Senators propose open source software risk framework in new bill
Lawmakers introduced a bill Thursday that would have the Cybersecurity and Infrastructure Security Agency develop a risk framework to strengthen the security of open-source software.
Agencies would use the framework to mitigate risks in systems reliant on open source code, and CISA would determine if critical infrastructure owners and operators could use it voluntarily as well.
Most systems rely on freely available open source code maintained by communities for creating websites and applications, and the federal government is one of the largest users. Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio — the chairman and ranking member of the Homeland Security Committee, respectively — proposed the legislation after holding a hearing in response to the discovery of a severe, widespread Log4j vulnerability in open source code affecting federal systems and millions of others worldwide.
“This incident presented a serious threat to federal systems and critical infrastructure companies — including banks, hospitals and utilities — that Americans rely on each and every day for essential services,” Peters said in the announcement. “This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”
The Securing Open Source Software Act would further have CISA hire open source software experts to help address cyber incidents, require the Office of Management and Budget to issue guidance for agencies on securing open source software, and establish a software security subcommittee of the CISA Cybersecurity Advisory Committee.
Peters and Portman previously saw bills signed into law requiring critical infrastructure owners and operators to report substantial cyberattacks and ransomware payments to CISA and bolstering state and local governments' cybersecurity, while the Senate unanimously passed their bills protecting federal networks and encouraging safe adoption of cloud technology.
“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, in a statement. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software.”
Details of the proposed legislation were first reported by The Washington Post.