Senate Lawmakers Introduce Measure to Minimize Open-Source Software Risks
Sens. Gary Peters and Rob Portman have introduced the Securing Open Source Software Act, a measure that would compel the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) to act on cyber risks in open-source software. According to Peters, the legislation will enhance the federal government's ability to protect American citizens' sensitive data through more effective detection and mitigation of such risks, FCW reported.
The bill assigns new responsibilities to both agencies. OMB must issue guidance on the secure use of open-source software, while CISA must, within one year, devise a risk assessment framework for open-source code and, within two further years, determine whether that framework can be applied to the private sector and to critical infrastructure sectors.
Additionally, the cyber agency must establish a software security-focused subcommittee, hire subject matter experts and annually monitor open-source code components across the government.
Peters and Portman drafted the bill in light of Log4Shell (CVE-2021-44228), a remote code execution vulnerability in the widely used Apache Log4j logging library that was being exploited in the wild before most affected systems were patched; an attacker can use it to run arbitrary code with the privileges of the application that embeds the library. According to the senators, Log4Shell exposed serious vulnerabilities within many of the country's foundational networks. In June, CISA and the U.S. Coast Guard Cyber Command warned that the flaw was still present in unpatched VMware Horizon and Unified Access Gateway servers and was being actively exploited.