118 HR 3286 IH: Securing Open Source Software Act of 2023 U.S. House of Representatives 2023-05-15 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I118th CONGRESS1st SessionH. R. 3286IN THE HOUSE OF REPRESENTATIVESMay 15, 2023Mr. Green of Tennessee (for himself, Mr. Garbarino, and Mr. Swalwell) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committee on Oversight and Accountability, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concernedA BILLTo amend the Homeland Security Act of 2002 to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes.

1.

Short title

This Act may be cited as the Securing Open Source Software Act of 2023.

2.

Open source software security duties

(a)

In general

Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 650 et seq.) is amended—(1)in section 2200 (6 U.S.C. 650)—(A)by redesignating paragraphs (22) through (28) as paragraphs (25) through (31), respectively; and(B)by inserting after paragraph (21) the following new paragraphs:(22)

Open source software

The term open source software means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution.(23)

Open source software community

The term open source software community means the community of individuals, foundations, nonprofit organizations, corporations, and other entities that—(A)develop, contribute to, maintain, and publish open source software; or(B)otherwise work to ensure the security of the open source software ecosystem.(24)

Open source software component

The term open source software component means an individual repository of open source software that is made available to the public.; (2)in section 2202(c) (6 U.S.C. 652(c))—(A)in paragraph (13), by striking and at the end;(B)by redesignating paragraph (14) as paragraph (15); and(C)by inserting after paragraph (13) the following:(14)support, including by offering services, the secure usage and deployment of software, including open source software, in the software development lifecycle at Federal agencies in accordance with section 2220F; and; and(3)by adding at the end the following:

2220F.

Open source software security duties

(a)

Definition

In this section, the term software bill of materials has the meaning given such term in the Minimum Elements for a Software Bill of Materials published by the Department of Commerce, or any superseding definition published by the Agency. (b)

Employment

The Director shall, to the greatest extent practicable, employ individuals in the Agency who—(1)have expertise and experience participating in the open source software community; and(2)perform the duties described in subsection (c).(c)

Duties of the Director

(1)

In general

The Director shall—(A)perform outreach and engagement to bolster the security of open source software;(B)support Federal efforts to strengthen the security of open source software;(C)coordinate, as appropriate, with non-Federal entities on efforts to ensure the long-term security of open source software;(D)serve as a public point of contact regarding the security of open source software for non-Federal entities, including State, local, Tribal, and territorial partners, the private sector, international partners, and open source software communities; and(E)support Federal and non-Federal supply chain security efforts by encouraging efforts to bolster open source software security, such as—(i) assisting in coordinated vulnerability disclosures in open source software components pursuant to section 2209(n); and(ii)supporting the activities of the Federal Acquisition Security Council.(2)

Assessment of critical open source software components

(A)

Framework

Not later than one year after the date of the enactment of this section, the Director shall publicly publish a framework, incorporating government, private sector, and open source software community frameworks and best practices, including those published by the National Institute of Standards and Technology, for assessing the risk of open source software components, including direct and indirect open source software dependencies, which shall incorporate, at a minimum, the following with respect to a given open source software component:(i)The security properties of code, such as whether the code is written in a memory-safe programming language.(ii)The security practices of development, build, and release processes, such as the use of multi-factor authentication by maintainers and cryptographic signing of releases.(iii)The number and severity of publicly known, unpatched vulnerabilities.(iv)The breadth of deployment.(v)The level of risk associated with where such component is integrated or deployed, such as whether such component operates on a network boundary or in a privileged location.(vi)The health of the open source software community, including, where applicable, the level of current and historical investment and maintenance in such component, such as the number and activity of individual maintainers.(B)

Updating framework

Not less frequently than annually after the date on which the framework is published under subparagraph (A), the Director shall—(i)determine whether updates are needed to such framework, including the augmentation, addition, or removal of the elements described in clauses (i) through (vi) of such subparagraph; and (ii)if the Director so determines that such additional updates are needed, make such updates.(C)

Developing framework

In developing the framework described in subparagraph (A), the Director shall consult with the following:(i)Appropriate Federal agencies, including the National Institute of Standards and Technology.(ii)Individuals and nonprofit organizations from the open source software community.(iii)Private sector entities from the open source software community.(D)

Usability

The Director shall ensure, to the greatest extent practicable, that the framework described in subparagraph (A) is usable by the open source software community, including through the consultation required under subparagraph (C).(E)

Federal open source software assessment

Not later than one year after the publication of the framework under subparagraph (A) and not less frequently than every two years thereafter, the Director shall, to the greatest extent practicable and using such framework—(i)perform an assessment of each open source software component used directly or indirectly by Federal agencies based on readily available, and, to the greatest extent practicable, machine readable, information, such as—(I)software bills of material that are, at the time of the assessment, made available to the Agency or are otherwise accessible via the internet; (II)software inventories, available to the Director at the time of the assessment, from the Continuous Diagnostics and Mitigation program of the Agency; and(III)other publicly available information regarding open source software components; and (ii)develop one or more ranked lists of components described in clause (i) based on the assessment, such as ranked by the criticality, level of risk, or usage of the components, or a combination thereof.(F)

Automation

The Director shall, to the greatest extent practicable, automate the assessment performed pursuant to subparagraph (E).(G)

Publication

The Director shall publicly publish and maintain any tools developed to perform the assessment under subparagraph (E) as open source software.(H)

Sharing

(i)

Results

The Director shall facilitate the sharing of the results of each assessment under subparagraph (E)(i) with appropriate Federal and non-Federal entities working to support the security of open source software, including by offering means for appropriate Federal and non-Federal entities to download the assessment in an automated manner. (ii)

Datasets

The Director may publicly publish, as appropriate, any datasets or versions of the datasets developed or consolidated as a result of an assessment under subparagraph (E)(i).(I)

Critical infrastructure assessment study and pilot

(i)

Study

Not later than two years after the publication of the framework under subparagraph (A), the Director shall conduct a study regarding the feasibility of the Director conducting the assessment under subparagraph (E) for critical infrastructure entities.(ii)

Pilot

(I)

In general

If the Director determines that the assessment described in clause (i) is feasible, the Director may conduct a pilot assessment on a voluntary basis with one or more critical infrastructure sectors, in coordination with the Sector Risk Management Agency and the sector coordinating council of each participating sector.(II)

Termination

If the Director proceeds with the pilot assessment described in subclause (I), such pilot assessment shall terminate not later than two years after the date on which the Director begins such pilot assessment.(iii)

Reports

(I)

Study

Not later than 180 days after the date on which the Director completes the study conducted under clause (i), the Director shall submit to the appropriate congressional committees a report that—(aa)summarizes the study; and (bb)states whether the Director plans to proceed with the pilot assessment described in clause (ii)(I).(II)

Pilot

If the Director proceeds with the pilot assessment described in clause (ii), not later than one year after the date on which the Director begins such pilot assessment, the Director shall submit to the appropriate congressional committees a report that includes the following:(aa)A summary of the results of such pilot assessment.(bb)A recommendation as to whether the activities carried out under such pilot assessment should be continued after the termination of such pilot assessment in accordance with clause (ii)(II). (3)

Coordination with National Cyber Director

The Director shall—(A)brief the National Cyber Director on the activities described in this subsection; and(B)consult with the National Cyber Director regarding such activities, as appropriate.(4)

Reports

(A)

In general

Not later than one year after the date of the enactment of this section and every two years thereafter, the Director shall submit to the appropriate congressional committees a report that includes for the period covered by each such report the following:(i)A summary of the work on open source software security performed by the Director, including a list of the Federal and non-Federal entities with which the Director interfaced.(ii)The framework under paragraph (2)(A) or a summary of any updates to such framework pursuant to paragraph (2)(B), as the case may be.(iii)A summary of each assessment under paragraph (2)(E)(i).(iv)A summary of changes made to each such assessment, including overall security trends.(v)A summary of the types of entities with which each such assessment was shared pursuant to paragraph (2)(H), including a list of the Federal and non-Federal entities with which such assessment was shared.(B)

Public report

Not later than 30 days after the date on which the Director submits each report required under subparagraph (A), the Director shall make a version of each such report publicly available on the website of the Agency.

.(b)

Technical and conforming amendment

The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 2220E the following new item:Sec. 2220F. Open source software security duties..(c)

Software security advisory subcommittee

Section 2219(d)(1) of the Homeland Security Act of 2002 (6 U.S.C. 665e(d)(1)) is amended by adding at the end the following:(E)Software security, including open source software security..(d)

Rule of construction

Nothing in this Act or the amendments made by this Act may be construed to provide any additional regulatory authority to any Federal agency described therein.