Sen. Gary Peters, D-Mich., chairman of the Homeland Security and Governmental Affairs Committee, and Ranking Member Rob Portman, R-Ohio, introduced bipartisan legislation on Sept. 22 that aims to protect open-source software in response to issues raised by the Log4j vulnerability that emerged in December 2021.
The Securing Open Source Software Act comes after the Log4j vulnerability – a flaw in a library that is widely used in open source code – affected Federal systems and millions of other computers worldwide.
The legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) with ensuring that open source software is used safely and securely by the Federal government, critical infrastructure, and others.
“Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it,” Sen. Peters said in a statement. “This incident presented a serious threat to Federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services.”
“This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation,” the chairman added.
The bipartisan bill calls on CISA to develop a risk framework to evaluate how open source code is used by the Federal government, as well as critical infrastructure owners and operators. It also calls on the agency to hire open-source software experts, who can address cyber incidents like the Log4j vulnerability when they arise.
Additionally, the legislation calls on the Office of Management and Budget (OMB) to issue guidance to Federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.
“As we saw with the Log4Shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” said Sen. Portman. “The bipartisan Securing Open Source Software Act will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”