MITRE’s Response to EOP RFI on Open-Source Software Security

What’s the issue? As highlighted in the National Cybersecurity Strategy, the Office of the National Cyber Director has established an Open-Source Software Security Initiative to champion the adoption of memory safe programming languages and open-source software security. They issued this RFI to help identify areas most appropriate to focus government priorities.

What did we do? The Center for Data-Driven Policy led a cross-MITRE analysis of the RFI’s posed questions, seeking to uncover data and evidence (from our work in the public interest) that would help the White House understand opportunities and develop plans that are evidence-based, actionable, and effective.

What did we find? In this response, MITRE distinguishes between two broad categories of open-source software: Free and Open-Source Software (FOSS) and Open-Source Software (OSS). They are often managed in different ways and need to be considered differently in future government activities. We then recommended the following four priorities:

• Strengthening the Software Supply Chain
• Defending FOSS Maintainers from Undue Assignment of Liability
• Incentives for Commercial Producers of Software that Embed OSS Components
• Supporting a Transition of Critical FOSS to Memory Safe Languages