Securing Open Source Software Act of 2023

12/20/2023, 5:30 PM

Securing Open Source Software Act of 2023

This bill sets forth the duties of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security.

Open source software means software for which the human-readable source code is made available to the public for use, study, reuse, modification, enhancement, and redistribution.

Specifically, CISA must

  • perform outreach and engagement to bolster the security of open source software;
  • support federal efforts to strengthen open source software security;
  • coordinate with nonfederal entities on efforts to ensure long-term open source software security;
  • serve as a public point of contact regarding open source software security for nonfederal entities; and
  • support federal and nonfederal supply chain security efforts by encouraging efforts to bolster open source software security.

CISA must (1) publish a framework, incorporating government, private sector, and open source software community frameworks and best practices, for assessing the risk of open source software components; (2) update the framework at least annually; and (3) ensure, to the greatest extent practicable, that the framework is usable by the open source software community.

The bill requires CISA to assess open source software components deployed on high value assets at federal agencies based on the framework and provides for a pilot assessment of critical infrastructure.

CISA's Cybersecurity Advisory Committee may establish a software security subcommittee.

The Securing Open Source Software Act of 2023, also known as H.R. 3286 (118th Congress), is a piece of legislation introduced in the US Congress aimed at improving the security of open source software. The bill seeks to address the growing concerns surrounding the security of open source software, which is widely used across industries and government agencies.

The main provisions of the bill include the establishment of a program within the Department of Homeland Security (DHS) to identify and mitigate security vulnerabilities in open source software. This program would involve conducting regular security assessments of open source software projects and providing resources and support to help developers address any identified vulnerabilities.

Additionally, the bill calls for the creation of a public database to track security vulnerabilities in open source software and provide information to users and developers on how to address these vulnerabilities. The database would also serve as a resource for government agencies and other organizations to assess the security of the open source software they use.

Overall, the Securing Open Source Software Act of 2023 aims to enhance the security of open source software and protect users from potential cyber threats. By establishing a program to identify and address security vulnerabilities, the bill seeks to promote the use of open source software while ensuring that it remains secure and reliable for all users.

Congress
118

Number
HR - 3286

Introduced on
2023-05-15

Number of Amendments
0

Sponsors
+5

Cosponsors
+5

Variations and Revisions

7/27/2023

Status of Legislation

Bill Introduced
Introduced to House
House to Vote
Introduced to Senate
Senate to Vote

Alternative Names
Official Title as Introduced: To amend the Homeland Security Act of 2002 to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes.

Policy Areas
Government Operations and Politics

Potential Impact
  • Computer security and identity theft
  • Computers and information technology
  • Congressional oversight
  • Department of Homeland Security
  • Federal officials
  • Government information and archives
  • Government studies and investigations
  • Performance measurement

Recent Activity

Latest Summary: 1/10/2024 (the summary text above)


Latest Action: 7/27/2023
Placed on the Union Calendar, Calendar No. 127.