[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4913 Reported in Senate (RS)]
Calendar No. 677
117th CONGRESS
2d Session
S. 4913
[Report No. 117-278]
To establish the duties of the Director of the Cybersecurity and
Infrastructure Security Agency regarding open source software security,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 21, 2022
Mr. Peters (for himself and Mr. Portman) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
December 19, 2022
Reported by Mr. Peters, with amendments
[Omit the part struck through and insert the part printed in italic]
_______________________________________________________________________
A BILL
To establish the duties of the Director of the Cybersecurity and
Infrastructure Security Agency regarding open source software security,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Securing Open Source Software Act of
2022''.
SEC. 2. FINDINGS.
Congress finds that--
(1) open source software fosters technology development and
is an integral part of overall cybersecurity;
(2) a secure, healthy, vibrant, and resilient open source
software ecosystem is crucial for ensuring the national
security and economic vitality of the United States;
(3) open source software is part of the foundation of
digital infrastructure that promotes a free and open internet;
(4) due to both the unique strengths of open source
software and inconsistent historical investment in open source
software security, there exist unique challenges in securing
open source software; and
(5) the Federal Government should play a supporting role in
ensuring the long-term security of open source software.
SEC. 3. OPEN SOURCE SOFTWARE SECURITY DUTIES.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
(1) in section 2201 (6 U.S.C. 651)--
(A) by redesignating paragraphs (5), (6), and (7)
as paragraphs (8), (9), and (10), respectively; and
(B) by inserting after paragraph (4) the following:
``(5) Open source software.--The term `open source
software' means software for which the human-readable source
code is made available to the public for use, study, re-use,
modification, enhancement, and re-distribution.
``(6) Open source software community.--The term `open
source software community' means the community of individuals,
foundations, nonprofit organizations, corporations, and other
entities that--
``(A) develop, contribute to, maintain, and publish
open source software; or
``(B) otherwise work to ensure the security of the
open source software ecosystem.
``(7) Open source software component.--The term `open
source software component' means an individual repository of
open source software that is made available to the public.'';
(2) in section 2202(c) (6 U.S.C. 652(c))--
(A) in paragraph (13), by striking ``and'' at the
end;
(B) by redesignating paragraph (14) as paragraph
(15); and
(C) by inserting after paragraph (13) the
following:
``(14) support, including by offering services, the secure
usage and deployment of software, including open source
software, in the software development lifecycle at Federal
agencies in accordance with section 2220E; and''; and
(3) by adding at the end the following:
``SEC. 2220E. OPEN SOURCE SOFTWARE SECURITY DUTIES.
``(a) Definition.--In this section, the term `software bill of
materials' has the meaning given the term in the Minimum Elements for a
Software Bill of Materials published by the Department of Commerce, or
any superseding definition published by the Agency.
``(b) Employment.--The Director shall, to the greatest extent
practicable, employ individuals in the Agency who--
``(1) have expertise and experience participating in the
open source software community; and
``(2) perform the duties described in subsection (c).
``(c) Duties of the Director.--
``(1) In general.--The Director shall--
``(A) perform outreach and engagement to bolster
the security of open source software;
``(B) support Federal efforts to strengthen the
security of open source software;
``(C) coordinate, as appropriate, with non-Federal
entities on efforts to ensure the long-term security of
open source software;
``(D) serve as a public point of contact regarding
the security of open source software for non-Federal
entities, including State, local, Tribal, and
territorial partners, the private sector, international
partners, open source software organizations, and open
source software developers; and
``(E) support Federal and non-Federal supply chain
security efforts by encouraging efforts to bolster open
source software security, such as--
``(i) assisting in coordinated
vulnerability disclosures in open source
software components pursuant to section
2209(n); and
``(ii) supporting the activities of the
Federal Acquisition Security Council.
``(2) Assessment of critical open source software
components.--
``(A) Framework.--Not later than 1 year after the
date of enactment of this section, the Director shall
publicly publish a framework, incorporating government,
industry, and open source software community frameworks
and best practices, including those published by the
National Institute of Standards and Technology, for
assessing the risk of
open source software components, including direct and
indirect open source software dependencies, which shall
incorporate, at a minimum--
``(i) the security properties of code in a
given open source software component, such as
whether the code is written in a memory-safe
programming language;
``(ii) the security practices of
development, build, and release processes of a
given open source software component, such as
the use of multi-factor authentication by
maintainers and cryptographic signing of
releases;
``(iii) the number and severity of publicly
known, unpatched vulnerabilities in a given
open source software component;
``(iv) the breadth of deployment of a given
open source software component;
``(v) the level of risk associated with
where a given open source software component is
integrated or deployed, such as whether the
component operates on a network boundary or in
a privileged location; and
``(vi) the health of the community for a
given open source software component,
including, where applicable, the level of
current and historical investment and
maintenance in the open source software
component, such as the number and activity of
individual maintainers.
``(B) Updating framework.--Not less frequently than
annually after the date on which the framework is
published under subparagraph (A), the Director shall--
``(i) determine whether additional updates
are needed to the framework described in
subparagraph (A); and
``(ii) if the Director determines that
additional updates are needed under clause (i),
make those updates to the framework.
``(C) Developing framework.--In developing the
framework described in subparagraph (A), the Director
shall consult with--
``(i) appropriate Federal agencies,
including the National Institute of Standards
and Technology;
``(ii) individuals and nonprofit
organizations from the open source software
community; and
``(iii) private companies from the open
source software community.
``(D) Federal open source software assessment.--Not
later than 1 year after the publication of the
framework described in subparagraph (A), and not less
frequently than every 2 years thereafter, the Director
shall, to the greatest extent practicable and using the
framework described in subparagraph (A)--
``(i) perform an assessment of open source
software components used directly or indirectly
by Federal agencies based on readily available,
and, to the greatest extent practicable,
machine readable, information, such as--
``(I) software bills of material
that are made available to the Agency
or are otherwise accessible via the
internet;
``(II) software inventories
collected from the Continuous
Diagnostics and Mitigation program of
the Agency; and
``(III) other publicly available
information regarding open source
software components; and
``(ii) develop 1 or more ranked lists of
components described in clause (i) based on the
assessment, such as ranked by the criticality,
level of risk, or usage of the components, or a
combination thereof.
``(E) Automation.--The Director shall, to the
greatest extent practicable, automate the assessment
conducted under subparagraph (D).
``(F) Publication.--The Director shall publicly
publish and maintain any tools developed to conduct the
assessment described in subparagraph (D) as open source
software.
``(G) Sharing.--
``(i) Results.--The Director shall
facilitate the sharing of the results of the
assessment described in subparagraph (D) with
appropriate Federal and non-Federal entities
working to support the security of open source
software, including by offering means for
appropriate Federal and non-Federal entities to
download the assessment in an automated manner.
``(ii) Datasets.--The Director may publicly
publish, as appropriate, any datasets or
versions of the datasets developed or
consolidated as a result of the assessment
described in subparagraph (D).
``(H) Critical infrastructure assessment study and
pilot.--
``(i) Study.--Not later than 2 years after
the publication of the framework described in
subparagraph (A), the Director shall conduct a
study regarding the feasibility of the Director
conducting the assessment described in
subparagraph (D) for critical infrastructure
entities.
``(ii) Pilot.--If the Director determines
that the assessment described in clause (i) is
feasible, the Director may conduct a pilot
assessment on a voluntary basis with 1 or more
critical infrastructure sectors, in
coordination with the Sector Risk Management
Agency and the sector coordinating council of
each participating sector.
``(iii) Reports.--
``(I) Study.--Not later than 180
days after the date on which the
Director completes the study conducted
under clause (i), the Director shall
submit to the appropriate congressional
committees a report that--
``(aa) summarizes the
study; and
``(bb) states whether the
Director plans to proceed with
the pilot described in clause
(ii).
``(II) Pilot.--If the Director
proceeds with the pilot described in
clause (ii), not later than 1 year
after the date on which the Director
begins the pilot, the Director shall
submit to the appropriate congressional
committees a report that includes--
``(aa) a summary of the
results of the pilot; and
``(bb) a recommendation as
to whether the pilot should be
continued.
``(3) Coordination with national cyber director.--The
Director shall--
``(A) brief the National Cyber Director on the
activities described in this subsection; and
``(B) coordinate activities with the National Cyber
Director, as appropriate.
``(4) Reports.--
``(A) In general.--Not later than 1 year after the
date of enactment of this section, and every 2 years
thereafter, the Director shall submit to the
appropriate congressional committees a report that
includes--
``(i) a summary of the work on open source
software security performed by the Director
during the period covered by the report,
including a list of the Federal and non-Federal
entities with which the Director interfaced;
``(ii) the framework developed under
paragraph (2)(A);
``(iii) a summary of changes made to the
framework developed under paragraph (2)(A)
since the last report submitted under this
subparagraph;
``(iv) a summary of the assessment
conducted pursuant to paragraph (2)(D);
``(v) a summary of changes made to the
assessment conducted pursuant to paragraph
(2)(D) since the last report submitted under
this subparagraph, including overall security
trends; and
``(vi) a summary of the types of entities
with which the assessment was shared pursuant
to paragraph (2)(G), including a list of the
Federal and non-Federal entities with which the
assessment was shared.
``(B) Public report.--Not later than 30 days after
the date on which the Director submits a report
required under subparagraph (A), the Director shall
make a version of the report publicly available on the
website of the Agency.''.
(b) Technical and Conforming Amendment.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296;
116 Stat. 2135) is amended--
(1) by moving the item relating to section 2220D to appear
after the item relating to section 2220C; and
(2) by inserting after the item relating to section 2220D
the following:
``Sec. 2220E. Open source software security duties.''.
SEC. 4. SOFTWARE SECURITY ADVISORY SUBCOMMITTEE.
Section 2219(d)(1) of the Homeland Security Act of 2002 (6 U.S.C.
665e(d)(1)) is amended by adding at the end the following:
``(E) Software security, including open source
software security.''.
SEC. 5. OPEN SOURCE SOFTWARE GUIDANCE.
(a) Definitions.--In this section:
(1) Appropriate congressional committee.--The term
``appropriate congressional committee'' has the meaning given
the term in section 2 of the Homeland Security Act of 2002 (6
U.S.C. 101).
(2) Covered agency.--The term ``covered agency'' means an
agency described in section 901(b) of title 31, United States
Code.
(3) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(4) National security system.--The term ``national security
system'' has the meaning given the term in section 3552 of
title 44, United States Code.
(5) Open source software; open source software
community.--The terms ``open source software'' and ``open
source software community'' have the meanings given those terms
in section 2201 of the Homeland Security Act of 2002 (6 U.S.C.
651), as amended by section 3 of this Act.
(b) Guidance.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Director, in coordination with the
National Cyber Director, the Director of the Cybersecurity and
Infrastructure Security Agency, and the Administrator of
General Services, shall issue guidance on the responsibilities
of the chief information officer at each covered agency
regarding open source software, which shall include--
(A) how chief information officers at each covered
agency should, considering industry and open source
software community best practices--
(i) manage and reduce risks of using open
source software; and
(ii) guide contributing to and releasing
open source software;
(B) how chief information officers should enable,
rather than inhibit, the secure usage of open source
software at each covered agency;
(C) any relevant updates to the Memorandum M-16-21
issued by the Office of Management and Budget on August
8, 2016, entitled, ``Federal Source Code Policy:
Achieving Efficiency, Transparency, and Innovation
through Reusable and Open Source Software''; and
(D) how covered agencies may contribute publicly to
open source software that the covered agency uses,
including how chief information officers should
encourage those contributions.
(2) Exemption of national security systems.--The guidance
issued under paragraph (1) shall not apply to national security
systems.
(c) Pilot.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the chief information officer of each
covered agency selected under paragraph (2), in
coordination with the Director, the National Cyber Director,
the Director of the Cybersecurity and Infrastructure Security
Agency, and the Administrator of General Services, shall
establish a pilot open source function at the covered agency
that--
(A) is modeled after open source program offices,
such as those in the private sector, the nonprofit
sector, academia, and other non-Federal entities; and
(B) shall--
(i) support the secure usage of open source
software at the covered agency;
(ii) develop policies and processes for
contributions to and releases of open source
software at the covered agency, in
consultation, as appropriate, with the offices of
general counsel and procurement of the
covered agency;
(iii) interface with the open source
software community; and
(iv) manage and reduce risks of using open
source software at the covered
agency.
(2) Selection of pilot agencies.--The Director, in
coordination with the National Cyber Director, the Director of
the Cybersecurity and Infrastructure Security Agency, and the
Administrator of General Services, shall select 1 or more
covered agencies to conduct the pilot described in paragraph
(1).
(3) Assessment.--Not later than 1 year after the
establishment of the pilot open source functions described in
paragraph (1), the Director, in coordination with the National
Cyber Director, the Director of the Cybersecurity and
Infrastructure Security Agency, and the Administrator of
General Services, shall assess whether open source functions
should be established at some or all covered agencies,
including--
(A) how to organize those functions within covered
agencies, such as the creation of open source program
offices; and
(B) appropriate roles and responsibilities for
those functions.
(4) Guidance.--If the Director determines, based on the
assessment described in paragraph (3), that some or all of the
open source functions should be established at some or all
covered agencies, the Director, in coordination with the
National Cyber Director, the Director of the Cybersecurity and
Infrastructure Security Agency, and the Administrator of
General Services, shall issue guidance on the implementation of
those functions.
(d) Briefing and Report.--The Director shall--
(1) not later than 1 year after the date of enactment of
this Act, brief the appropriate congressional committees on the
guidance issued under subsection (b); and
(2) not later than 540 days after the establishment of the
pilot open source functions under subsection (c)(1), submit to
the appropriate congressional committees a report on--
(A) the pilot open source functions; and
(B) the results of the assessment conducted under
subsection (c)(3).
(e) Duties.--Section 3554(b) of title 44, United States Code, is
amended--
(1) in paragraph (7), by striking ``and'' at the end;
(2) in paragraph (8), by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(9) plans and procedures to ensure the secure usage and
development of software, including open source software.''.
SEC. 6. RULE OF CONSTRUCTION.
Nothing in this Act or the amendments made by this Act shall be
construed to provide any additional regulatory authority to any Federal
agency described therein.