Top 6 Reasons DevSecOps is Now for the Federal Government
Underpinning all modern technology — software and hardware — is a supply chain. The reality, however, is that software is much easier to pollute than hardware. For federal agencies to better protect themselves and the American citizenry, they need to start shifting security practices left and playing better offense at the beginning of their digital supply chain.
1. Open Source is Powering Federal Software Development
85% of an application is comprised of free, readily available open source components.
2. Not All Open Source Components are Created Equal
Research shows that within the Java ecosystem, 1 in 10 components contains a known security vulnerability.
3. Agencies Don't Know How Much Open Source They're Using
There is a disconnect between development and security, with little transparency into the parts feeding today's software supply chains.
4. Lack of Open Source Policies Leads to Breaches
According to the DevSecOps Community Survey of 5,500 IT pros, 1 in 4 organizations confirmed or suspected an open source related breach last year.
5. Cost Emphasized Over Security Protocol
An unexpected threat comes from contractors who, with an emphasis on cost over security, inadvertently introduce vulnerabilities into the supply chain.
6. Regulations Around Software Development are Coming
Savvy contractors and agencies are prioritizing security in their development process now .
JUN 2018 NTIA launches initiative to improve software component transparency
AUG 2018 Deliver Uncompromised report published by Mitre Corporation
OCT 2018 FDA releases guidance on cybersecurity management of medical devices
DEC 2018 U.S. House Energy and Commerce Committee releases its Cybersecurity Strategy Report
MAR 2019 Internet of Things Cybersecurity Improvement Act of 2019 introduced
JAN 2020 2020 National Defense Authorization Act (NDAA) passed by U.S. Senate
The DoD releases its Cybersecurity Maturity Model Certification (CMMC)
Learn more at Sonatype.com/government