Senators on Thursday reintroduced bipartisan legislation to help protect the federal government and critical infrastructure systems by ensuring open source software used by them is safe and secure after a major open source software vulnerability was discovered last year.
Senators Gary Peters, D-MI, Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley, R-MO, reintroduced the Securing Open Source Software Act last week, which would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate how open source code is used by the federal government.
Peters first proposed the bill in September last year after holding a Senate hearing in response to the discovery of a severe, widespread Log4j vulnerability in open source code affecting federal systems and millions of others worldwide.
“The Log4j incident demonstrated that we must work to secure open source software against persistent and evolving cybersecurity threats,” Senator Peters said in a statement. “This bipartisan bill will help ensure this widely used software is secure against foreign adversaries and cybercriminals seeking to disrupt our national and economic security.”
The Securing Open Source Software Act would have CISA hire open source software experts to help address cyber incidents, require the Office of Management and Budget to issue guidance for agencies on securing open source software, and establish a software security subcommittee of the CISA Cybersecurity Advisory Committee.
CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. That evaluation would identify ways to mitigate risks in systems that use open source software.
“At a time when our adversaries, particularly the Chinese Communist Party, continue to attack and exploit our federal agencies’ software vulnerabilities, it is imperative that Congress work to bolster our national cybersecurity,” Senator Hawley said in a statement. “The Securing Open Source Software Act is a great step toward better understanding the risk associated with software deficiencies, and better defending the U.S. government and its critical infrastructure from cyberattacks by our enemies.”