
20.500.12592/8kprx5t

Securing the Open Source Software Ecosystem: End of Year Report Open Source Software Security Initiative OS3I

17 Jan 2024

Since the discovery of the Log4Shell vulnerability in 2021, the Biden-Harris Administration has fortified its commitment to secure the open-source software ecosystem. In March 2023, the Biden-Harris Administration released the National Cybersecurity Strategy (NCS), which stated, “in partnership with the private sector and the open-source software community, the Federal Government will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.” This commitment laid the foundation for the Office of the National Cyber Director (ONCD) to foster improved security in open-source software development practices through the 2023 NCS Implementation Plan Initiative 4.1.2, “Promote open-source software security and the adoption of memory-safe programming languages.” The NCS Implementation Plan expands and matures the role of the Open-Source Software Security Initiative (OS3I). The OS3I convenes Federal agencies and considers input from the open-source software community, civil society, and private sector stakeholders across the open-source software landscape to deliver policy solutions to secure and defend the open-source software ecosystem. This End of Year Report is a product of the OS3I Working Group. The Report begins by providing background on the significance of open-source software, its ecosystem, and inherent challenges. Next, the report recaps the progress made by the OS3I on key 2023 deliverables in each of the aforementioned key areas. The report concludes with prospects for OS3I work in 2024.
security cybersecurity software

Authors

OS3I Working Group

Published in
United States of America
