The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee on Thursday introduced a bill to strengthen the security of open source software, which is widely used in digital systems.
The Securing Open Source Software Act (S. 4913) calls for the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework for open source software for use by the federal government and evaluate how the framework could be used on a voluntary basis by critical infrastructures in the private sector.
The bill was introduced by Gary Peters (D-Mich.), the committee’s chairman, and Rob Portman (R-Ohio), the top Republican on the panel.
The bill would also require CISA to hire experienced open source code developers to work with the open source community to address cyber vulnerabilities, such as the Log4j incident discovered in late 2021. The legislation would also direct the Office of Management and Budget to issue federal guidance on the secure use of open source software.
“As we saw with the Log4Shell vulnerability, the computers, phones and websites we all use every day contain open source software that is vulnerable to cyber-attack,” Portman said in a statement. Peters stated that the “Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies, including banks, hospitals and utilities that Americans rely on each and every day for essential services.”