
oss-security's Introduction

Improving the Security of the Open Source Software Ecosystem

Today, the White House Office of the National Cyber Director, in partnership with members of the Open-Source Software Security Initiative, is publishing a summary report on the Request for Information (RFI): Open-Source Software Security: Areas of Long-Term Focus and Prioritization. This builds on the commitment the Administration made in the National Cybersecurity Strategy, “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”

This report harnesses the Biden-Harris Administration’s investment in our Nation’s infrastructure and competitiveness to deliver tangible outcomes. Through the President’s signature Bipartisan Infrastructure Law, the Department of Homeland Security is using dedicated funding to launch the Open-Source Software Prevalence Initiative (OSSPI). The OSSPI is intended to further our national understanding of how open-source software components are distributed and used across critical infrastructure, allowing the Federal Government and partners in the open-source community to strengthen the security of the open-source software ecosystem.

The RFI summary report consolidates submissions received from the open-source software community and details twelve activities that members of the OS3I plan—or have completed—in 2024-2025. These activities include:

  1. Advance research and development;
  2. Secure package repositories;
  3. Partner with open-source communities;
  4. Promote further development and implementation of the use of Software Bill of Materials;
  5. Strengthen the software supply chain;
  6. Establish the first U.S. Government Open-Source Program Office;
  7. Assign vulnerability severity metrics;
  8. Increase education and training tools;
  9. Expand International Collaboration;
  10. Enhance security and replace components of legacy software;
  11. Advance public-private partnerships; and
  12. Use formal methods.

The Biden-Harris Administration remains steadfastly committed to long-term planning and collaboration with the open-source software community to achieve a more defensible and resilient digital ecosystem for all Americans.

Read the full National Cybersecurity Strategy here.

Read the full OS3I End of Year Report here.

Read the full 2023 National Cybersecurity Strategy Implementation Plan here.

Read the full 2024 National Cybersecurity Strategy Implementation Plan here.

Read the full Back to the Building Blocks Report here.

DEF CON 32 Badge Challenge

While the Federal Government has an important role to play, so do you! For DEF CON 32 we are launching a challenge to find additional open source software security “plank holders.” These are people who have committed themselves early on to supporting a secure and trustworthy open source software ecosystem.

The Challenge: find the clues needed to add yourself to the Plank Holder List, and then do it!

Once your submission is verified successfully you can come claim your badge outside the DEF CON Policy Village at the following times (while supplies last):

  • Friday, August 9th @ 12 – 1 pm
  • Saturday, August 10th @ 12 – 1 pm
  • Sunday, August 11th @ 10 – 11 am

If you need a hint, find someone wearing an ONCD badge at DEF CON 32 or keep an eye on our @ONCD page!

ONCD Badge Files

For those who don’t complete the challenge in time, or who aren’t at the conference in person (or who are just curious!), the design files used to create the badge are open source and available in whitehouse_CAD.zip. If you want an added challenge, send a #badgelife picture to @ONCD with your own modified version of this year’s badge!
