The Senate Homeland Security and Governmental Affairs Committee has advanced the Securing Open Source Software Act, noting that it would protect federal and critical infrastructure systems.
The measure introduced by Sens. Gary Peters (D-MI) and Josh Hawley (R-MO) now moves to the full Senate for consideration. It directs the Cybersecurity and Infrastructure Security Agency (CISA) to ensure open source software is used safely and securely by the federal government, critical infrastructure, and others.
Proponents of the legislation noted that the software vulnerability first discovered two years ago in Log4j, a widely used open source library, affected millions of computers globally, including critical infrastructure and federal systems.
“The Log4j incident showed how vulnerabilities in open source software can put our networks at risk of cyber-attacks from foreign adversaries and cyber criminals who seek to disrupt our national and economic security,” said Peters, Senate Homeland Security and Governmental Affairs Committee chairman. “This bipartisan bill will help bolster our cybersecurity defenses and secure open source software that is widely used across government and the private sector.”
Bill provisions include: directing CISA to develop a risk framework for evaluating how open source code is used by the federal government, and to assess how that framework could be voluntarily adopted by critical infrastructure owners and operators; requiring CISA to hire professionals with experience developing open source software, so that the government and the open source community work collaboratively and are prepared to address incidents like the Log4j vulnerability; and stipulating that the Office of Management and Budget (OMB) issue guidance to federal agencies on the secure use of open source software, and that a software security subcommittee be established within the CISA Cybersecurity Advisory Committee.