The Securing Open Source Software Act would also task the Office of Management and Budget with issuing guidance to agencies on how to use open source software safely.
Lawmakers on Thursday introduced a measure that would require the Cybersecurity and Infrastructure Security Agency to create a risk framework for improving the security of open source software. Agencies would use the framework to reduce risk in systems that depend on open source code, and CISA would determine whether critical infrastructure owners and operators should also be able to use it voluntarily.
Most websites and applications are built on open source software, which is freely available and maintained by communities of volunteers; the federal government is one of its biggest users. The legislation was introduced by Sens. Rob Portman, R-Ohio, and Gary Peters, D-Mich., the ranking member and chairman of the Homeland Security Committee, respectively, following a hearing held in response to the discovery of a serious, widespread vulnerability in the open source Log4j logging library that affected federal systems and millions of others worldwide.
“This incident presented a serious threat to federal systems and critical infrastructure companies — including banks, hospitals and utilities — that Americans rely on each and every day for essential services,” Peters said in the announcement. “This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”
The Securing Open Source Software Act would also require the Office of Management and Budget to issue guidance for agencies on securing open source software, create a software security subcommittee of the CISA Cybersecurity Advisory Committee, and require CISA to hire open source software experts to assist with cyber incidents.
Earlier, other Peters and Portman bills passed the Senate unanimously and were signed into law, strengthening state and local governments' cyber defenses and requiring owners and operators of critical infrastructure to report significant cyberattacks and ransomware payments to CISA.