This week the Cybersecurity and Infrastructure Security Agency (CISA) held a two day summit with open source software (OSS) leaders, intending to continue its work advancing security of OSS. 

Over the course of the Open Source Software (OSS) Security Summit, CISA laid out three key actions that it will be taking.

First, it will work with open source maintainers to get them to adopt the Principles for Package Repository Security, which is a framework that outlines maturity levels for package repositories that was developed jointly by CISA and the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group. 

Several open source organizations have already agreed to use the framework for at least some of their projects, including the Rust Foundation, Python Software Foundation, Packagist and Composer, npm, and Maven Central. 

“OpenSSF’s mission is to improve the security of open source software. Package repositories are critical infrastructure for the open source community. We thank CISA for facilitating this Open Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open source package repositories for everyone,” said Omkhar Arasaratnam, general manager of OpenSSF.

Second, CISA is launching a new initiative that will enable better information sharing of cyber defense information with open source maintainers.

Third, it will be publishing the materials from a tabletop exercise that was performed at the summit. This will allow any open-source maintainer to use those materials and lessons learned to improve their security. 

The Open Source Software (OSS) Security Summit continues CISA’s ongoing efforts to secure the open source supply chain, such as the roadmap for open source security it released last fall.  

CISA Director Jen Easterly added: “Open Source Software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”