NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-10(1) — Open-source Software
Establish the following restrictions on the use of open-source software: {{ insert: param, cm-10.01_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software.
Practitioner Notes
This enhancement addresses the use of open-source software — you need policies governing when and how open-source components can be used, including license compliance and security vetting.
Example 1: Require all developers to run open-source dependencies through Snyk or Black Duck to check for known vulnerabilities and license conflicts before use.
Example 2: Maintain an approved list of open-source libraries with accepted license types (MIT, Apache 2.0) and require review for any library with a restrictive license like GPL.
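As an added illustration of the kind of gate Examples 1 and 2 describe (this is example code, not part of NIST 800-53 or of any scanning product), the script below applies an open-source use policy to a constructed dependency inventory: components under an approved license pass, components under a restrictive license such as GPL, with an unrecognized license, distributed only in binary form, or lacking a recorded vulnerability scan are routed for review. The license lists beyond MIT, Apache 2.0 and GPL, the inventory format and its field names are assumptions for the example.

```python
import json

# Policy assumed for this example: licenses usable without review, and licenses
# that require legal/security review before use (CM-10(1) leaves the actual
# restrictions to the organization; only MIT, Apache 2.0 and GPL come from the page).
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}

# Constructed dependency inventory (not a real project's SBOM). One entry per
# component: name, version, SPDX license id, whether source code is available
# for examination, and whether a vulnerability scan result has been recorded.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "requests",   "version": "2.31.0", "license": "Apache-2.0",   "source_available": true,  "scanned": true},
  {"name": "somelib",    "version": "1.0.0",  "license": "GPL-3.0-only", "source_available": true,  "scanned": true},
  {"name": "vendorsdk",  "version": "4.2.1",  "license": "MIT",          "source_available": false, "scanned": true},
  {"name": "mysterypkg", "version": "0.1.0",  "license": "",             "source_available": true,  "scanned": false}
]
""")


def evaluate_component(component):
    """Return (decision, reasons) for one component under the policy above.

    decision is "approved" when no finding applies, otherwise "review";
    reasons lists every finding so the reviewer sees all of them at once.
    """
    reasons = []
    license_id = component.get("license") or "UNKNOWN"
    if license_id in REVIEW_LICENSES:
        reasons.append(f"restrictive license {license_id} requires review")
    elif license_id not in APPROVED_LICENSES:
        reasons.append(f"license {license_id} is not on the approved list")
    if not component.get("source_available", False):
        # Supplemental guidance: binary-only open-source raises the level of risk.
        reasons.append("binary-only distribution: source cannot be examined")
    if not component.get("scanned", False):
        reasons.append("no vulnerability scan recorded")
    return ("approved" if not reasons else "review", reasons)


def evaluate_inventory(inventory):
    """Map component name -> (decision, reasons); anything not 'approved' needs sign-off."""
    return {c["name"]: evaluate_component(c) for c in inventory}


if __name__ == "__main__":
    for name, (decision, reasons) in evaluate_inventory(SAMPLE_INVENTORY).items():
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{name}: {decision}{detail}")
```

In a CI pipeline the same function would run over the real SBOM export and fail the build on any "review" decision that lacks an approval record.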