(3) Dependencies: Because
of
its modular nature, software
is
often dependent on sub-
components, (e.g., libraries, plug-ins, extensions, and other package modules) that
may introduce additional risks. This
is
particularly true for OSS, which often reuses
existing components. Software
is
higher risk, for example,
if
it relies on versions
of
sub-components that are out
of
date or have publicly known vulnerabilities.
Assessment
of
a software component should also consider security risks
of
the sub-
component dependencies, as well as any legal issues regarding the licenses
of
sub-
components. A related concern
is
the availability
of
information related to component
libraries, dependencies, and sub-components (such as a software bill-of-materials)
that can be used to evaluate such risks.
(4) Component Security: Any software project that actively works to reduce security
vulnerabilities
is
less risky. Because
of
the open development process used to develop
OSS, it can be easier to assess evidence
of
this activity ( or the lack
of
it) compared to
closed development processes. Positive indicators include the use
of
tools, both out-
of-band and in the OSS project's integration pipeline that look for security
vulnerabilities (to detect and fix issues before deployment), transparent reporting
of
security vulnerabilities, history
of
security reviews, cyber testing ( especially third-
party audits, tests, or assessments), problems-addressed, and a history
of
timely
vulnerability remediation. The NIST SSDF (reference
(k)) includes additional
guidance on component security.
(5) Component Integrity: Any software project that actively maintains cryptographically
protected integrity verification for released code, scripts, configuration files, and
associated documentation to reduce security risks ( e.g., digitally signed hashes
of
code) is less risky. Software integrity is particularly critical for OSS programs, which
because
of
the availability
of
source code, are more subject to the creation and
distribution
of
modified, possibly-untrusted versions.
(6) Influence
of
Foreign Governments: Public Law 115-232, Section 1655 (reference (I))
requires certain actions to mitigate risks posed by suppliers
of
information technology
and services who have obligations to foreign governments. OSS
is
specifically
exempt from these requirements, but program managers must be cognizant
of
the
potential for influence on OSS projects by foreign governments, and consider what
internal reviews
of
code contributions are conducted by the OSS project, and what
external reviews or audits may be necessary to counteract the potential for malicious
interference with the project.
D.
Despite widespread misperceptions that OSS
is
"free to use", most OSS is protected by
copyright, and the Government's right to use copyrighted software
is
limited by the terms
of
the software license. Government use or distribution
of
OSS must conform to the
terms
of
the OSS license, including maintaining authorship, copyright markings, and
licensing information as specified in the license terms.
E. Given the value
ofOSS
as a source
of
potential components to software development
activities, operators
of
network enclaves that support software development and
maintenance activities should ensure that access to software repositories and software
development resources are not unduly restricted. This access is particularly critical for
software developers, testers, and analysts to be effective.
5