2024-03-08

The Cybersecurity and Infrastructure Security Agency announced new initiatives to help ensure the security of the open source ecosystem at a two-day Open Source Software Security Summit.

CISA said Thursday that the actions include close collaboration with package repositories to promote the adoption of the Principles for Package Repository Security framework, which details voluntary security maturity levels for package repositories.

The agency also revealed the launch of a new effort to facilitate cyber defense information sharing and voluntary collaboration with open source software infrastructure operators to improve safeguards for the open source software supply chain.

Another CISA initiative is the planned publication of materials from the summit’s tabletop exercise to make lessons learned available to the open source community, and several repositories are also working to align with the new security guidelines.

These projects include the Rust Foundation’s work to implement Public Key Infrastructure for the Crates.io package repository and the Python Software Foundation’s move to add new providers to PyPI for credential-less publishing, among others.

“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said Jen Easterly, director of CISA and a 2024 Wash100 awardee.

“As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come,” she added.
