Press Release

CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software

Released

Fact sheet provides software security challenges and recommendations to improve security and risk management of OSS use at operational technology vendors and critical infrastructure facilities

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury published new guidance today on “Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS),” developed in collaboration with industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of our 2023 OSS planning initiative. This guidance will promote an improved understanding of and highlight best practices and considerations for the secure use of OSS in OT/ICS environments.

Critical infrastructure organizations using OT/ICS face heightened cybersecurity and safety concerns due to the potentially far-reaching impacts of incidents and associated life safety implications, particularly to connected infrastructure. Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.

This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources.

“Our JCDC planning effort brought together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks in OSS affecting OT/ICS environments and develop shared, actionable solutions. Our work to produce timely, relevant products is dependent on trusted collaboration with our partners,” said Clayton Romans, CISA Associate Director. “This guidance is another positive outcome of our partnership with the OSS community, industry and interagency partners that contributed their time and effort. We are confident that this ongoing public-private collaboration to support the OSS ecosystem will continue to grow and help further reduce risk to our nation’s critical infrastructure.”

The recommendations provided in the guidance start with the senior leadership level of an organization and cover areas such as:

  • Vendor support of OSS development and maintenance, to include participating in OSS and grant programs, partnering with existing OSS Foundations, and supporting the adoption of security tools and best practices in the software development lifecycle.
  • Manage vulnerabilities, to include reducing risk exposure by requesting no-cost cyber hygiene services and participating in vulnerability coordination by using available guidance and resources.
  • Patch management, to include promoting a unique understanding of the patch deployment process for OT/ICS environments and maintaining a comprehensive, updated asset inventory to best identify software and hardware products, as well as open source components in both IT and OT environments.
  • Improve authentication and authorization policies, to include using accounts that uniquely and verifiably identify individual users, implementing multifactor authentication, and combining secure-by-default practices with least privilege.
  • Establish a common framework, to include developing and supporting an open source program office, supporting safe and secure open source consumption practices, and maintaining a software asset inventory.

The ongoing planning and collaborative effort of the JCDC and CISA supports specific objectives in the National Cyber Strategy to scale public-private collaboration and the Office of National Cyber Director Open-Source Software Security Initiative (OS3I), and complements the CISA Open Source Software Security Roadmap to drive adoption of the most impactful security and development of OSS.

The JCDC OSS planning initiative is part of the 2023 Planning Agenda, a forward-looking effort that is bringing together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. To learn more about the JCDC, visit CISA.gov/JCDC.

All organizations are encouraged to review the Joint Fact Sheet and visit CISA’s new webpage, Securing Open Source Software in Operational Technology, for more information.

About JCDC:    

Pursuant to new authorities granted by Congress in the 2021 National Defense Authorization Acts, the Cybersecurity and Infrastructure Security Agency (CISA) established JCDC in August 2021 to transform traditional public-private partnerships into real-time private-public operational collaboration and shift the paradigm from reacting to threats and vulnerabilities to proactively planning and taking steps to mitigate them. JCDC combines the visibility, insight, and innovation of the private sector with the capabilities and authorities of the federal cyber ecosystem to collectively drive down cyber risk to the nation at scale.  

 About CISA:   

As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. Visit CISA.gov for more information or visit www.CISA.gov/shields-up for information on how to protect your networks.   

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram

###