113 HR 5793 IH: Cyber Supply Chain Management and Transparency Act of 2014
U.S. House of Representatives
2014-12-04

Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I

113th CONGRESS
2d Session

H. R. 5793

IN THE HOUSE OF REPRESENTATIVES

December 4, 2014

Mr. Royce (for himself and Ms. Jenkins) introduced the following bill; which was referred to the Committee on Oversight and Government Reform

A BILL

To ensure the integrity of any software, firmware, or product developed for or purchased by the United States Government that uses a third party or open source component, and for other purposes.

1. Short title

This Act may be cited as the Cyber Supply Chain Management and Transparency Act of 2014.

2. Software, firmware, or product with known security vulnerabilities or defects

(a) OMB guidelines required

    (1) Clauses required in software, firmware, or product contracts for software, firmware, or product created with a binary component

    Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in consultation with the Secretary of Defense, the Secretary of Homeland Security, and any other intelligence or national security agency the Director determines to be necessary, shall issue guidelines for each agency that require including the following clauses in any contract for the acquisition of software, firmware, or product that contains a binary component:

        (A) Component list. A clause that requires the inclusion of a comprehensive and confidentially supplied list, or a bill of materials, of each binary component of the software, firmware, or product that is used in the software, firmware, or product.

        (B) Verification required. A clause that requires the contractor providing the software, firmware, or product—

            (i) to verify that the software, firmware, or product does not contain any known security vulnerabilities or defects that are listed in the National Institute of Standards and Technology National Vulnerability Database and any additional database selected by the Director of the Office of Management and Budget (that is credible and similar to the National Vulnerability Database) that tracks security vulnerabilities and defects in a binary component, and that is necessary to capture a wider list of binary components (with known security vulnerabilities or defects and for which a less vulnerable alternative is available); and

            (ii) to notify the purchasing agency of any known security vulnerabilities or defects discovered through the verification required under clause (i).

        (C) Waiver. A clause that requires—

            (i) a contractor to submit a written application, and obtain a waiver, for each binary component that is known to be vulnerable from the head of the purchasing agency; and

            (ii) if the head of the purchasing agency approves the waiver, such head shall provide the contractor with a written statement that the agency accepts all of the risk associated with the use of such binary component.

        (D) Updates. A clause that requires such software, firmware, or product to be written or designed in a manner that allows for any future security vulnerability or defect in any part of the software, firmware, or product to be easily patched, updated, or replaced to fix the vulnerability or defect in the software, firmware, or product.

        (E) Timely repair. A clause that requires the contractor to provide a repair in a timely manner with regard to any new security vulnerability discovered through any of the databases described in subparagraph (B).

    (2) Disclosure of security vulnerability or defect

    Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget shall issue guidelines for each agency with respect to any software, firmware, or product in use by the United States Government that contains a binary component that requires each agency to have a process—

        (A) to replace any currently known vulnerable binary component; and

        (B) to remove and repair any new vulnerable binary component after such component becomes known pursuant to paragraph (1)(B).

    (3) Agency guidelines

        (A) Software, firmware, or product that cannot be fixed or patched

        Not later than 220 days after the date of the enactment of this Act, the Director of the Office of Management and Budget shall issue guidelines for each agency with respect to any software, firmware, or product that contains a known vulnerable binary component—

            (i) that cannot be fixed, patched, or updated; and

            (ii) that requires such component to migrate to patchable, repairable, and fixable products.

        (B) Inventory of existing software, firmware, or product with a known vulnerable binary component

        Not later than 20 months after the date of the enactment of this Act, the Director of the Office of Management and Budget shall instruct each agency to provide the relevant office in the Department of Homeland Security with a list of each known vulnerable binary in any software, firmware, or product in use by each agency.

        (C) Analysis of project integrity and annual report

        Not later than twelve months after all lists described in subparagraph (B) are provided to the Department of Homeland Security, the Secretary of Homeland Security shall issue an annual confidential report describing the security vulnerabilities of the projects that created any known vulnerable binary component in any list described in subparagraph (B) and through the verification required under paragraph (1)(B). The report shall assess the integrity of binary component suppliers for the incidence of security vulnerabilities, the severity, and the mean time to remediate such vulnerabilities, which can be applied to assess the security of binary projects and suppliers, for use by other agencies.

(b) Report on removal of binary component with known security vulnerability or defect

Not later than 30 months after the date of the enactment of this Act, the head of each agency shall submit to each relevant Committee of jurisdiction in the House of Representatives and the Senate a report on the completion of the removal of each binary component with known security vulnerabilities or defects in the agency and shall include a classified version of this report for the Permanent Select Committee on Intelligence and the Committees on Armed Services, Foreign Affairs, and Homeland Security of the House of Representatives and the Select Committee on Intelligence and the Committees on Armed Services, Foreign Affairs, and Homeland Security and Governmental Affairs of the Senate. The report shall also detail the policies, procedures, and processes by which a newly discovered vulnerable binary component is replaced in software, firmware, and products in use by the United States Government.

(c) Other entities of the United States Government

Any other entity of the United States Government—

    (1) shall replace any vulnerable binary component with another less vulnerable alternative in any software, firmware, or product in use by the entity; and

    (2) shall begin such replacement process with critical systems.

(d) Definitions

In this section:

    (1) Agency. The term "agency" has the meaning given that term in section 551(1) of title 5, United States Code.

    (2) Binary component. The term "binary component" means a third party or open source component.