 100 substantive responses. The issuing agencies are currently reviewing responses and will publish a summary of the RFI submissions.

In 2023, CISA released its Open Source Software Security Roadmap to help secure the federal government’s use of open source software and support the global open source ecosystem. It lays out four key goals: establishing CISA’s role in supporting the security of open source software, driving visibility into open source software usage and risks, reducing risks to the federal government, and hardening the open source software ecosystem. The actions announced today from the summit represent key steps in fulfillment of the Roadmap’s goals, including Objective 1.1. Partner With OSS Communities and Objective 1.2. Encourage Collective Action From Centralized OSS Entities.

Open source community members interested in getting involved with CISA’s work can contact OpenSource@cisa.dhs.gov.

For more information, please visit: cisa.gov/OSS.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.