H.R.5793 - Cyber Supply Chain Management and Transparency Act of 2014113th Congress (2013-2014)
|Sponsor:||Rep. Royce, Edward R. [R-CA-39] (Introduced 12/04/2014)|
|Committees:||House - Oversight and Government Reform|
|Latest Action:||12/04/2014 Referred to the House Committee on Oversight and Government Reform. (All Actions)|
This bill has the status Introduced
Here are the steps for Status of Legislation:
Summary: H.R.5793 — 113th Congress (2013-2014)All Bill Information (Except Text)
Introduced in House (12/04/2014)
Cyber Supply Chain Management and Transparency Act of 2014 - Requires the Office of Management and Budget (OMB) to issue guidelines for agencies that contract to acquire software, firmware, or products containing a third party or open source binary component.
Requires binary component contracts to include clauses requiring:
- a confidentially supplied list, or a bill of materials, of each binary component that is used in the software, firmware, or product;
- the contractor to verify that products do not contain known security vulnerabilities and to notify the purchasing agency of any known vulnerabilities or defects;
- the contractor to obtain a waiver from the purchasing agency for components known to be vulnerable;
- an agency approving a vulnerability waiver to accept all risk associated with component use;
- product designs to allow fixes with patches, updates, or replacements; and
- the contractor to provide timely repairs for discovered vulnerabilities.
Directs the OMB to issue guidance requiring agencies: (1) to replace components with currently known vulnerabilities and to remove or repair any new vulnerable components that become known; and (2) to migrate to patchable, repairable, and fixable products.
Requires agencies to provide the Department of Homeland Security (DHS) with a list of each known vulnerable component in any product in use by the agencies.
Directs DHS to issue an annual confidential report describing the security vulnerabilities of projects that created any known vulnerable component. Requires the report to assess the integrity of component suppliers for the incidence of security vulnerabilities for use by other agencies.
Requires agencies, within 30 months after enactment of this Act, to report to Congress regarding the completion of the removal of each known vulnerable or defective component.
Directs other entities of the U.S. government to replace vulnerable components with less vulnerable alternatives.