Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Josh Hawley, R-Mo., reintroduced bipartisan legislation on March 23 that aims to protect open-source software in response to issues raised by the Log4j vulnerability that emerged in December 2021.
The Securing Open Source Software Act tasks the Cybersecurity and Infrastructure Security Agency (CISA) with ensuring that open source software is used safely and securely by the Federal government, critical infrastructure entities, and others.
The bill comes after the Log4j vulnerability, a flaw in a logging library that is widely used in open source code, affected Federal systems and millions of computers worldwide.
“The Log4j incident demonstrated that we must work to secure open source software against persistent and evolving cybersecurity threats,” Sen. Peters said. “This bipartisan bill will help ensure this widely used software is secure against foreign adversaries and cybercriminals seeking to disrupt our national and economic security.”
The bipartisan bill calls on CISA to develop a risk framework to evaluate how open source code is used by the Federal government, as well as critical infrastructure owners and operators. It also calls on the agency to hire open source software experts, who can address cyber incidents like the Log4j vulnerability when they arise.
Additionally, the legislation calls on the Office of Management and Budget to issue guidance to Federal agencies on the secure usage of open source software, and would establish a software security subcommittee on the CISA Cybersecurity Advisory Committee.
“At a time when our adversaries, particularly the Chinese Communist Party, continue to attack and exploit our federal agencies’ software vulnerabilities, it is imperative that Congress work to bolster our national cybersecurity,” Sen. Hawley said. “The Securing Open Source Software Act is a great step toward better understanding the risk associated with software deficiencies, and better defending the U.S. government and its critical infrastructure from cyberattacks by our enemies.”
The Senate Homeland Security and Governmental Affairs Committee will hold a markup hearing on March 29 to vote on the Securing Open Source Software Act – among several other tech bills.
Chairman Peters convened a hearing on the Log4j incident last year and authored similar legislation that advanced in the Senate last Congress.