Well, hi everybody. Thank you so much for joining us. This is the very first Open GovCon, and what we're trying to do with this event is to make it a series of sessions like this that brings together open-source contributors, folks that leverage open-source software, and technical leadership in both the public sector and the private sector, with the idea that we all need to band together to build safer, more secure, more reliable digital infrastructure, and to acknowledge that digital infrastructure impacts every citizen globally in their everyday lives. I mean, it's amazing how much software is something that is required in our daily lives. We interact with it when we go to work. We rely on its safety when we interact with elevators, subway cars, etc. We file our taxes with it. We communicate with it; the internet runs off of it. And so it's critical, again, that we band together as a community as a way to do better and help each other to build a safer, more secure world.

So to kick us off, we have two fantastic speakers. I'll let them introduce themselves and just give the top level, but Rob is from the DoD CIO team. He has just an amazing background, tons of software experience inside of the DoD, helping to deliver some of its challenging systems in very challenging situations with excellence. He's helped the DoD think about what it means to have software-intensive programs be the norm, and how to move from buying these monolithic applications into this new way of technology, which is smaller but more frequent updates. And a similar thing from the CISA side: just, you know, a fantastic background, again, lots of background on the software transparency side. And with that, we're just going to kind of hear a pretty interesting [unclear] on how we're talking about digital infrastructure in 2023. So I'll turn it over to... Can everybody hear me okay? Great, great.

First of all, I'm Justin Murphy.
I work for the Department of Homeland Security; my agency is CISA, the Cybersecurity and Infrastructure Security Agency. I work for the C in CISA, the cybersecurity part, the Cybersecurity Division, specifically for the Vulnerability Management Disclosure Branch. Since I've been at CISA we are perpetually realigning, so soon it will be called something different. So at the next conference where we speak it'll be something different, but anyway. I work with Dr. Allan Friedman, who you may be familiar with, who you may even have been expecting to be here instead of me. Sorry, you're stuck with me, but Allan sends his best. But I work on the CISA SBOM team: SBOM, VEX, technology assurance related projects, things like that. And yeah, transparency is something that we are passionate about, emphatic about, and that is really driving the way that we think about open-source software, and why we are here today and wanted to be a part of Open GovCon.

So, you know, one thing that we really want to hit on, and I hope hopefully you all agree with me, is that when we look at open-source software from the supply chain perspective, we have to think of it a little bit differently than we might think about it traditionally in industry, especially when you look at it from sort of the manufacturing perspective. It can be challenging, intimidating. We like to call it a challenge or an opportunity. And just because that is the case, just because it's a difficult problem, it may be difficult for us to kind of wrap our brain around, that does not mean that we, especially the U.S. Government and we at CISA, should not and could not do something about it.

So what is our U.S. Government standpoint on open-source software? We believe that it is a huge part of our critical infrastructure. It's a huge part of our public infrastructure.
The U.S. Government, as part of that, acknowledges and believes that open-source software is part of that public infrastructure, and we are committed, from a policy perspective and from a technical reality or technical necessity perspective, to the effort around securing our open-source software supply chain. So hopefully, for everyone at this point, we accept that there's no going back. There's no going back; that is not an option. There's no going back on using open-source software. Similar to the private sector, the federal government, and also, you know, down to the SLTT level, we are highly, highly dependent on open-source software. And so it's part of the foundation of our critical infrastructure, supporting every single critical infrastructure sector and every national critical function. Open-source software is a big part of that.

So where does CISA play a part in this? And we believe our U.S. Government partners play a part in this, as we are committed to helping harden the open-source software ecosystem. CISA's mission, if you're not familiar: part of that mission is understanding, managing, and reducing risks to the federal government, but also to our national critical infrastructure as well. And so we have to take steps. We have to take steps to better understand and protect the open-source software that we are so reliant upon, highly, highly reliant upon. We recognize the inherent, what I believe to be the inherent, public-good nature of open-source software, and that any efforts to secure the broader open-source software ecosystem are only going to help us all. You know, sure, there's some disguised self-interest in that.
We'll acknowledge that. You know, that's going to help the federal government and our critical infrastructure. But if you haven't been paying attention, I'm sure you all are familiar with the National Cybersecurity Strategy that was released in March. CISA is aligned with that strategy, which, in part of its strategic objectives, does call out that we are to collaborate with not only the private sector but also the open-source software community. CISA is committed to doing that. It's something we're already doing, but it's something that we are putting a lot of attention, energy, and focus on moving forward as well.

CISA recognizes the benefits of open-source software. It enables software development to happen at an incredible pace. It fosters significant innovation and collaboration efforts. But what we also realize is we have to enable the secure usage and development of that open-source software, both within and outside the federal government.

I'd mentioned earlier there are challenges, but we'd like to refer to them as challenges and opportunities, and there are some unique ones that come with open-source software. We believe a big part of that is just mindset, you know, changing our mindset. I mentioned at the beginning we have to think differently when we look at the supply chain from an open-source perspective. I think a huge difference, a key difference, is the lack of a traditional customer-supplier model. For the most part, the people writing and maintaining these open-source projects are not suppliers in the traditional sense, right?
There's not a business relationship that comes from that with the organizations who are using the software. The people who are maintaining these, in many cases, are volunteers. They're writing the code and putting in the effort, and they put it online under licenses, and while they are putting it online for people to use, there's not really an exchange; there's not really anything that they're getting from that in most cases. So one thing that we have to think about moving forward, and we are not the only ones who are thinking about this, is how do we go about incentivizing the maintainers of these projects to implement secure usage and deployment and development? That's a challenging opportunity that we're excited about, and we think, as the U.S. Government, it's our responsibility to look into that, because that's an area where we can effect change.

Open-source software, you know, as a public good, is supported by diverse and wide-ranging communities. We try to involve those communities in a lot of the work that we're doing, but one thing that we also think needs to happen is we need to go in the other direction as well. We need to be involved in that community, you know, if you want to say, for lack of a better term, as a stakeholder, and integrate ourselves within that. So we believe CISA and the rest of the U.S. Government need to integrate with and support these communities, particularly focusing on the critical open-source software components which the federal government uses, and I'll say a little bit more about that in a minute.

So, as it stands, CISA up to this point has engaged in a lot of various areas that implicate open-source software. One of those is SBOM, as mentioned. I'm part of the SBOM team: software bill of materials. I'm hoping you're all familiar with that; if not, come talk to me.
Let me talk to you. There are, I think, like 12 different talks that involve at least subtly some SBOM topics here, and I'll be trying to be at all of them. And also we helped to coordinate... I mentioned I'm with the Vulnerability Management Disclosure Branch. If you saw the CISA GitHub repository, I was one of the maintainers of that. Please be forgiving if it helped you; please come talk to me if it didn't. Don't hold your criticism to yourself, please. But SBOM, you know, that's sort of where I fall and where most of my day-to-day work falls.

You know, we built SBOM to be something that can be provided by a lot of different approaches, and anyone can really write an SBOM. Has anybody heard of SOS, sos.io? Check it out. This is proof of that: SOS can scan software projects down their dependency graphs and their transitive dependencies and create SBOMs within seconds. And so this proves that anybody can provide SBOMs, and we built it to be like that, for private sector organizations but also for the federal government, obviously. If you want to track your open source usage, we believe SBOM is absolutely critical, the first step to that, because you can't make decisions without data.

So those are some of the efforts that are ongoing and still going on; I'd love to talk to you more about that. What is coming next, or what is out there, and kind of what we have our eyes on from a tooling and collaboration mindset? What we have our eyes on, and we're really excited about, is SLSA, if you're familiar with SLSA. GUAC is new and interesting; we have our eyes on that. We're excited about VEX, Vulnerability Exploitability eXchange; we have equities in that. We actually facilitate the VEX working group, which meets Monday mornings at 10 a.m. Eastern time. All are welcome.
Please join us every week. If you go to cisa.gov/sbom, you can see the newly released minimum requirements for VEX that we put out last month. We think it's important to recognize VEX as something separate from SBOM but complementary to SBOM. But in the open source space, VEX, I think, from what we're hearing from a lot of people we're talking to, especially in the cloud provider space, in the SaaS space, VEX is really important. We believe transparency is the key, and VEX can be written by anyone, just like, as I mentioned, SBOMs. It's just a matter, I think, of trust relationships: whether you can trust who they come from. And we believe that lends itself well to the open source infrastructure.

We have our working groups. We have five total working groups: we have a VEX working group and we have four SBOM working groups. If you are not aware of these working groups and would like to get involved, please talk to me afterwards. You can also email sbom@cisa.dhs.gov.

What is next for CISA and open source software? A lot of things. How am I doing on time, by the way? Great. Great. Okay. What are some of those other things that we have going on and that we're excited about? We are doing some meaningful work around software identity. This is not a new problem; it is an old problem. Sorry.
It's not a new problem; it's something that has been around for a very, very long time. Allan and myself, actually, if you were at the Open Source Summit Europe, I gave a talk about software identity and how we were kind of beginning to think about it. We've evolved, hopefully, since then, because that was last September. And some of my other colleagues have given talks. If you're in the OT space or have any eyes on that, my colleague Lindsey Cerkovnik gave a talk at S4 about software identity. So it's something we're starting to talk about publicly. There are other groups who are doing that too, and some other working groups that are working on it. And we are prioritizing that and focusing on that, because if SBOM is going to work, if VEX is going to work, software identity is something we're going to have to find a solution for. And we're going to need your help, we're going to need everybody's help, to figure out what solution works best for all of us, because our emphasis, and what we prioritize, is interoperable solutions: not just a solution, but the idea of the possibility of multiple solutions, as long as they're interoperable and working together. We try to avoid giving too many stamps of approval, because we don't feel like that's our role, or there's not too much of an incentive for us to do that, or it doesn't help the community if we do that.

Also in the open source world, we are going to be looking at possibly releasing a public strategy, sort of a unified public strategy. As of yet,
we don't have that out there, but we think that that could be helpful. It's sort of seeding some things, seeding some conversations from working groups and helping drive change. And one other thing that we want to acknowledge is some of the amazing efforts that are being done to document open source projects, which we've been paying attention to. I don't know if you're familiar with the open source census, the work from Frank Nagle. And from a critical infrastructure, government, national security perspective, we are trying to understand: what are the unique risks that rise to the critical infrastructure level for us? Things like, if you're familiar with the KEV, the Known Exploited Vulnerabilities database, we've seen things like that. We released a critical software list. We're looking at whether something like that would be helpful in the open source space as well, and/or whether some of those things have already been helpful in the open source space. So those are some of the other things that we're looking at.

In summary, and then I'll turn it over to my friend from DoD over here: transparency is key. We truly, truly believe that and we're emphatic about that, and building things off of models of transparency is only going to help us all. Open source software, like I said, it's different.
We have to look at it differently and from fresh perspectives, especially since there is the lack of that traditional customer-supplier model that I mentioned. Open source software is part of our public infrastructure and our critical infrastructure, and we have to work to secure it because we're so highly dependent upon it, not only in the federal space but also in the private sector space. We at CISA recognize that we need to integrate ourselves more into supporting these communities, the open source community, and we have a lot of exciting stuff going on that we invite any and all to participate in, whether you find yourself in the federal space, the open source space, the private sector, all of the above. We have our working groups. We also try to make ourselves as accessible as possible: myself, Allan, the rest of our SBOM team. So we'd love to hear from you. We love to be challenged. We love to be proven wrong. We thrive under constructive criticism, as long as it's somewhat polite. But thank you very much. Glad to be here today. I'll be here all week through Friday. Please find me; I'll be walking around and would love to talk to you.

Okay. Okay, yeah, thanks, Justin, and thanks for all the work that CISA's been doing in this space.

So, Rob Vietmeyer, DoD Chief Software Officer. I'll stand over here. First, let me say thanks to the open source community. Thanks to the Linux Foundation. Thanks to Kyle for pulling this together. I mean, I think this sense of how we're going to pull together the government, the open source community, industry, and academia to move forward, I'm really excited about kicking this off here today, and the next steps. So I have loved the open source community. I love the sense of collaboration that it has entailed.
I love the capabilities that it continues to deliver and lead. I'm always amazed at the amount of effort that people will donate, oftentimes without recognition, without financial benefit, to keep moving the space forward. So thanks. Thanks to everyone that's participating in helping us move. We are definitely in a software-defined world, thanks in large part to the efforts of this community. We are now facing this next set of challenges as we move forward with how we get better at security and the supply chain sorts of attacks, as these design patterns, we'll say. But let me, yeah, thank you for all the late hours, you know, the Red Bull-fueled late nights. For me it was Diet Cherry Coke, but I know how that works, you know, trying to solve those logic puzzles, trying to figure out where did I miss a semicolon, all the hassles and fun that come along with delivering software. So I really appreciate all the work, and look at what's happened now. I think the quote this morning was that, looking at the systems, almost 98 percent of them are built on open source across the globe, and there was argument that that seems low, right, which I agree with. And I don't think many people realize how much open source is actually driving this next revolution.

Sorry for the uniform; old habits die hard. I did put on my Elastic socks, though, so I have Elastic socks on, just a little symbol. Next time I will wear a t-shirt and hoodie and fit in better, but it's a comfort factor; you get used to this in the DC area.

Let's see. So let's talk about the Department of Defense for a little bit. So we are, you know, a micro, a large system that represents, I think, a lot of the conversation we heard at the sessions this morning: like, how do we go from where we are now to where we know we need to be?
In DoD, we have, I would argue, probably the most complex set of systems in an IT landscape that one can imagine, because every technology ever invented is still operational today. Maybe not every. So there was a report from a few years ago, a GAO audit, that pinged us for running nuclear command and control on a system that was backed up on eight-inch floppies. We have now replaced that, I'm happy to report. So we are no longer using, as near as I can tell, eight-inch floppies, except on the Minuteman missile side. Okay, so Minuteman, yeah, we have a little bit more work to do, I guess. But yeah, any COBOL or Ada programmers? Yeah, we have jobs for you still.

But what's been interesting is watching this transition in the department as senior leadership is starting to realize the value of software, mainly from a mission capability perspective: that we are a software-defined world, we are a software-defined military, and increasingly our mission capabilities, our mission success, are dependent upon how well we deliver, maintain, and update software.
We've seen this in past conflicts, where we were using our traditional waterfall deployment models to push updates into the field, and we found our adversaries were able to change tactics and techniques faster than we could implement software. And so we were falling behind from an OODA loop perspective. And so that realization was kind of one of the real first driving points that we need to do software differently; we need to do it better. It started this evolution, this journey we're on in the department that we refer to as DevSecOps and software modernization.

Where are we on that journey right now? So we have a handful of programs that have been on the cutting edge, and from the CIO perspective we have been trying to remove the policy roadblocks, the process roadblocks, to enable those programs to be successful, but also looking at how we then extend for those fast followers. How do we start to make this the default rather than the exception? And we are early in that journey. I think if you look at our software factories, we're up over 50 to 60 of those that we're tracking now. I encourage the group to come back; we have sessions later on the software factory ecosystem, and here in the audience we have our Air Force Platform One team, which has been a real leader in that effort. So we're trying to build off of those efforts. We're trying to bring along the next set. We've been working on how we start to optimize the non-recurring engineering side of that. So most of the factories are built on open source tools in the CI/CD pipeline. We are trying to make those available through efforts like Platform One's Iron Bank. We've standardized how we secure containers from an across-DoD perspective.
We still have a little more work to get all of the AOs, authorizing officials, the CISOs, understanding what it means to have a container in Kubernetes and how to secure it. So stand by; that's my next challenge, to bring along those stakeholders and say, hey, listen, we are doing great work as a community securing these individual components, using infrastructure as code to give you a fast stand-up of capabilities, to focus our cybersecurity efforts on continual improvement on how we lock down and improve these pipeline capabilities, the automation. This is something that will never be done.

And what's interesting is this transition in the department, where we've previously focused almost all of our security on production operations. And we had all these rules that said, like, well, you know, production is in its own silo, and then, you know, dev and test, and you have to build these walls between them. And we're finding that what we did was we focused here, and we sort of paid no attention to the development side of things, the testing side of things; that was someone else's problem. We're going to secure everything here. So where are we seeing the attacks, right? So now, the quote this morning was a 768 percent increase in the number of supply chain attacks. Every time I hear that number it's increasing, right, in terms of the percentage, which we can expect, because that's where our adversaries are going after, right? They realize that we are soft and vulnerable in a lot of the supply chain, because it was always this dark art of the software developers, right? And folks never understood it. And so, yeah, someone else go off and do that piece of it; we will check it before it goes into production, and that's where we'll focus, and then we'll try to secure it in production. That process no longer works, right?
And so we're on this journey. And so with CISA and the executive orders and the OMB guidance that folks are probably aware of, looking at SBOMs, the Secure Software Development Framework from NIST; on the DoD side, we published all our guidance on DevSecOps, which actually builds in and maps to SSDF. It was there before SSDF, but it's a little more prescriptive: here's what you need to be doing in your CI/CD pipelines. We are just coming out with some new guidance now, where we've started to pull in more of the other executive agents responsible in the department. So we've coordinated with our test and evaluation community, so that all of the test guidance that comes out of that is now fully baked into our guidance. We're continuing to work the cybersecurity, but it's a community effort, right?

So what we're seeing right now is we're being attacked where we're most vulnerable, and they're relatively simple: typosquatting types of attacks on general repos, simple attacks on build libraries, attacking us because we don't necessarily have strong identity and credential management and privilege management within our pipelines. We, and our suppliers, can be relatively weak on that side of things. More advanced attacks, pipeline poisoning and other things, are starting to evolve at an increasing rate, so we now need to have a level of sophistication to combat those attacks. We're starting to see our adversaries use AI to find and optimize their attack patterns against the supply chain. We are not seeing as much, though it's evolving now, of our own teams using AI to figure out where they're vulnerable, where they should start to optimize in terms of addressing
potential attacks within the CI pipeline, or even within the code itself, so using some of the emerging AI capabilities to take a look at software, give recommendations, and look at potential vulnerabilities or bugs in that software. That's emerging. We still have to deal with all the problems with AI, with its hallucinations and some biases that get built into it, and, you know, some of these non-deterministic patterns. We're going to have to deal with that, but our adversaries are adapting these tools and tactics very, very quickly, and so we're going to have to be just as aggressive in how we're maturing.

I really appreciate the discussions this morning that the Linux Foundation is investing into how we get better at securing our software, the open source community. I really appreciate the work that David Wheeler has been doing as the secure software development pipeline lead for the Linux Foundation. We're trying to build off those same things. So as we're moving forward as a community, you know, incorporating SBOMs, which, you know, let's start there. It should be the easy part: here's a list of ingredients, right? Here's what's in your software. I think the bigger challenge is now getting into: how was that software developed? Was it developed in a secure way? I'm excited about the progress we're making as a community. I'm excited about the information sharing that's happening with our vendors, with the open source community, with the department. We need to continue to build on that and accelerate, but I think we're making progress.

Yep, that's excellent.
Yeah, thank you so much. So, amazing. A few things that I took away from this: one, it's really encouraging to hear how the US isn't focused on just defending US assets, taking the lessons learned and only talking about it behind closed doors, but instead you heard about, you know, GitHub resources, you've heard about working groups that are trying to engage with industry. And I think as this community grows, we just need to lean into that even more. So thank you to you both, and then with the time we have left, let's just go ahead and, you know, open it up for questions. That's a camera.

Katie from Platform One here. So you mentioned that we don't have a typical supplier-customer relationship with most of the open source community, but we're obviously a stakeholder. We've got a vested interest in these products being good, them being secure, them being frequently updated, and their libraries, their dependencies, being updated, and things like that. How do you see us incentivizing the open source maintainers, and DoD program offices, and everyone in between? How do we incentivize the right behaviors there, if it's not by being a paid customer with a contract to hold someone to?

Yeah. Okay. So I think that's an ongoing effort that we need to work on. I think that the White House did a great job of publishing the executive order saying we need to move the department forward with SBOMs and secure software development. I think NIST and CISA are working on the standards, both for what these processes look like as well as the standards for how we collect everything from SBOMs to attestations for SSDF, right? So we're looking at the best practices side of things, the guidance in terms of requirements. We are working with the FAR Council on how we build this into contractual language.
So even if it's an open source delivery, as well as proprietary software, it will have the same requirements that these artifacts need to be delivered. And you saw, you know, that's having an impact already. So you see the Linux Foundation and others responding on here's how we're going to make this standard practice within the community. I get it's hard, right? So it's a lot of effort. We've got to turn software developers into starting to think also like cybersecurity folks, and vice versa, and figure out how we pull that together. I'm excited about some of the new education and training.

A couple of things we are also looking at in the department, and I'd love to have the conversation on how we could do more. So we are looking at, for things like small businesses: we've had a large concern with small businesses being unable to protect CUI data for the department, and so we're looking at how we make investments to provide services to enable a small business to be able to protect CUI. I'm pulling a thread within the department to see not only that, but how can we stand up secure pipelines? So the small business is not just protecting, but we also want small businesses and others to be able to deliver secure software. So how can we support them with secure pipelines that meet the SSDF requirements? What would that look like? So nothing official yet, but we are trying to pull those threads. If you look at the federal cybersecurity strategy, right, it made a call to action for government and large businesses to work together to solve this, to then help pick up a bigger share of bringing along the community, open source developers, the small businesses. How do we continue to drive innovation? It wasn't prescriptive in here are the actions we're going to take, and so we're trying to pull the threads on what is the most valuable.
So moving beyond best practices and standards to, like, how do we actually enable this? We get that running a secure CI/CD pipeline is a really expensive proposition and takes a lot of expertise today. We need to make that much simpler, and continue to incorporate more and more advanced cybersecurity tools and techniques into those pipelines, and into our production systems as well. I don't know the exact form or factor, but we are trying to pull on some of those ideas. So if folks have ideas, come see me. We'll see if we can't make it a reality; then come back and talk about it here next year.

Can I speak on that? Yeah, please.

Yeah, so I think for us, I mentioned transparency is key, and we can say that, but we have to demonstrate that as well and abide by that. You know, I think in some cases maybe there are times where it's necessary to be a little bit withholding and operate under some sort of a black box model, but in my experience that doesn't necessarily work as well, and it doesn't benefit the broader ecosystem and the community as a whole. So we are trying to drive change within ourselves, not just asking for, you know, the open source community to come to us, but we need to meet them where they are as well, and integrate ourselves into the open source community. We do a great job of inviting people to join in on our working groups. We're trying to also be involved with some of the working groups going on out there, so the OpenSSF, and the SBOM Everywhere group. I don't know if anybody is familiar with that group; that's a group that we started to join, and we're looking at some of those other efforts going on.

Where are some other things that government can actually drive change and help? Policy is a big part of that.
So how do we drive change in our own policies, and in wider policy that's going to be adopted by industry? One of those is, so, like CISA, how can we look at changing our policies so that some of the tools that we're building, we make those available in an open source way? How do we look into having our developers be contributors and help in maintaining open source repositories, the other way around, instead of just using them and saying thanks, and when it doesn't work, we get upset with you? How can we actually help from that standpoint? So there are policy changes and things like that that we can look at and drive change there.

Funding: if you are building tools, and I guess that's not necessarily part of the open source model, the idea of getting money for it, thank you, but is that something that we can look at? And if you're using particular open source projects more than others, how can you build that into your cyber security funding for the year?

Also, I think the way that we can also drive change is through education, K through 12, all the way down to K through 12 education. How can we spend R&D money? How can we spend money on driving change starting from that point, so that people are being educated in secure code, memory safe languages, all those types of things, so when they go out and work in the private sector, or come and work for the government or whatever, it's just inherent in them that that is something that we do as a community and as an information security community.

That's excellent. So we have time for one quick follow-up.

My name is Lucie Hide. I am a program manager here at the Linux Foundation. I represent PyTorch, AI & Data, SONiC and Nephio, but previously I was a chief data scientist at JSOC.
So I've been on both sides of the coin, both deploying on air-gapped networks, and on the other side of the coin, representing open source foundations. Are we eligible, from the Linux Foundation, to be CRADA partners? Are there any restrictions on us entering into a CRADA agreement with the DoD, or with the government as a whole? Because that would be a way in which the government could interface at the program management level. We could work with our foundations to set up special interest groups or other working groups where we could find and advocate to the community to dedicate maintainers to meet your needs. CRADAs are typically two to three years long, depending on the benchmarks that they meet or that they need to meet, and it's also not monetary, so we're not impinging on or impeding any type of contracting opportunities, open fair competition, or antitrust. Is that an opportunity that we can advocate for, from a program management side, to our foundations?

The answer, for us, is yes, and we would obviously want to have conversations on what exactly that would look like and talk that out, because it's super easy to work with the government. We're really straightforward. But no, we'd love to talk more about that, for sure.

Yeah, it's great. Absolutely. All this week rocks here today. But thank you so much. We're going to break till, I think, 10 minutes after, then we'll start back up again with a panel discussion on software
