What Is the Securing Open Source Software Act?
On September 21, 2022, the Securing Open Source Software Act was introduced in the Senate. In this blog, I’ll explain what the bipartisan bill covers, as well as how we got here, and what to expect if the legislation passes.
Timeline of Recent Cybersecurity Initiatives
Open source security is on everyone’s minds these days and for good reason. It seems like every week we hear about a critical vulnerability being exploited or another devastating ransomware attack. The consequences of these events can be crippling, and it’s not just the IT community that is concerned; cybersecurity has become a priority for the U.S. government as well.
In May of 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity that included guidelines on enhancing software supply chain security, mandates for federal agencies to modernize their IT security policies and procedures, plans to standardize the response to identified cyber threats and security-related incidents.
Later that year, the infamous Log4j vulnerability wreaked havoc, and resulted in Congressional hearings, as well as a warning issued by the FTC. That led to the White House to invite tech industry leaders to convene in January of 2022 to discuss “how to make a difference in the security of open source software, while effectively engaging with and supporting, the open source community.” You can read the White House brief on that important summit here.
A few months after that meeting, the Open Source Software Security Mobilization Plan, a 10-point plan addressing the highest priority open source security areas, was released. Authored by the Linux Foundation and the Open Source Security Foundation (Open SSF) with input from CISOs and other high-level executives at some of the largest private tech companies, the plan is centered around three key initiatives:
- Preventing security defects and vulnerabilities in code and OSS packages
- Improving the process for finding defects and fixing them
- Shortening remediation response time
The vision: to make open source software security more “developer-driven,” with better education and security-specific certification programs for developers, as well as greater software development transparency through widespread creation of Software Bill of Materials (SBOM). SBOMs provide an inventory of open source components, versions, and licenses, and the 2023 State of Open Source Report found that only a little over a quarter (25.8%) of organizations currently generate SBOMs. Fortunately, the Open Source Software Security Mobilization Plan includes tools to help with SBOM creation.
The Securing Open Source Software Act of 2022
The Securing Open Source Software Act was introduced by Senators Gary Peters (D-MI) and Rob Portman (R-OH) in September of 2022. Peters and Portman both serve on the Senate Homeland Security and Governmental Affairs Committee and attended the Log4j hearings — and this bipartisan legislation is a direct result.
If passed, the Securing Open Source Software Act would be the first and only law in the U.S. that is specifically and solely about open source software security. It is remarkable for a few reasons — first, the bill articulates the significance of open source, stating that “open source software fosters technology development and is an integral part of overall cybersecurity.” It also recognizes that “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States.” And finally, it acknowledges the need for intervention at the federal level to ensure the “long-term security of open source software.”
The Role of the CISA Director
One of the purposes of the Securing Open Source Software Act is to outline the duties of the Director of the Cybersecurity and Infrastructure Security Agency (CISA), which was established in 2018. According to the bill, CISA’s Director will be tasked with leading outreach and engagement efforts with the open source community to improve the security of open source software. Working in tandem with government officials at the federal, state, and local levels, as well as open source organizations and communities, the Director will help coordinate vulnerability disclosures and protect the software supply chain.
Risk Assessment Framework
The Securing Open Source Software Act also has a section about developing a risk assessment framework for open source software components. This framework would provide guidance around identifying open source components, making software development life cycle processes more secure, and standardizing SBOMs. Additionally, details about the “health” of the community behind open source software components and the “level of risk” will have to be disclosed, per the framework.
Government CIOs and OSPOs
The final section of the Securing Open Source Software Act relates to government agency Chief Information Officers (CIOs) and Open Source Program Offices (OSPOs). The bill states that the CISA Director will assist CIOs in instituting policies that align with open source best practices to “manage and reduce risk of using open source software.”The CIOs will also be in charge of piloting OSPOs at their agencies. As I noted in my blog on 2023 open source trends, OSPOs are on the rise in the private sector as organizations are becoming more strategic and sophisticated about their OSS adoption. The benefit of OSPOs is that they centralize all aspects of open source operations, from compliance and security to training personnel and interacting with open source communities.
What Happens Next?
The Securing Open Source Software Act will have to pass a vote in the Senate, the House of Representatives, and be signed by President Biden to become law. That process could take months, and the bill might undergo several rounds of revisions in the meantime. It is, however, encouraging that it has support from both sides of the aisle, indicating that both Democrats and Republicans agree that open source software security is vitally important.
It’s important to remember that the bill does not include any mandates or regulations that would directly impact the private sector. Still, if it passes, it would send a clear message that all organizations, regardless of industry, should not neglect open source security. It would also hopefully encourage more companies to adopt security best practices, like creating OSPOs and generating SBOMs. For help addressing open source vulnerabilities, process definition around SBOM results, and implementation of OSPOs, organizations can seek external technical and consultative support from experts in the space.
Webinar on Open Source Security and Compliance
On March 23, join Javier Perez, Chief OSS Evangelist for Perforce Software, for a presentation on the changing landscape of open source security and compliance.
- Blog - Understanding CVEs and CVSS Scores
- Blog - Debunking Open Source Software Security Myths
- Guide - What Is Enterprise Application Security?
- Infographic - Highlights from the 2023 State of Open Source Report
- Blog - Top 5 Takeaways from the 2023 State of Open Source Report
- On-Demand Webinar - Open Source Trends to Watch in 2023