The agency’s roadmap outlines a plan for prioritizing where open source software makes infrastructure potentially vulnerable.