This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
NIST 800-53 (r4) Supplemental Guidance:
Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software.
NIST 800-53 (r5) Discussion:
Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software.
38North Guidance:
Meets Minimum Requirement:
Establish the restrictions on the use of open source software and document them in the configuration management plan.
Best Practice:
All open source software should have an owner defined within the organization.
The owner should certify that the software was obtained from a trusted source and has gone through both static and dynamic vulnerability scans. Any open-source software considered for use in the environment should undergo evaluation, testing, and approval via the CSP's change approval process. Once a complete evaluation is performed and approved by the Change Approval/Advisory Board (CAB), the open-source software should be added to an Approved Software List (ASL) and to the software whitelisting mechanism utilized within the environment.
All open source software should be identified in the configuration baseline of the application.
Unapproved open source software should never be used.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Configuration Management Plan
Example documentation showing evaluation of risk and approval for use of open source software
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD