Creating a cybersecurity standard of care: The future of software liability
Over the past year, the federal government has taken significant steps toward promoting a “secure by design” approach to cybersecurity. This approach emphasizes the importance of integrating security measures into the software development lifecycle from the beginning.
Government leaders are actively exploring regulatory frameworks designed to hold organizations accountable for security breaches and enforce compliance with established security standards. These frameworks would incentivize the private sector to produce secure by design software that protects sensitive data and maintains customer trust.
A robust partnership between the public and private sectors is essential for establishing and enforcing effective cybersecurity standards such as secure by design. This collaboration involves refining existing regulations, such as software bill of materials (SBOM) requirements, especially when leveraging open-source software, and encouraging the private sector to create and maintain a standard of care for cybersecurity practices.
Balancing liability and innovation in open source
The question of liability in the open-source ecosystem requires careful consideration. Direct liability for open-source maintainers could harm innovation and potentially damage the collaborative ecosystem that countless developers depend on. Instead, the focus has shifted toward holding private-sector organizations accountable for the overall security of their software products. By establishing and enforcing industry-wide security standards through legal and regulatory measures, we can work toward creating a safer digital environment for all stakeholders.
Open-source software is a foundational component of technological innovation, but it also calls for additional security practices. Organizations must exercise thorough due diligence and implement comprehensive security scanning when integrating these components into their projects. GitLab research found that 67% of developers said a quarter or more of the code they work on comes from open-source libraries, yet only 21% of organizations are currently using an SBOM to document the ingredients that make up their software components.
The rising importance of SBOM
SBOMs are expected to become nearly universal across government agencies, particularly in securing defense systems and software development processes. This increased adoption will help defense agencies align with the Cybersecurity and Infrastructure Security Agency’s recent secure by design/demand guidance.
Many agencies are developing stringent SBOM requirements and may decline to work with vendors who cannot provide adequate SBOMs. The benefits of implementing standard-format SBOMs are substantial and immediate. They include:
- Comprehensive identification of open-source software used in development, including critical license and version details necessary for policy compliance.
- Effective removal of vulnerable components through the avoidance and remediation of obsolete, unmaintained or contaminated third-party repositories.
- Enhanced understanding and minimization of risks associated with deployment containers and development environments throughout the entire development lifecycle.
- Demonstrated commitment to customer security through enforced compliance with purchase requirements.
- Improved visibility into emergent threats through continuous scanning of both active and inactive software projects.
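To make the first three benefits above concrete, here is an added example (not code from the article, from GitLab, or from any standard SBOM tool) that consumes a standard-format SBOM and evaluates it against a simple policy. The SBOM is a constructed document in the CycloneDX JSON shape; the license allowlist and the advisory list are hypothetical inputs made up for the example, and the advisories are deliberately not real CVE identifiers. The version comparison is a simplified dotted-integer compare, not full semver or PEP 440.

```python
"""Consume a CycloneDX-style SBOM and evaluate it against a simple policy.

Added illustration; not code from the article, GitLab, or any SBOM tool.
The SBOM document, license allowlist and advisory feed are all constructed
here. Version comparison is a simplified dotted-integer compare.
"""
import json
from dataclasses import dataclass

# Constructed SBOM in CycloneDX JSON shape (real SBOMs carry many more fields).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "fastxml", "version": "2.1.4",
         "purl": "pkg:maven/example/fastxml@2.1.4",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "oldcrypto", "version": "0.9.2",
         "purl": "pkg:pypi/oldcrypto@0.9.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "mystery-lib",
         "purl": "pkg:pypi/mystery-lib"},   # no version, no license declared
    ],
})

# Hypothetical policy inputs: a license allowlist and a constructed advisory
# feed keyed by the purl type/name, each giving the first fixed version.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
ADVISORIES = {
    "pypi/oldcrypto": {"fixed_in": "1.0.0", "note": "constructed advisory, not a real CVE"},
    "npm/left-pad": {"fixed_in": "1.2.0", "note": "constructed advisory, already fixed"},
}


def parse_version(v):
    """Split '1.3.0' into (1, 3, 0); non-numeric fragments compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_key(purl):
    """'pkg:npm/left-pad@1.3.0' -> 'npm/left-pad' (version/qualifiers stripped)."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    for sep in ("@", "?", "#"):
        body = body.split(sep, 1)[0]
    return body


@dataclass
class Finding:
    component: str
    kind: str      # 'license', 'vulnerable' or 'unpinned'
    detail: str


def evaluate_sbom(sbom_json, allowed_licenses=ALLOWED_LICENSES, advisories=ADVISORIES):
    """Return policy findings for every component in the SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        label = f"{name}@{version}" if version else name

        # 1. License compliance: every declared license must be allowlisted;
        #    an undeclared license is a finding too, since compliance cannot be shown.
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            findings.append(Finding(label, "license", "no license declared"))
        for lic in ids:
            if lic not in allowed_licenses:
                findings.append(Finding(label, "license", f"{lic} not in allowlist"))

        # 2. A component without a recorded version cannot be matched to advisories.
        if not version:
            findings.append(Finding(label, "unpinned", "no version recorded"))
            continue

        # 3. Known-vulnerable check: affected when version < first fixed version.
        adv = advisories.get(purl_key(comp.get("purl", "")))
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append(Finding(label, "vulnerable",
                                    f"fixed in {adv['fixed_in']} ({adv['note']})"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'license': 2, 'vulnerable': 1, 'unpinned': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate_sbom(SAMPLE_SBOM)
    for f in results:
        print(f"{f.kind:<10} {f.component:<20} {f.detail}")
    print(summarize(results))
```

Run against the constructed SBOM, the check flags the GPL-licensed component and the undeclared-license component under the license policy, the out-of-date `oldcrypto` as vulnerable, and `mystery-lib` as unpinned, while `left-pad` passes because its version is already past the advisory's fix. The unpinned case is the one worth noticing: a component with no recorded version silently defeats the vulnerability match, which is why agencies asking for "adequate" SBOMs care about completeness of version and identifier fields, not just the presence of a file.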
The private sector’s role and responsibility
Tech vendors in the private sector, their customers, partners and the broader industry share an implicit understanding of the need to uphold reasonable cybersecurity standards. This responsibility extends to creating and maintaining a cybersecurity standard of care that establishes baseline security requirements across the tech industry.
Thorough analyses of security practices can benefit organizations across sectors. This evaluation helps them understand their security posture, identify potential vulnerabilities and gaps, and establish a solid foundation for developing comprehensive security roadmaps that align with industry standards and regulatory guidance.
The White House and CISA continue to provide guidance on how organizations can build more secure software. The secure by design pledge represents a significant commitment from the private sector to integrate security into software development processes. While implementing these changes may pose challenges for organizations, they are crucial steps in mitigating risks and protecting against potential liability issues in the future.
Importantly, security, speed and innovation need not be mutually exclusive priorities. By establishing and adhering to foundational cybersecurity standards, tech vendors can continue delivering software at market speed while protecting confidential data. This balanced approach demonstrates that robust security measures can coexist with and enhance rapid development cycles, creating a more resilient and trustworthy technology ecosystem.
Joel Krooswyk is federal chief technology officer at GitLab.
© 2025 Federal News Network. All rights reserved.