The Senate Homeland Security and Governmental Affairs Committee on September 28 approved by voice vote the Securing Open Source Software Act, which aims to put more Federal government muscle behind protecting open source software following the emergence of the Log4j vulnerability late last year.
The bill – introduced last week by committee Chairman Sen. Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, the panel’s ranking member – would place new security responsibilities for open source software on the Cybersecurity and Infrastructure Security Agency (CISA). According to the text of the bill, the CISA director would be required to:
- Conduct outreach and engagement to bolster open source software security;
- Support Federal efforts to strengthen the security of the software;
- Coordinate efforts with the private sector to ensure “long-term security” of the software;
- Support supply chain security efforts involving open source software;
- Assist in coordinating vulnerability disclosures; and
- Within one year, publish a framework for assessing open source software components and dependencies.
The bill also would require the Office of Management and Budget to issue guidance to Federal agencies on the secure usage of open source software.
The legislation does not appear to have a companion bill in the House.