
Request for Information on Open-Source Software Security

FR: Office of the National Cyber Director
Published August 10th, 2023
Detected March 14th, 2026

Summary

The Office of the National Cyber Director has issued a Request for Information regarding open-source software security. The agency is seeking input on long-term focus areas and prioritization for enhancing the security of open-source software. Comments are due by October 9, 2023.

What changed

The Office of the National Cyber Director (ONCD), part of the Executive Office of the President, has issued a Request for Information (RFI) to gather public input on critical areas for improving the security of open-source software (OSS). This RFI seeks to identify long-term focus areas and prioritization strategies for enhancing OSS security, reflecting a growing concern among government agencies and the private sector about vulnerabilities in widely used software components.

Organizations that rely on or contribute to open-source software, particularly technology companies and manufacturers, should review this RFI and consider submitting comments through www.regulations.gov (Docket ID ONCD-2023-0002) by the deadline of October 9, 2023. Although an RFI is non-binding, the input gathered will likely inform future policy decisions, guidance, or regulatory action on software supply chain security, and organizations that do not engage risk policies that do not reflect their operational realities.

What to do next

  1. Review the Request for Information on Open-Source Software Security.
  2. Consider submitting comments to the Office of the National Cyber Director by October 9, 2023.
  3. Assess current organizational practices related to open-source software security in light of potential future policy developments.

Source document (simplified)


Notice

Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

A Notice by the Office of the National Cyber Director on 08/10/2023


112 comments have been received at Regulations.gov.


| Docket Title | Document ID | Comments |
| --- | --- | --- |
| Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization | ONCD-2023-0002-0001 | 112 |


Docket ID: ONCD-2023-0002 (no supporting documents available)

Shorter document URL: https://www.federalregister.gov/d/2023-17239

Public Inspection: this PDF is FR Doc. 2023-17239 as it appeared on Public Inspection on 08/09/2023 at 8:45 am.

Published Document: 2023-17239 (88 FR 54315) This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Executive Office of the President
Office of the National Cyber Director
[Docket ID: ONCD-2023-0002]
RIN 0301-AA01

AGENCY:

Office of the National Cyber Director, Executive Office of the President, Cybersecurity and Infrastructure Security Agency, DHS, National Science Foundation, Defense Advanced Research Projects Agency, and Office of Management and Budget, Executive Office of the President.

ACTION:

Request for information (RFI).

SUMMARY:

The Office of the National Cyber Director (ONCD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) invite public comments on areas of long-term focus and prioritization for open-source software security.

DATES:

Comments must be received in writing by 5 p.m. ET October 9, 2023.

ADDRESSES:

Interested parties may submit comments through www.regulations.gov. For detailed instructions on submitting comments and additional information on this process, see the SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information may be sent to: OS3IRFI@ncd.eop.gov, Nasreen Djouini, telephone: 202-881-4697.

SUPPLEMENTARY INFORMATION:

As highlighted in the National Cybersecurity Strategy (https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf) and its Implementation Plan Initiative 4.2.1, the ONCD has established an Open-Source Software Security Initiative (OS3I) to champion the adoption of memory safe programming languages and open-source software security. The security and resiliency of open-source software is a national security, economic, and technology innovation imperative. Because open-source software plays a vital and ubiquitous role across the Federal Government and critical infrastructure, [1] vulnerabilities in open-source software components may cause widespread downstream detrimental effects. The Federal Government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration. In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.

In 2021, in the aftermath of the Log4Shell vulnerability, ONCD, in collaboration with the Office of Management and Budget's (OMB) Office of the Federal Chief Information Officer (OFCIO), established the Open-Source Software Security Initiative (OS3I) interagency working group with the goal of channeling government resources to foster greater open-source software security. Since then, OS3I has welcomed many other interagency partners, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), the Centers for Medicare & Medicaid Services (CMS), and Lawrence Livermore National Laboratory (LLNL), in order to identify open-source software security priorities and implement policy solutions.

Over the past year, OS3I identified several focus areas, including: (1) reducing the proliferation of memory unsafe programming languages; (2) designing implementation requirements for secure and privacy-preserving security attestations; and (3) identifying new focus areas for prioritization.

This Request for Information (RFI) aims to further the work of OS3I by identifying areas most appropriate to focus government priorities, and addressing critical questions such as:

  • How should the Federal Government contribute to driving down the most important systemic risks in open-source software?
  • How can the Federal Government help foster the long-term sustainability of open-source software communities?
  • How should open-source software security solutions be implemented from a technical and resourcing perspective?

This RFI represents a continuation of OS3I's efforts to gather input from a broad array of stakeholders.

Three-Phase RFI Approach

For this RFI, the Government intends to engage with interested parties in three phases:

Phase I—Addressing Respondent Questions About this RFI

  • If you have any questions about the context of the Government's RFI, the processes described, or the numbered topics below, you may send them to OS3IRFI@ncd.eop.gov by August 18, 2023.
  • By August 28, 2023, the Government will post responses to select questions on www.regulations.gov, as appropriate.

Phase II—Submittal of Responses to the RFI by Interested Respondents

  • By October 9, 2023, all interested respondents should submit a written RFI response, in MS Word or PDF format, focusing on questions for which they have expertise and insights for the Government (no longer than 10 pages typed, size eleven font) to OS3IRFI@ncd.eop.gov with the email subject header “Open-Source Software Security RFI Response” and your organization's name.
  • Title page, cover letter, table of contents, and appendix are not included within the 10-page limit. In the body of the email, also include contact information for your organization (POC Name, Title, Phone, Email, Organization Name, and Organization Address).

Phase III—Government Review

  • The Government reviews and publishes the RFI responses submitted during Phase II. The Government may select respondents to engage with the RFI project team to elaborate on their response to the RFI.

Participation, or lack thereof, in this RFI process has no bearing on a party's ability or option to choose to participate in or receive an award for any future solicitation or procurement resulting from this or any other activity.

Questions for Respondents

We are seeking insights and recommendations as to how the Federal Government can lead, assist, or encourage other key stakeholders to advance progress in the potential areas of focus described below.

Please consider providing input on these areas by addressing the questions below:

  • Which of the potential areas and sub-areas of focus described below should be prioritized for any potential action? Please describe specific policy solutions and the estimated budget and timeline required for implementation.
  • What areas of focus are the most time-sensitive or should be developed first?
  • What technical, policy or economic challenges must the Government consider when implementing these solutions?
  • Which of the potential areas and sub-areas of focus described below should be applied to other domains? How might your policy solutions differ?

Respondents are not required to respond to every topic and are encouraged to focus on specific areas that meet their specialized expertise.

Potential Areas of Focus

Area: Secure Open-Source Software Foundations

Sub-area: Fostering the adoption of memory safe programming languages

  • Supporting rewrites of critical open-source software components in memory safe languages
  • Addressing software, hardware, and database interdependencies when refactoring open-source software to memory safe languages
  • Developing tools to automate and accelerate the refactoring of open-source software components to memory safe languages, including code verification techniques
  • Other solutions to support this sub-area

Sub-area: Reducing entire classes of vulnerabilities at scale

  • Increasing secure by default configurations for open-source software development
  • Fostering open-source software development best practices, including but not limited to input validation practices
  • Identifying methods to incentivize scalable monitoring and verification efforts of open-source software by voluntary communities and/or public-private partnerships
  • Other solutions to support this sub-area

Sub-area: Strengthening the software supply chain

  • Designing tools to enable secure, privacy-preserving security attestations from software vendors, including their suppliers and open-source software maintainers
  • Detection and mitigation of vulnerable and malicious software development operations and behaviors
  • Incorporating automated tracking and updates of complex code dependencies
  • Incorporating zero trust architecture into the open-source software ecosystem
  • Other solutions to support this sub-area

Sub-area: Developer education

  • Integrating security and open-source software education into computer science and software development curricula
  • Training software developers on security best practices
  • Training software developers on memory safe programming languages
  • Other solutions to support this sub-area

Area: Sustaining Open-Source Software Communities and Governance

  • Sustaining the open-source software ecosystem (including developer communities, non-profit investors, and academia) to ensure that critical open-source software components have robust maintenance plans and governance structures
  • Other solutions to support this sub-area

Area: Behavioral and Economic Incentives to Secure the Open-Source Software Ecosystem

  • Frameworks and models for software developer compensation that incentivize secure software development practices
  • Applications of cybersecurity insurance and appropriately-tailored software liability as mechanisms to incentivize secure software development and operational environment practices
  • Other solutions to support this sub-area

Area: R&D/Innovation

  • Application of artificial intelligence and machine learning techniques to enhance and accelerate cybersecurity best practices with respect to secure software development
  • Other solutions to support this sub-area

Area: International Collaboration

  • Methods for identifying and harmonizing shared international priorities and dependencies
  • Structures for intergovernmental collaboration and collaboration with various open-source software communities
  • Other solutions to support this sub-area

This RFI seeks public input as the Federal Government develops its strategy and action plan to strengthen the open-source software ecosystem. We hope that potential respondents will view this RFI as a civic opportunity to help shape the government's thinking about open-source software security.

Comments must be received no later than 5:00 p.m. ET October 9, 2023.

By October 9, 2023, all interested respondents should submit a written RFI response, in MS Word or PDF format, with their answers to the questions on which they have expertise and insights for the Government through www.regulations.gov.

The written RFI response should address ONLY the topics for which the respondent has expertise. Inputs that meet most of the following criteria will be considered most valuable:

  • Easy for executives to review and understand: Content that is modularly organized and presented in such a fashion that it can be readily lifted (by topic area) and shared with relevant executive stakeholders in an easily consumable format.
  • Expert: The Government, through this effort, is seeking insights to understand current best practices and approaches applicable to the above topics, as well as new and emerging solutions. The written RFI response should address ONLY the topics for which the respondent has knowledge or expertise.
  • Clearly worded/not vague: Clear, descriptive, and concise language is appreciated. Please avoid generalities and vague statements.
  • Actionable: Please provide enough high-level detail so that we can understand how to apply the information you provide. Wherever possible, please provide credible data and specific examples to support your views. If you cite academic or other studies, they should be publicly available to be considered.
  • Cost effective & impactful: Respondents should consider whether their suggestions have a clear return on investment that can be articulated to secure funding and support.
  • “Gordian Knot” solutions and ideas: Occasionally, challenges that seem to be intractable and overwhelmingly complex can be resolved with a change in perspective that unlocks hidden opportunities and aligns stakeholder interests. We welcome these ideas as well.

All submissions are public records and may be published on www.regulations.gov. Do NOT submit sensitive, confidential, or personally identifiable information.

An additional appendix of no more than 5 pages may also be included. This section should only include additional context about you or your organization.

Privacy Act Statement

Submission of comments is voluntary. The information will be used to determine focus and priority areas for open-source software security and memory safety. Please note that all comments received in response to this notice will be posted in their entirety to http://www.regulations.gov, including any personal and business confidential information provided. Do not include any information you would not like to be made publicly available.

Kemba E. Walden,

Acting National Cyber Director.

Footnotes

1. “2023 Open-Source Security and Risk Analysis Report,” Synopsys, February 22, 2023, https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?utm_source=bing&utm_medium=cpc&utm_term=&utm_campaign=B_S_OSSRA_BMM&cmp=ps-SIG-B_S_OSSRA_BMM&msclkid=15e8216ad16511c8b01945c7b683c395

[FR Doc. 2023-17239 Filed 8-9-23; 8:45 am]

BILLING CODE 3340-D3-P


Classification

Agency
Office of the National Cyber Director (published in the Federal Register)
Published
August 10th, 2023
Compliance deadline
October 9th, 2023 (888 days ago)
Instrument
Notice
Legal weight
Non-binding
Stage
Consultation
Change scope
Substantive

Who this affects

Applies to
Technology companies Manufacturers Government agencies
Geographic scope
National (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
Compliance
Topics
Technology Public Policy
