The U.S. Government Prioritizes Open Source Governance and Security

The U.S. Federal government's FY 2026 Cybersecurity Priorities focus on securing open source software, improving governance, and supporting OSS sustainability to strengthen the software supply chain.

Written by Chris Hughes, Chief Security Advisor at Endor Labs
Published on October 10, 2024

It’s no surprise that the U.S. Federal government is zeroing in on software supply chain security. Through initiatives like the Cybersecurity Executive Order (EO) 14028, the NIST Secure Software Development Framework (SSDF), and OMB Memos 22-18 and 23-16, along with CISA’s Secure Software Development Attestation requirements, the government is tackling this issue from multiple angles.

Recently, they released their FY 2026 Cybersecurity Priorities, offering insight into the areas they’re focusing on in the coming years. Once again, there’s a strong emphasis on open source security.

These priorities align with key pillars of the U.S. National Cybersecurity Strategy (NCS), particularly Pillar 1: Defend Critical Infrastructure. Recognizing the importance of open source to U.S. infrastructure, the FY 2026 Cybersecurity Priorities include a section titled “Improve Open Source Software Security and Sustainability.” So how does the Federal government plan to address this? Let’s take a closer look.

How Federal Agencies Can Step Up, Secure, and Give Back to Open Source

Federal agencies have a big role to play when it comes to open source software (OSS)—not just in using it but also in keeping it secure and sustainable. Right now, many agencies lack mature processes to ensure OSS is used securely, and frankly, the government could be doing more to support the open source projects it relies on so heavily.

This need aligns with broader efforts from agencies like CISA, which laid out its Open Source Security Roadmap. Their goals? Secure the use of OSS, increase visibility across the Federal landscape, and reduce risks. But from my years supporting U.S. Civilian and Defense agencies, I can tell you there’s a noticeable gap. Many lack a structured approach to securely managing OSS or even understanding how widely it’s being used.

The government could learn a lot from industry best practices, like the OWASP Top 10 OSS Risks, which go beyond just patching known vulnerabilities. They address risks from unmaintained software, outdated licenses, and bloated dependencies—all of which should be core concerns for agencies managing OSS.

And let’s not forget the U.S. Government’s vast resources. With tens of billions spent annually on IT and software, they are in a prime position to support critical open source projects that are often held together by a handful of volunteers. Just imagine the impact they could have on an ecosystem where 25% of projects are managed by a single maintainer!

By stepping up their game, Federal agencies can do more than just secure their own software supply chains—they can strengthen the very open source community they depend on. It’s a win-win for everyone involved!

Building on the need for secure open source usage, the FY26 Cyber Priorities also emphasize the importance of establishing Open Source Program Offices (OSPOs). These governance structures, already adopted by some agencies like the Centers for Medicare and Medicaid (CMS), provide a proven model for managing OSS securely. However, CMS is an exception—most Federal agencies are still missing this critical piece.

OSPOs can help not only with governance but also serve as a key force multiplier in agencies' efforts to ensure secure consumption and use of OSS, especially given how large and complex most Federal agencies are.

Endor Labs recently hosted a LeanAppSec session with Russ Eling of OSS Consultants, who has a wealth of experience building and scaling OSPOs in large, complex organizations. That talk can be found here.

What’s Next for Federal OSS Security

While there is much progress to be made when it comes to the U.S. government's secure use of, contribution to, and governance of OSS, the latest FY 2026 Cybersecurity Priorities document further emphasizes just how important the Federal government considers this requirement. Much like the broader software industry, the U.S. Government is now acutely aware of how dependent it is on OSS and is looking to address critical gaps. Equally important is having the right tools in place to monitor open source packages.

Book a demo to understand how Endor Labs turns your vulnerability prioritization workflow dreams into reality, or start a full-featured free trial that includes test projects and the ability to scan your own projects.