ISC is a Small Business open source software provider; we author and maintain BIND 9, ISC DHCP, and Kea DHCP, essential software that handles DNS and DHCP functionality across the Internet. Our software is the foundation for most of the domain name service and IP-address assignment on the Internet today. ISC can benefit the US government through our support and maintenance of your mission-critical Internet infrastructure.
Summer 2021 Update - US Executive Order
We are closely following the work pursuant to the May 12, 2021 White House Executive Order on Improving the Nation’s Cybersecurity, and in particular, section 4, “Enhancing Software Supply Chain Security.” ISC participated in the June 2nd NIST Workshop on this topic. Although the definition of what software is considered critical for the purposes of the EO is not yet determined, it is likely that BIND will fall under that definition in at least some deployments, and ISC’s DHCP software may also be impacted.
ISC development teams already follow most of the secure development practices previously recommended by NIST in the Secure Software Development Framework whitepaper. Many of these requirements are captured by the Core Infrastructure Initiative Best Practices Badge Application. We already require peer code reviews, run pair-wise testing and code fuzzing, and use multiple static analyzers, for example. Our system for vulnerability handling is mature and we have extensive experience in that area. One area where we expect to need additional capabilities relates to managing external dependencies on other open source software, and providing Software Bill of Materials (SBOM) information. If the final recommendation is to adopt the Software Package Data Exchange (SPDX) method of tagging software, we will adopt that.
Can you and your agency afford NOT to purchase maintenance and support services from ISC?
Various federal, state, and local government agencies and organizations already purchase software support services from ISC, because they know they can trust us to provide the security assistance they need.
How can ISC help the US government secure its mission-critical communications infrastructure?
One of our most valuable services, and one for which we are the sole source, is our Advance Security Notification (ASN) to alert subscribers to discovered vulnerabilities in ISC software.
The BIND 9 Security Vulnerability Matrix gives a detailed list of all known vulnerabilities in current versions of BIND 9. ASN subscribers receive advance notification of these vulnerabilities, which offers them valuable time to address any potential weaknesses before they become known to the general public.
We offer complete support services, including the ASNs, level 4 technical support with hot fixes, DNS audits and DNS/DHCP training. As the author, maintainer, and publisher of BIND 9, ISC DHCP, and Kea DHCP, we are the sole source capable of performing these services for the authoritative versions of these software products.
References pertaining specifically to US government open source users
You may find some of these other sites and documents useful when considering ISC as a government partner.
- ISC’s Capability Statement, for more information including our CAGE and NAICS codes.
- NIST Resource page on the 2021 Executive Order on Cybersecurity
- CERT/CC comments on the 2021 US EO
- Network Infrastructure Security Technical Implementation (STIG) Overview, 2 January 2019 (note discussion of IP-addressing approaches)
- Domain Name System (DNS) Security Requirements Guide (SRG) 01/05/2015
- DoD Open Source Software (OSS) FAQ web page.
- NTIA resource page on SBOMs
- BIND DNS STIG, October 1, 2015
- Google Group (mailing list) for Military Open Source Software