[Senate Report 117-278]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 677
117th Congress      }                                   {       Report
                                 SENATE
 2d Session         }                                   {      117-278
_______________________________________________________________________

                                     



                     SECURING OPEN SOURCE SOFTWARE 
                              ACT OF 2022

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 4913

             TO ESTABLISH THE DUTIES OF THE DIRECTOR OF THE
            CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
    REGARDING OPEN SOURCE SOFTWARE SECURITY, AND FOR OTHER PURPOSES










[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








               December 19, 2022.--Ordered to be printed 
               
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
39-010                   WASHINGTON : 2023
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
              William H.W. McKenna, Minority Chief Counsel
                     Laura W. Kilbride, Chief Clerk





















                                                      Calendar No. 677
117th Congress      }                                   {       Report
                                 SENATE
 2d Session         }                                   {      117-278

======================================================================



 
               SECURING OPEN SOURCE SOFTWARE ACT OF 2022

                                _______
                                

               December 19, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 4913]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 4913) to establish 
the duties of the Director of the Cybersecurity and 
Infrastructure Security Agency regarding open source software 
security, and for other purposes, having considered the same, 
reports favorably thereon with amendments and recommends that 
the bill, as amended, do pass.

                                CONTENTS

                                                                     Page
  I. Purpose and Summary..............................................  1
 II. Background and Need for the Legislation..........................  2
III. Legislative History..............................................  4
 IV. Section-by-Section Analysis of the Bill, as Reported.............  5
  V. Evaluation of Regulatory Impact..................................  7
 VI. Congressional Budget Office Cost Estimate........................  7
VII. Changes in Existing Law Made by the Bill, as Reported...........  10

                         I. Purpose and Summary

    S. 4913, the Securing Open Source Software Act of 2022, 
authorizes a number of activities at the Cybersecurity and 
Infrastructure Security Agency (CISA) to support the security 
of open source software in the Federal government and in 
private sector critical infrastructure. The bill requires CISA 
to publish and use a framework to evaluate the risk of open 
source components in use across Federal systems, and to study 
the potential for such an evaluation in private sector critical 
infrastructure. Additionally, the bill establishes a software 
security subcommittee on the CISA Cybersecurity Advisory 
Committee and requires the Office of Management and Budget 
(OMB) to issue guidance on the responsibilities of Federal 
agency chief information officers regarding open source 
software.

              II. Background and Need for the Legislation

    Open-source software is ubiquitous in modern information 
technology. Virtually every computer in the world, and every 
software application, contains open-source software--it is one 
of the foundational building blocks of the modern digital 
world.\1\ Due to its near universal use, a vulnerability 
affecting a widespread open source software component can be 
leveraged to attack millions of computers by bad actors, 
including Federal government systems, as evidenced by the 
significant public attention paid to the Log4Shell 
vulnerability. In November 2021, researchers from the Chinese 
technology company Alibaba disclosed a vulnerability, called 
Log4Shell, affecting Log4j, a widely used open-source logging 
library for the Java programming language.\2\ On December 10, 
2021, the vulnerability was publicly disclosed, along with a 
patch that fixed the vulnerability.\3\ The vulnerability allows 
attackers to easily execute arbitrary code on computers, 
effectively allowing an attacker to take full control over a 
system.\4\ Jen Easterly, the Director of CISA, called Log4Shell 
``one of the most serious'' vulnerabilities she had ever 
seen.\5\ S. 4913, the Securing Open-Source Software Act, would 
help to improve the secure use of open-source software in the 
Federal government and critical infrastructure.
---------------------------------------------------------------------------
    \1\The Digital Economy Runs on Open Source. Here's How to Protect 
It., Harvard Business Review (Sep. 2, 2021) (https://hbr.org/2021/09/
the-digital-economy-runs-on-open-source-heres-how-to-protect-it).
    \2\Senate Committee on Homeland Security and Governmental Affairs, 
Hearing on Responding to and Learning from the Log4Shell Vulnerability, 
117th Cong. (2022). (Statement of David Nalley, President of Apache 
Software Foundation).
    \3\Cybersecurity and Infrastructure Security Agency, Mitigating 
Log4Shell and Other Log4j-
Related Vulnerabilities (Dec. 2021) (www.cisa.gov/uscert/ncas/alerts/
aa21-356a).
    \4\Id.
    \5\CISA warns `most serious' Log4j vulnerability likely to affect 
hundreds of millions of devices, CyberScoop (Dec. 2021) 
(www.cyberscoop.com/log4j-cisa-easterly-most-serious/).
---------------------------------------------------------------------------
    Open-source software is software where the license (an 
open-source license) allows the source code to be reviewed, 
modified, and used by the public to customize it for their own 
purpose, often at no cost.\6\ Much open-source software is 
developed by not-for-profit entities--whether formally 
organized communities, loosely organized groups of developers, 
or individuals--though there are many exceptions.\7\ It is 
collaboratively developed in a decentralized way and as a 
result is often cheaper, more flexible, and longer lasting than 
proprietary software.\8\ Proprietary software can only be 
legally altered or copied by the original authors and used for 
the purposes specified in the license.\9\ Linux is an example 
of widely used open-source software.\10\
---------------------------------------------------------------------------
    \6\What is open source?, Red Hat, (Oct. 24, 2019), https://
www.redhat.com/en/topics/open-source/what-is-open-source.
    \7\E.g., Google Open Source, https://opensource.google/.
    \8\Id.
    \9\See Id.
    \10\What is open source?, Red Hat, (Oct. 24, 2019), https://
www.redhat.com/en/topics/open-source/what-is-open-source.
---------------------------------------------------------------------------
    Although some open-source software is simply released for 
public use by the author and not maintained, other open-
software may continue to have an official version that is 
maintained through organized communities of open-source 
software developers. These communities are often facilitated by 
`foundations'--generally non-profit organizations run by 
volunteers who set rules and standards for any products that 
choose to be maintained under that foundation's umbrella. An 
open-source software developer can continue to maintain control 
over official versions and although anyone can download, modify 
and use the source code for their own purposes, only developers 
who are approved by the project can modify and publish a new 
official version of the software.\11\ For example, the Apache 
Software Foundation facilitates about 650,000 people working on 
about 350 official products.\12\ Although anyone can download, 
modify, and use open-source Apache software, including any of 
the 650,000 people working on the project, only about 8,300 of 
them have earned some level of status in the different project 
communities that allows them to implement changes to the 
official versions of code.\13\ Others can only propose changes, 
which are then reviewed by a core team.\14\ It can take months 
or years of work and the submission of more than 50 or 100 
proposed changes (dependent on the Foundation's and project's 
own policies) before someone is granted the status to change 
the official code.\15\
---------------------------------------------------------------------------
    \11\David Nalley, President, Apache Software Foundation, Interview 
with Senate Homeland Security and Governmental Affairs Staff (Jan. 14, 
2022).
    \12\Id.
    \13\Id.
    \14\Id.
    \15\Id.
---------------------------------------------------------------------------
    Open-source software code can be used like building blocks 
in larger software projects by developers for little to no 
cost.\16\ On average, an enterprise application has 384 open-
source libraries, which saves significant development time and 
expense.\17\ For example, keeping track of what software is 
doing, i.e., logging (the function of Log4j), is a commonly 
used function--most software applications need to perform this 
action. Rather than having every software company develop, 
maintain, and upgrade this same function--open-source software 
was created and made freely available for anyone to use.\18\
---------------------------------------------------------------------------
    \16\Id.
    \17\Megan Stifel, Chief Strategy Officer, Institute for Security 
and Technology and Marc Rogers, Vice President of Cybersecurity 
Strategy, Okta, Inc., Interview with Senate Homeland Security and 
Governmental Affairs Staff (Jan. 14, 2022).
    \18\What is open source?, Red Hat, (Oct. 24, 2019), https://
www.redhat.com/en/topics/open-source/what-is-open-source.
---------------------------------------------------------------------------
    Open source software, as with any software, has security 
challenges. Certain practices, such as secure coding education 
and adoption of security practices, can help secure software, 
including open source software.\19\ For instance, the majority 
of vulnerabilities in software today are caused by flaws 
related to memory access.\20\ Shifting away from memory-unsafe 
programming languages, such as C and C++, and towards memory-
safe programming languages, such as Rust, Python, and Java, can 
eliminate entire classes of vulnerabilities.\21\ The 
legislation's framework for assessing the risk of open source 
components requires an evaluation of the use of such security 
practices in open source software components.
---------------------------------------------------------------------------
    \19\Open Source Security Foundation, The Open Source Software 
Security Mobilization Plan (May 2022) (openssf.org/oss-security-
mobilization-plan/).
    \20\Internet Security Research Group, What is memory safety and why 
does it matter? (.memorysafety.org/docs/memory-safety/) and National 
Security Agency, Cybersecurity Information Sheet: Software Memory 
Safety (Document Number: U/OO/219936-22 | PP-22-1723)(Nov 2022) 
(https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/
CSI_SOFTWARE_MEMORY_ SAFETY.PDF).
    \21\Id.
---------------------------------------------------------------------------
    Following the announcement of the Log4Shell vulnerability, 
the Senate Homeland Security and Governmental Affairs Committee 
held a hearing investigating its impact.\22\ During the 
hearing, experts testified on the importance of open source 
software and the need for the Federal government to aid in 
securing it.\23\ Recommendations for improving the relationship 
between the government and the open source community, 
increasing the government's investment in securing software 
supply chains, and evaluating open source software security 
risk were made by members of the panel, and have been 
incorporated into this legislation.\24\
---------------------------------------------------------------------------
    \22\Senate Committee on Homeland Security and Governmental Affairs, 
Hearing on Responding to and Learning from the Log4Shell Vulnerability, 
117th Cong. (2022).
    \23\Id.
    \24\Senate Committee on Homeland Security and Governmental Affairs, 
Hearing on Responding to and Learning from the Log4Shell Vulnerability, 
117th Cong. (2022). (Statements of Dr. Trey Herr, Director of Cyber 
Statecraft Initiative, Atlantic Council and Brad Arkin, Senior Vice 
President, Chief Security and Trust Officer, Cisco Systems, and David 
Nalley, President of Apache Software Foundation).
---------------------------------------------------------------------------
    The Department of Homeland Security's (DHS) Cyber Safety 
Review Board (CSRB), established in President Biden's Executive 
Order on Improving the Nation's Cybersecurity, conducted an 
investigation into Log4Shell.\25\ In its review, the CSRB found 
that Log4Shell is an ``endemic vulnerability'' and that the 
vulnerability will ``remain in systems for many years to 
come.''\26\ Despite its pervasiveness and significant attempts 
at exploitation, the CSRB did not yet find any ``significant'' 
attacks on critical infrastructure systems leveraging the Log4j 
vulnerability.\27\
---------------------------------------------------------------------------
    \25\The White House, Executive Order on Improving the Nation's 
Cybersecurity (May 2021) (www.whitehouse.gov/briefing-room/
presidential-actions/2021/05/12/executive-order-on-improving -the-
nations-cybersecurity/).
    \26\Cyber Safety Review Board, Review of the December 2021 Log4j 
Event (July 2022) (www.cisa.gov/sites/default/files/publications/CSRB-
Report-on-Log4-July-11-2022_508.pdf).
    \27\Id.
---------------------------------------------------------------------------
    Open source community efforts such as the Open Source 
Security Foundation (OpenSSF), housed under the non-profit 
Linux Foundation, have been established to aid in securing open 
source software.\28\ In 2022, the OpenSSF released the Open 
Source Software Security Mobilization Plan, outlining work 
streams to secure open source software, including replacing 
non-memory safe programming languages and conducting risk 
assessments for top open source software components.\29\ This 
legislation would facilitate partnerships with such community 
efforts to ensure government systems are being effectively 
secured and that the government contributes to the security of 
open source software.
---------------------------------------------------------------------------
    \28\Open Source Security Foundation (openssf.org).
    \29\Id at 4.
---------------------------------------------------------------------------

                        III. Legislative History

    Senators Peters (D-MI) and Portman (R-OH) introduced S. 
4913, the Securing Open Source Software Act of 2022, on 
September 21, 2022. The bill was referred to the Senate 
Committee on Homeland Security and Governmental Affairs. The 
Committee considered S. 4913 at a business meeting on September 
28, 2022. The Committee ordered S. 4913 reported favorably by 
voice vote en bloc with Senators Peters, Carper, Hassan, 
Sinema, Rosen, Padilla, Ossoff, Portman, Johnson, Paul, 
Lankford, Romney, Scott, and Hawley present.
    Consistent with Committee Rule 3(G), the Committee reports 
the bill with a technical amendment by mutual agreement of the 
Chairman and Ranking Member.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the name of the bill as the 
``Securing Open Source Software Act of 2022''.

Section 2. Findings

    This section provides Congress's findings on the need for 
the legislation, including that the open source software 
ecosystem is crucial for the national security of the United 
States, and that the Federal government should play a 
supporting role in ensuring the long-term security of open 
source software.

Section 3. Open source software security duties

    Subsection (a) paragraph (1) amends section 2201 of 
Subtitle A of title XXII of the Homeland Security Act of 2002 
to define the terms ``open source software'', ``open source 
software community'', and ``open source software component''.
    Subsection (a) paragraph (2) amends section 2202 of 
Subtitle A of title XXII of the Homeland Security Act by 
amending the responsibilities of the Director of the 
Cybersecurity and Infrastructure Security Agency (CISA) to 
include supporting the secure usage and deployment of software, 
including open source software, in the software development 
lifecycle at Federal agencies.
    Subsection (a) paragraph (3) adds Section 2220E of Subtitle 
A of title XXII, which establishes the duties of the Director 
of CISA regarding open source software security.

Section 2220E. Open source software security duties

    The section defines the term ``software bill of 
materials''.
    The section requires that the Director employ individuals 
who, to the greatest extent practicable, have expertise and 
experience participating in the open source software community.
    The section then establishes duties of the Director 
regarding open source software security, which includes 
performing outreach and engagement to secure open source 
software, supporting Federal efforts to secure open source 
software, and serving as a public point of contact for the 
security of open source software.
    The section also requires the Director to conduct an 
assessment of critical open source software components. The 
Director must publish a framework to assess the risk of open 
source software components, incorporating government, industry, 
and open source software community frameworks and best 
practices. The Director must determine every year whether 
additional updates to the framework are needed. In developing 
the framework, the Director must consult with open source 
community members and Federal agencies.
    The section then directs the Director to perform an 
assessment of the most critical open source software components 
used within the Federal government, using the established 
framework. The Director shall automate the assessment to the 
greatest extent practicable. The Director shall publish tools 
developed to conduct the assessment, and shall share results of 
the assessment with appropriate entities.
    The section also directs the Director to study the 
feasibility of conducting the assessment for critical 
infrastructure entities. If the Director determines the 
assessment to be feasible, the Director may conduct a voluntary 
pilot assessment with one or more critical infrastructure 
sectors. The Director shall submit a report to Congress 
following the study and the pilot.
    The section requires the Director to report to Congress not 
later than 1 year after the date of enactment of the section, 
and every 2 years thereafter. The Director shall make a version 
of such reports publicly available.
    The section also requires the Director to brief and 
coordinate activities with the National Cyber Director, as 
appropriate.

Section 4. Software security advisory subcommittee

    This section adds a subcommittee on software security, 
including open source software security, to the CISA 
Cybersecurity Advisory Committee.

Section 5. Open source software guidance

    This section defines the term ``Director'' to mean the 
Director of the Office of Management and Budget (OMB). The 
section defines the terms ``open source software'', and ``open 
source software community'' to have the meaning given in this 
Act. The section also defines the terms ``appropriate 
congressional committee'' and ``covered agency''.
    This section then requires the Director of OMB to issue 
guidance on the responsibilities of the chief information 
officer at each covered agency regarding open source software. 
This guidance includes how chief information officers should 
manage and reduce risks of using open source software, guide 
contributing to and releasing open source software, and enable 
the secure usage of open source software. National security 
systems are exempt from such guidance.
    The section establishes a pilot to establish open source 
functions at 1 or more covered agencies. The pilot functions 
shall be modeled after existing non-Federal open source program 
offices, and support the secure usage of open source software 
at the covered agency. Following the establishment of the 
pilot, the Director of OMB shall assess whether such functions 
should be established at covered agencies. If so, the Director 
shall issue guidance on the implementation of those functions.
    The section requires the Director of OMB to brief Congress 
on the guidance and issue a report on the pilot open source 
function.
    The section also amends Section 3554(b) of title 44, United 
States Code, to include the secure usage and development of 
software, including open source software, in the information 
security responsibilities of Federal agencies.

Section 6. Rule of construction

    This section states that nothing in this Act or the 
amendments made by this act shall be construed to provide any 
additional regulatory authority to any agency described 
therein.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, November 9, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 4913, the Securing 
Open Source Software Act of 2022.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    
    

    The bill would:
           Require assessments of open-source software 
        used by federal agencies and critical infrastructure 
        operators
           Establish program offices to manage secure 
        open-source software at federal agencies
           Require the Cybersecurity and Infrastructure 
        Security Agency to hire open-source software analysts
           Require several reports and studies about 
        the effectiveness of open-source software assessments
    Estimated budgetary effects would mainly stem from:
           Testing information systems for open-source 
        software vulnerabilities
           Assessing federal network security
           Hiring open-source software analysts
    Areas of significant uncertainty include:
           Anticipating the deployment schedules of 
        hardware and software solutions
           Predicting the staffing requirements of 
        federal open-source program offices
    Bill summary: S. 4913 would authorize the Cybersecurity and 
Infrastructure Security Agency (CISA) to improve the security 
of open-source software, or computer code that is publicly 
available for anyone to use or modify. The bill would require 
the agency to identify and mitigate vulnerabilities in open-
source software used by federal agencies and critical 
infrastructure operators. CISA also would conduct annual 
assessments of the security of commonly used open-source 
software.
    S. 4913 also would require federal agencies to establish 
open-source software program offices under their chief 
information security officers. The bill would direct agencies 
to develop policies for the safe deployment and management of 
open-source software on their information networks.
    Estimated Federal cost: The estimated budgetary effects of 
S. 4913 are shown in Table 1.

                                TABLE 1.--ESTIMATED BUDGETARY EFFECTS OF S. 4913
----------------------------------------------------------------------------------------------------------------
                                                                     By fiscal year, millions of dollars--
                                                              --------------------------------------------------
                                                                2023    2024    2025    2026    2027   2023-2027
----------------------------------------------------------------------------------------------------------------
Open-Source Software Assessments:
    Estimated Authorization..................................       *      90      50      50      30       220
    Estimated Outlays........................................       *      25      46      59      45       175
Open-Source Program Offices:
    Estimated Authorization..................................       0      12      18      26      26        82
    Estimated Outlays........................................       0      12      18      26      26        82
CISA Open-Source Staff:
    Estimated Authorization..................................       2       4       4       4       4        18
    Estimated Outlays........................................       2       4       4       4       4        18
    Total Changes:
        Estimated Authorization..............................       2     106      72      80      60       320
        Estimated Outlays....................................       2      41      68      89      75       275
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.

    Basis of estimate: For this estimate, CBO assumes that S. 
4913 will be enacted by the end of 2022 and that CISA would 
begin to implement most of the bill's requirements in 2024. On 
the basis of information from CISA, CBO expects that the agency 
would not offer cybersecurity assessments to critical 
infrastructure operators until after 2027.
    CBO expects that the costs to implement S. 4913 would 
include the salaries and benefits of additional federal staff, 
procurement of new hardware systems, and service contracts with 
cybersecurity analytics firms. Outlays are based on historical 
spending patterns for existing or similar programs.
    Spending subject to appropriation: CBO estimates that 
implementing the bill would cost $275 million over the 2023-
2027 period. Such spending would be subject to the availability 
of appropriated funds.
    Open-source software assessments: CISA currently operates 
programs to identify and mitigate threats to federal 
information systems. S. 4913 would require CISA to assess open-
source software used by the federal government for security 
vulnerabilities. Under the bill, CISA would review the supply 
chain histories of open-source applications to identify any 
potential cybersecurity vulnerabilities in the underlying code. 
CISA would then publish its findings so that software users 
could remediate any weaknesses.
    Using information from CISA, CBO expects that the agency 
would implement this program by procuring a new information 
technology system with the capability to scan federal networks 
for weaknesses in the components of open-source software. On 
the basis of similar acquisition programs, CBO estimates that 
acquiring that system would require appropriations of $190 
million over the 2024-2026 period. CBO expects that beginning 
in 2027, CISA would subsequently contract with cybersecurity 
advisory companies to monitor data feeds, analyze results for 
potential weaknesses, provide vulnerability scans and remote 
penetration testing, and maintain the system, which would 
require annual appropriations of $30 million. Accounting for 
the time needed to complete deployment of the new system, CBO 
estimates that implementing those requirements would cost $175 
million over the 2023-2027 period.
    Open-source program offices: S. 4913 would require the 24 
federal agencies covered under the Chief Financial Officers Act 
to establish new offices to manage the use of secure open-
source software. CBO expects the agencies covered under this 
bill would each require on average five analysts to develop 
policies, share best practices, and monitor open-source 
applications used by their agencies. CBO estimates that each 
analyst would earn an average annual rate of about $175,000 and 
that agencies would begin hiring those employees in 2024. On 
that basis and accounting for the effects of anticipated 
inflation, CBO estimates that salaries and benefits of those 
employees would total $82 million over the 2023-2027 period.
    CISA open-source staff: S. 4913 would require CISA to hire 
additional analysts with expertise in the development of secure 
open-source software. Within one year of enactment, CISA would 
be required to publish guidance for federal, state, and 
private-sector entities to securely adopt and manage open-
source software in their information networks and devices. CISA 
also would identify and publish vulnerabilities in open-source 
software. CBO expects that CISA would hire 20 new open-source 
software analysts beginning in 2023 at an average annual cost 
of about $175,000 per employee. On that basis and accounting 
for the effects of anticipated inflation, CBO estimates that 
salaries and benefits of those employees would total $18 
million over the 2023-2027 period.
    Uncertainty: Areas of uncertainty in this estimate include 
predicting the acquisition timeline to support assessments at 
federal agencies and critical infrastructure operators. CBO 
anticipates that CISA would be able to procure and deploy the 
necessary hardware and software to assess federal open-source 
software in the 2024-2026 period and that CISA would not likely 
be able to deploy a solution for critical infrastructure until 
after 2027. The budgetary effects of the bill could be tens of 
millions of dollars higher or lower than CBO's estimate if the 
time needed to deploy the system differs from CBO's estimate.
    The budgetary effects of the bill also would depend on 
accurately predicting the number of additional employees that 
would be needed at CISA and other federal agencies to satisfy 
the requirements of the bill. Costs would be moderately larger 
or smaller than this estimate depending on how the number of 
hired open-source software analysts differs from CBO's 
estimate.
    Pay-As-You-Go considerations: None.
    Increase in long-term deficits: None.
    Mandates: None.
    Estimate prepared by: Federal costs: Aldo Prosperi; 
Mandates: Brandon Lever.
    Estimate reviewed by: David Newman, Chief, Defense, 
International Affairs, and Veterans' Affairs Cost Estimates 
Unit; Kathleen FitzGerald, Chief, Public and Private-Sector 
Mandates Unit; Leo Lex, Deputy Director of Budget Analysis; 
Theresa Gullo, Director of Budget Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

           *       *       *       *       *       *       *


Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based 
          Practices.
Sec. 2220E. Open source software security duties.
     * * * * * * *

                  Subtitle D--Cyber Incident Reporting

     * * * * * * *
[Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based 
          Practices.]
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

         Subtitle A--Cybersecurity and Infrastructure Security

SEC. 2201. DEFINITIONS.

    In this subtitle:
          (1) * * *
          (2) * * *
          (3) * * *
          (4) * * *
          (5) Open source software.--The term `open source 
        software' means software for which the human-readable 
        source code is made available to the public for use, 
        study, re-use, modification, enhancement, and re-
        distribution.
          (6) Open source software community.--The term `open 
        source software community' means the community of 
        individuals, foundations, nonprofit organizations, 
        corporations, and other entities that--
                  (A) develop, contribute to, maintain, and 
                publish open source software; or
                  (B) otherwise work to ensure the security of 
                the open source software ecosystem.
          (7) Open source software component.--The term `open 
        source software component' means an individual 
        repository of open source software that is made 
        available to the public.
          ([5]8) * * *
          ([6]9) * * *
          ([7]10) * * *

SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

    (a) * * *
    (b) * * *
    (c) * * *

           *       *       *       *       *       *       *

          (13) carry out the duties and authorities relating to 
        the .gov internet domain, as described in section 2215; 
        [and]
          (14) support, including by offering services, the 
        secure usage and deployment of software, including open 
        source software, in the software development lifecycle 
        at Federal agencies in accordance with section 2220E; 
        and
          ([14]15) * * *

           *       *       *       *       *       *       *


SEC 2219. CYBERSECURITY ADVISORY COMMITTEE.

    (a) * * *
    (b) * * *
    (c) * * *
    (d) Subcommittees.--
          (1) In general.--The Director shall establish 
        subcommittees within the Advisory Committee to address 
        cybersecurity issues, which may include the following:
                  (A) Information exchange.
                  (B) Critical infrastructure.
                  (C) Risk management.
                  (D) Public and private partnerships.
                  (E) Software security, including open source 
                software security.

           *       *       *       *       *       *       *


SEC. 2220E. OPEN SOURCE SOFTWARE SECURITY DUTIES.

    (a) Definition.--In this section, the term `software bill 
of materials' has the meaning given the term in the Minimum 
Elements for a Software Bill of Materials published by the 
Department of Commerce, or any superseding definition published 
by the Agency.
    (b) Employment.--The Director shall, to the greatest extent 
practicable, employ individuals in the Agency who--
          (1) have expertise and experience participating in 
        the open source software community; and
          (2) perform the duties described in subsection (c).
    (c) Duties of the Director.--
          (1) In general.--The Director shall--
                  (A) perform outreach and engagement to 
                bolster the security of open source software;
                  (B) support Federal efforts to strengthen the 
                security of open source software;
                  (C) coordinate, as appropriate, with non-
                Federal entities on efforts to ensure the long-
                term security of open source software;
                  (D) serve as a public point of contact 
                regarding the security of open source software 
                for non-Federal entities, including State, 
                local, Tribal, and territorial partners, the 
                private sector, international partners, open 
                source software organizations, and open source 
                software developers; and
                  (E) support Federal and non-Federal supply 
                chain security efforts by encouraging efforts 
                to bolster open source security, such as--
                          (i) assisting in coordinated 
                        vulnerability disclosures in open 
                        source software components pursuant to 
                        section 2209(n); and
                          (ii) supporting the activities of the 
                        Federal Acquisition Security Council.
          (2) Assessment of critical open source software 
        components.--
                  (A) Framework.--Not later than 1 year after 
                the date of enactment of this section, the 
                Director shall publicly publish a framework, 
                incorporating government, including those 
                published by the National Institute of 
                Standards and Technology, industry, and open 
                source software community frameworks and best 
                practices, for assessing the risk of open 
                source software components, including direct 
                and indirect open source software dependencies, 
                which shall incorporate, at a minimum--
                          (i) the security properties of code 
                        in a given open source software 
                        component, such as whether the code is 
                        written in a memory-safe programming 
                        language;
                          (ii) the security practices of 
                        development, build, and release 
                        processes of a given open source 
                        software component, such as the use of 
                        multi-factor authentication by 
                        maintainers and cryptographic signing 
                        of releases;
                          (iii) the number and severity of 
                        publicly known, unpatched 
                        vulnerabilities in a given open source 
                        software component;
                          (iv) the breadth of deployment of a 
                        given open source software component;
                          (v) the level of risk associated with 
                        where a given open source software 
                        component is integrated or deployed, 
                        such as whether the component operates 
                        on a network boundary or in a 
                        privileged location; and
                          (vi) the health of the community for 
                        a given open source software component, 
                        including, where applicable, the level 
                        of current and historical investment 
                        and maintenance in the open source 
                        software component, such as the number 
                        and activity of individual maintainers.
                  (B) Updating framework.--Not less frequently 
                than annually after the date on which the 
                framework is published under subparagraph (A), 
                the Director shall--
                          (i) determine whether additional 
                        updates are needed to the framework 
                        described in subparagraph (A); and
                          (ii) if the Director determines that 
                        additional updates are needed under 
                        clause (i), make those updates to the 
                        framework.
                  (C) Developing framework.--In developing the 
                framework described in subparagraph (A), the 
                Director shall consult with--
                          (i) appropriate Federal agencies, 
                        including the National Institute of 
                        Standards and Technology;
                          (ii) individuals and nonprofit 
                        organizations from the open source 
                        software community; and
                          (iii) private companies from the open 
                        source software community.
                  (D) Federal open source software 
                assessment.--Not later than 1 year after the 
                publication of the framework described in 
                subparagraph (A), and not less frequently than 
                every 2 years thereafter, the Director shall, 
                to the greatest extent practicable and using 
                the framework described in subparagraph (A)--
                          (i) perform an assessment of open 
                        source software components used 
                        directly or indirectly by Federal 
                        agencies based on readily available, 
                        and, to the greatest extent 
                        practicable, machine readable, 
                        information, such as--
                                  (I) software bills of 
                                material that are made 
                                available to the Agency or are 
                                otherwise accessible via the 
                                internet;
                                  (II) software inventories 
                                collected from the Continuous 
                                Diagnostics and Mitigation 
                                program of the Agency; and
                                  (III) other publicly 
                                available information regarding 
                                open source software 
                                components; and
                          (ii) develop 1 or more ranked lists 
                        of components described in clause (i) 
                        based on the assessment, such as ranked 
                        by the criticality, level of risk, or 
                        usage of the components, or a 
                        combination thereof.
                  (E) Automation.--The Director shall, to the 
                greatest extent practicable, automate the 
                assessment conducted under subparagraph (D).
                  (F) Publication.--The Director shall publicly 
                publish and maintain any tools developed to 
                conduct the assessment described in 
                subparagraph (D) as open source software.
                  (G) Sharing.--
                          (i) Results.--The Director shall 
                        facilitate the sharing of the results 
                        of the assessment described in 
                        subparagraph (D) with appropriate 
                        Federal and non-Federal entities 
                        working to support the security of open 
                        source software, including by offering 
                        means for appropriate Federal and non-
                        Federal entities to download the 
                        assessment in an automated manner.
                          (ii) Datasets.--The Director may 
                        publicly publish, as appropriate, any 
                        datasets or versions of the datasets 
                        developed or consolidated as a result 
                        of the assessment described in 
                        subparagraph (D).
                  (H) Critical infrastructure assessment study 
                and pilot.--
                          (i) Study.--Not later than 2 years 
                        after the publication of the framework 
                        described in subparagraph (A), the 
                        Director shall conduct a study 
                        regarding the feasibility of the 
                        Director conducting the assessment 
                        described in subparagraph (D) for 
                        critical infrastructure entities.
                          (ii) Pilot.--If the Director 
                        determines that the assessment 
                        described in clause (i) is feasible, 
                        the Director may conduct a pilot 
                        assessment on a voluntary basis with 1 
                        or more critical infrastructure 
                        sectors, in coordination with the 
                        Sector Risk Management Agency and the 
                        sector coordinating council of each 
                        participating sector.
                          (iii) Reports.--
                                  (I) Study.--Not later than 
                                180 days after the date on 
                                which the Director completes 
                                the study conducted under 
                                clause (i), the Director shall 
                                submit to the appropriate 
                                congressional committees a 
                                report that--
                                          (aa) summarizes the 
                                        study; and
                                          (bb) states whether 
                                        the Director plans to 
                                        proceed with the pilot 
                                        described in clause 
                                        (ii).
                                  (II) Pilot.--If the Director 
                                proceeds with the pilot 
                                described in clause (ii), not 
                                later than 1 year after the 
                                date on which the Director 
                                begins the pilot, the Director 
                                shall submit to the appropriate 
                                congressional committees a 
                                report that includes--
                                          (aa) a summary of the 
                                        results of the pilot; 
                                        and
                                          (bb) a recommendation 
                                        as to whether the pilot 
                                        should be continued.
          (3) Coordination with national cyber director.--The 
        Director shall--
                  (A) brief the National Cyber Director on the 
                activities described in this subsection; and
                  (B) coordinate activities with the National 
                Cyber Director, as appropriate.
          (4) Reports.--
                  (A) In general.--Not later than 1 year after 
                the date of enactment of this section, and 
                every 2 years thereafter, the Director shall 
                submit to the appropriate congressional 
                committees a report that includes--
                          (i) a summary of the work on open 
                        source software security performed by 
                        the Director during the period covered 
                        by the report, including a list of the 
                        Federal and non-Federal entities with 
                        which the Director interfaced;
                          (ii) the framework developed under 
                        paragraph (2)(A);
                          (iii) a summary of changes made to 
                        the framework developed under paragraph 
                        (2)(A) since the last report submitted 
                        under this subparagraph;
                          (iv) a summary of the assessment 
                        conducted pursuant to paragraph (2)(D);
                          (v) a summary of changes made to the 
                        assessment conducted pursuant to 
                        paragraph (2)(D) since the last report 
                        submitted under this subparagraph, 
                        including overall security trends; and
                          (vi) a summary of the types of 
                        entities with which the assessment was 
                        shared pursuant to paragraph (2)(G), 
                        including a list of the Federal and 
                        non-Federal entities with which the 
                        assessment was shared.
                  (B) Public report.--Not later than 30 days 
                after the date on which the Director submits a 
                report required under subparagraph (A), the 
                Director shall make a version of the report 
                publicly available on the website of the 
                Agency.

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



Subchapter II--Information Security

           *       *       *       *       *       *       *



SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES.

    (a) * * *

           *       *       *       *       *       *       *

    (b) Agency Program. * * *
          (7) * * *

           *       *       *       *       *       *       *

                  (C) Shall include--
                                  (I) * * *

           *       *       *       *       *       *       *

                                  (IV) any other agency or 
                                office, in accordance with law 
                                or as directed by the 
                                President;[and]
          (8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency[.]; and
          (9) plans and procedures to ensure the secure usage 
        and development of software, including open source 
        software.

           *       *       *       *       *       *       *


                                  [all]