Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

Issuing agencies

Abstract

The Office of the National Cyber Director (ONCD), the Cybersecurity Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) invite public comments on areas of long-term focus and prioritization on open-source software security.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 153 (Thursday, August 10, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 153 (Thursday, August 10, 2023)]
[Notices]
[Pages 54315-54317]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-17239]


=======================================================================
-----------------------------------------------------------------------

EXECUTIVE OFFICE OF THE PRESIDENT

Office of the National Cyber Director

[Docket ID: ONCD-2023-0002]
RIN 0301-AA01


Request for Information on Open-Source Software Security: Areas 
of Long-Term Focus and Prioritization

AGENCY: Office of the National Cyber Director, Executive Office of the 
President, Cybersecurity and Infrastructure Security Agency, DHS, 
National Science Foundation, Defense Advanced Research Projects Agency, 
and Office of Management and Budget, Executive Office of the President.

ACTION: Request for information (RFI).

-----------------------------------------------------------------------

SUMMARY: The Office of the National Cyber Director (ONCD), the 
Cybersecurity Infrastructure Security Agency (CISA), the National 
Science Foundation (NSF), the Defense Advanced Research Projects Agency 
(DARPA), and the Office of Management and Budget (OMB) invite public 
comments on areas of long-term focus and prioritization on open-source 
software security.

DATES: Comments must be received in writing by 5 p.m. ET October 9, 
2023.

ADDRESSES: Interested parties may submit comments through 
<a href="http://www.regulations.gov">www.regulations.gov</a>. For detailed instructions on submitting comments 
and additional information on this process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
may be sent to: <a href="/cdn-cgi/l/email-protection#e9a6badaa0bbafa0a9878a8dc78c8699c78e869f"><span class="__cf_email__" data-cfemail="400f137309120609002e23246e252f306e272f36">[email&#160;protected]</span></a>, Nasreen Djouini, telephone: 202-
881-4697.

SUPPLEMENTARY INFORMATION: As highlighted in the National Cybersecurity 
Strategy (<a href="https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf">https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf</a>), and its Implementation Plan 
Initiative 4.2.1, the ONCD has established an Open-Source Software 
Security Initiative (OS3I) to champion the adoption of memory safe 
programming languages and open-source software security. The security 
and resiliency of open-source software is a national security, 
economic, and a technology innovation imperative. Because open-source 
software plays a vital and ubiquitous role across the Federal 
Government and critical infrastructure,\1\ vulnerabilities in open-
source software components may cause widespread downstream detrimental 
effects. The Federal Government recognizes the immense benefits of 
open-source software, which enables software development at an 
incredible pace and fosters significant innovation and collaboration. 
In light of these factors, as well as the status of open-source 
software as a free public good, it may be appropriate to make open-
source software a national public priority to help ensure the security, 
sustainability, and health of the open-source software ecosystem.
---------------------------------------------------------------------------

    \1\ ``2023 Open-Source Security and Risk Analysis Report,'' 
Synopsys, February 22, 2023, (<a href="https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?utm_source=bing&utm_medium=cpc&utm_term=&utm_campaign=B_S_OSSRA_BMM&cmp=ps-SIG-B_S_OSSRA_BMM&msclkid=15e8216ad16511c8b01945c7b683c395">https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?utm_source=bing&utm_medium=cpc&utm_term=&utm_campaign=B_S_OSSRA_BMM&cmp=ps-SIG-B_S_OSSRA_BMM&msclkid=15e8216ad16511c8b01945c7b683c395</a>).
---------------------------------------------------------------------------

    In 2021, following the aftermath of the Log4Shell vulnerability, 
ONCD in collaboration with the Office of Management and Budget's (OMB) 
Office of the Federal Chief Information Officer (OFCIO), established 
the Open-Source Software Security Initiative (OS3I) interagency working 
group with the goal of channeling government resources to foster 
greater open-source software security. Since then, OS3I has welcomed 
many other interagency partners, including the Cybersecurity 
Infrastructure Security Agency (CISA), the National Science Foundation 
(NSF), Defense Advanced Research Projects Agency (DARPA), National 
Institute of Standards and Technology (NIST),

[[Page 54316]]

Center for Medicare & Medicaid Services (CMS), and Lawrence Livermore 
National Laboratory (LLNL) in order to identify open-source software 
security priorities and implement policy solutions.
    Over the past year, OS3I identified several focus areas, including: 
(1) reducing the proliferation of memory unsafe programming languages; 
(2) designing implementation requirements for secure and privacy-
preserving security attestations; and (3) identifying new focus areas 
for prioritization.
    This Request for Information (RFI) aims to further the work of OS3I 
by identifying areas most appropriate to focus government priorities, 
and addressing critical questions such as:
    <bullet> How should the Federal Government contribute to driving 
down the most important systemic risks in open-source software?
    <bullet> How can the Federal Government help foster the long-term 
sustainability of open-source software communities?
    <bullet> How should open-source software security solutions be 
implemented from a technical and resourcing perspective?
    This RFI represents a continuation of OS3I's efforts to gather 
input from a broad array of stakeholders.

Three-Phase RFI Approach

    For this RFI, the Government intends to engage with interested 
parties in three phases:

Phase I--Addressing Respondent Questions About this RFI

    <bullet> If you have any questions about the context of the 
Government's RFI, the processes described, or the numbered topics 
below, you may send them to <a href="/cdn-cgi/l/email-protection#85cad6b6ccd7c3ccc5ebe6e1abe0eaf5abe2eaf3"><span class="__cf_email__" data-cfemail="6b24385822392d222b05080f450e041b450c041d">[email&#160;protected]</span></a> by August 18, 2023.
    <bullet> By August 28, 2023, the Government will post responses to 
select questions on <a href="http://www.regulations.gov">www.regulations.gov</a>, as appropriate.

Phase II--Submittal of Responses to the RFI by Interested Respondents

    <bullet> By October 9, 2023, all interested respondents should 
submit a written RFI response, in MS Word or PDF format, focusing on 
questions for which they have expertise and insights for the Government 
(no longer than 10 pages typed, size eleven font) to 
<a href="/cdn-cgi/l/email-protection#531c00601a01151a133d30377d363c237d343c25"><span class="__cf_email__" data-cfemail="733c20403a21353a331d10175d161c035d141c05">[email&#160;protected]</span></a> with the email subject header ``Open-Source 
Software Security RFI Response'' and your organization's name.
    <bullet> Title page, cover letter, table of contents, and appendix 
are not included within the 10-page limit. In the body of the email, 
also include contact information for your organization (POC Name, 
Title, Phone, Email, Organization Name, and Organization Address).

Phase III--Government Review

    <bullet> The Government reviews and publishes the RFI responses 
submitted during Phase II. The Government may select respondents to 
engage with the RFI project team to elaborate on their response to the 
RFI.
    Participation, or lack thereof, in this RFI process has no bearing 
on a party's ability or option to choose to participate in or receive 
an award for any future solicitation or procurement resulting from this 
or any other activity.

Questions for Respondents

    We are seeking insights and recommendations as to how the Federal 
Government can lead, assist, or encourage other key stakeholders to 
advance progress in the potential areas of focus described below.
    Please consider providing input on these areas by addressing the 
questions below:
    <bullet> Which of the potential areas and sub-areas of focus 
described below should be prioritized for any potential action? Please 
describe specific policy solutions and estimated budget and timeline 
required for implementation.
    <bullet> What areas of focus are the most time-sensitive or should 
be developed first?
    <bullet> What technical, policy or economic challenges must the 
Government consider when implementing these solutions?
    <bullet> Which of the potential areas and sub-areas of focus 
described below should be applied to other domains? How might your 
policy solutions differ?
    Respondents are not required to respond to every topic and are 
encouraged to focus on specific areas that meet their specialized 
expertise.

Potential Areas of Focus

<bullet> Area: Secure Open-Source Software Foundations
[cir] Sub-area: Fostering the adoption of memory safe programming 
languages
    <bullet> Supporting rewrites of critical open-source software 
components in memory safe languages
    <bullet> Addressing software, hardware, and database 
interdependencies when refactoring open-source software to memory safe 
languages
    <bullet> Developing tools to automate and accelerate the 
refactoring of open-source software components to memory safe 
languages, including code verification techniques
    <bullet> Other solutions to support this sub-area
[cir] Sub-Area: Reducing entire classes of vulnerabilities at scale
    <bullet> Increasing secure by default configurations for open-
source software development
    <bullet> Fostering open-source software development best practices, 
including but not limited to input validation practices
    <bullet> Identifying methods to incentivize scalable monitoring and 
verification efforts of open-source software by voluntary communities 
and/or public-private partnerships
    <bullet> Other solutions to support this sub-area
[cir] Sub-Area: Strengthening the software supply chain
    <bullet> Designing tools to enable secure, privacy-preserving 
security attestations from software vendors, including their suppliers 
and open-source software maintainers
    <bullet> Detection and mitigation of vulnerable and malicious 
software development operations and behaviors
    <bullet> Incorporating automated tracking and updates of complex 
code dependencies
    <bullet> Incorporating zero trust architecture into the open-source 
software ecosystem
    <bullet> Other solutions to support this sub-area
[cir] Sub-Area: Developer education
    <bullet> Integrating security and open-source software education 
into computer science and software development curricula
    <bullet> Training software developers on security best practices
    <bullet> Training software developers on memory safe programming 
languages
    <bullet> Other solutions to support this sub-area
<bullet> Area: Sustaining Open-Source Software Communities and 
Governance
[cir] Sustaining the open-source software ecosystem (including 
developer communities, non-profit investors, and academia) to ensure 
that critical open-source software components have robust maintenance 
plans and governance structures
[cir] Other solutions to support this sub-area
<bullet> Area: Behavioral and Economic Incentives to Secure the Open-
Source Software cosystem
[cir] Frameworks and models for software developer compensation that 
incentivize secure software development practices
[cir] Applications of cybersecurity insurance and appropriately-
tailored software liability as mechanisms to incentivize secure 
software development and operational environment practices
[cir] Other solutions to support this sub-area

[[Page 54317]]

<bullet> Area: R&D/Innovation
[cir] Application of artificial intelligence and machine learning 
techniques to enhance and accelerate cybersecurity best practices with 
respect to secure software development
[cir] Other solutions to support this sub-area
<bullet> Area: International Collaboration
[cir] Methods for identifying and harmonizing shared international 
priorities and dependencies
[cir] Structures for intergovernmental collaboration and collaboration 
with various open-source software communities
[cir] Other solutions to support this sub-area

    This RFI seeks public input as the Federal Government develops its 
strategy and action plan to strengthen the open-source software 
ecosystem. We hope that potential respondents will view this RFI as a 
civic opportunity to help shape the government's thinking about open-
source software security.
    Comments must be received no later than 5:00 p.m. ET October 9, 
2023.
    By October 9, 2023, all interested respondents should submit a 
written RFI response, in MS Word or PDF format, with their answers to 
questions on which they have expertise and insights for the Government 
through <a href="http://www.regulations.gov">www.regulations.gov</a>.
    The written RFI response should address ONLY the topics for which 
the respondent has expertise. Inputs that meet most of the following 
criteria will be considered most valuable:
    <bullet> Easy for executives to review and understand: Content that 
is modularly organized and presented in such a fashion that it can be 
readily lifted (by topic area) and shared with relevant executive 
stakeholders in an easily consumable format.
    <bullet> Expert: The Government, through this effort, is seeking 
insights to understand current best practices and approaches applicable 
to the above topics, as well as new and emerging solutions. The written 
RFI response should address ONLY the topics for which the respondent 
has knowledge or expertise.
    <bullet> Clearly worded/not vague: Clear, descriptive, and concise 
language is appreciated. Please avoid generalities and vague 
statements.
    <bullet> Actionable: Please provide enough high-level detail so 
that we can understand how to apply the information you provide. 
Wherever possible, please provide credible data and specific examples 
to support your views. If you cite academic or other studies, they 
should be publicly available to be considered.
    <bullet> Cost effective & impactful: Respondents should consider 
whether their suggestions have a clear return on investment that can be 
articulated to secure funding and support.
    <bullet> ``Gordian Knot'' solutions and ideas: Occasionally, 
challenges that seem to be intractable and overwhelmingly complex can 
be resolved with a change in perspective that unlocks hidden 
opportunities and aligns stakeholder interests. We welcome these ideas 
as well.
    <bullet> All submissions are public records and may be published on 
<a href="http://www.regulations.gov">www.regulations.gov</a>. Do NOT submit sensitive, confidential, or 
personally identifiable information.
    An additional appendix of no more than 5 pages long may also be 
included. This section should only include additional context about you 
or your organization.

Privacy Act Statement

    Submission of comments is voluntary. The information will be used 
to determine focus and priority areas for open-source software security 
and memory-safety. Please note that all comments received in response 
to this notice will be posted in their entirety to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, including any personal and business confidential 
information provided. Do not include any information you would not like 
to be made publicly available.

Kemba E. Walden,
Acting National Cyber Director.
[FR Doc. 2023-17239 Filed 8-9-23; 8:45 am]
BILLING CODE 3340-D3-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>