
Tidelift advisory: Securing Open Source Software Act advances in U.S. Senate

by Donald Fischer
on March 30, 2023


Yesterday, the U.S. Senate Committee on Homeland Security and Governmental Affairs voted to advance bipartisan legislation to help strengthen the security of open source software. Named the Securing Open Source Software Act, this legislation was introduced last week, and builds on a similar piece of legislation that was first proposed in 2022 in response to the widely reported Log4Shell security incident.

The announcement describes some of the core goals of the legislation:

“The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.”

While there is a long way to go before this act becomes established law, it is notable because it signals wider government support for treating open source software as public infrastructure, and it is perhaps a precursor to the greater government support for open source software that we identified as one of our key takeaways from the recently announced U.S. National Cybersecurity Strategy.

We’ll continue to share updates here as more information becomes available.

If you’d like to stay on top of all of the latest news and information regarding how recent government cybersecurity actions impact organizations developing applications with open source, visit our government open source cybersecurity resource center.
