As stated in the EO, “ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software components used within any portion of a product” [1] is a central driver behind many flagship initiatives such as the SBOM. Although organizations should enforce formal baseline software supply chain security controls regardless of where and how code is developed, the risks of using open source or community-developed software are distinct. Open source projects are diverse, numerous, and use a wide range of operating models. For many of these projects, provenance, integrity, support and maintenance, and other underlying functions are not well understood or easy to discover, and they vary from one project to the next.
Open source software components are pervasive, and federal agencies should understand their suppliers’ usage of open source software components by considering the capabilities recommended below.
[1] Executive Office of the President. (2021). Executive Order 14028 on Improving the Nation's Cybersecurity. https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
[2] Broadcom and Symantec (A Division of Broadcom). (2021). Position Paper on Standards and Guidelines to Enhance Software Supply Chain Security.
[3] BlackBerry. (2021). Position Paper Secure Software Development Environment and Testing Software Code.
[4] Google. (2021). High-Confidence, Scalable Secure Development.