Recent issues with persistent vulnerabilities, most notably Log4j, have Congress addressing open source software security in a broad way at the federal level for the first time. The proposed Securing Open Source Software Act has moved from committee to review by the Senate, and if passed would create an evaluation framework for use by federal agencies. While the bill’s prospects are still not entirely clear, it has bipartisan support and is in the vein of the Biden administration’s ongoing efforts to rapidly improve the cybersecurity of the federal government and its contractors.
Bipartisan open source software security bill has good prospects, but faces challenges
The proposed open source software security bill essentially mirrors the functions of an Open Source Program Office (OSPO), which it would formally require certain federal agencies to establish. But CISA would be tasked with creating a risk assessment framework applicable throughout the federal government, touching all of the open source software it adopts.
Sponsored by a pair of Republican and Democrat senators, and in keeping with recent Biden administration efforts to beef up federal cybersecurity (such as requiring a “software bill of materials” be present for open source software used in critical functions), the open source software security bill would appear to have strong prospects. However, some concern has already been raised about the lack of detail in how exactly software will be tested. Others wonder if this puts too much attention on open source at the expense of similar requirements for commercial software, which has been more directly responsible for government breaches as of late.
Those are issues that can potentially be ironed out as the open source software security bill moves through Congress. But getting that process underway is another significant obstacle in and of itself. Congress presently has a shortened legislative session as it comes up on a typically contentious midterm election, and things could be different when it returns in 2023. But President Biden’s signature is widely expected to be put on the bill if it makes it to his desk.
Federal government enhances focus on open source software security, but no private industry requirements yet
The obvious and direct prompt for the open source software security bill was the Log4j vulnerability, which experts believe will continue to plague organizations of all types for years to come. But thus far the bill appears to be restricted to federal agencies, with the eventual CISA framework to be offered to critical infrastructure companies to use on a voluntary basis. This does not mean that private industry is in the clear in terms of Log4j failures, however, as the FTC has said that it is looking to fine companies that fail to patch it and then lose personal information in a data breach caused by it.
Should the bill end up passing, the Office of Management and Budget (OMB) would be involved with creating federal guidance on open source software security for general use.