Sec. 3. Open source software security duties
/bill/117/s/4913/rs/section-3
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—

in section 2201 (6 U.S.C. 651)—
- by redesignating paragraphs (5), (6), and (7) as paragraphs (8), (9), and (10), respectively; and
- by inserting after paragraph (4) the following:
  - The term "open source software" means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution.
  - The term "open source software community" means the community of individuals, foundations, nonprofit organizations, corporations, and other entities that— develop, contribute to, maintain, and publish open source software; or otherwise work to ensure the security of the open source software ecosystem.
  - The term "open source software component" means an individual repository of open source software that is made available to the public.

in section 2202(c) (6 U.S.C. 652(c))—
- in paragraph (13), by striking "and" at the end;
- by redesignating paragraph (14) as paragraph (15); and
- by inserting after paragraph (13) the following: "support, including by offering services, the secure usage and deployment of software, including open source software, in the software development lifecycle at Federal agencies in accordance with section 2220E; and";

and by adding at the end the following:

In this section, the term "software bill of materials" has the meaning given the term in the Minimum Elements for a Software Bill of Materials published by the Department of Commerce, or any superseding definition published by the Agency.

The Director shall, to the greatest extent practicable, employ individuals in the Agency who— have expertise and experience participating in the open source software community; and perform the duties described in subsection (c).

The Director shall—
- perform outreach and engagement to bolster the security of open source software;
- support Federal efforts to strengthen the security of open source software;
- coordinate, as appropriate, with non-Federal entities on efforts to ensure the long-term security of open source software;
- serve as a public point of contact regarding the security of open source software for non-Federal entities, including State, local, Tribal, and territorial partners, the private sector, international partners, open source software organizations, and open source software developers; and
- support Federal and non-Federal supply chain security efforts by encouraging efforts to bolster open source software security, such as— assisting in coordinated vulnerability disclosures in open source software components pursuant to section 2209(n); and supporting the activities of the Federal Acquisition Security Council.

Not later than 1 year after the date of enactment of this section, the Director shall publicly publish a framework, incorporating government, including those published by the National Institute of Standards and Technology, industry, and open source software community frameworks and best practices, including those published by the National Institute of Standards and Technology, for assessing the risk of open source software components, including direct and indirect open source software dependencies, which shall incorporate, at a minimum—
- the security properties of code in a given open source software component, such as whether the code is written in a memory-safe programming language;
- the security practices of development, build, and release processes of a given open source software component, such as the use of multi-factor authentication by maintainers and cryptographic signing of releases;
- the number and severity of publicly known, unpatched vulnerabilities in a given open source software component;
- the breadth of deployment of a given open source software component;
- the level of risk associated with where a given open source software component is integrated or deployed, such as whether the component operates on a network boundary or in a privileged location; and
- the health of the community for a given open source software component, including, where applicable, the level of current and historical investment and maintenance in the open source software component, such as the number and activity of individual maintainers.

Not less frequently than annually after the date on which the framework is published under subparagraph (A), the Director shall— determine whether additional updates are needed to the framework described in subparagraph (A); and if the Director determines that additional updates are needed under clause (i), make those updates to the framework.

In developing the framework described in subparagraph (A), the Director shall consult with— appropriate Federal agencies, including the National Institute of Standards and Technology; individuals and nonprofit organizations from the open source software community; and private companies from the open source software community.

Not later than 1 year after the publication of the framework described in subparagraph (A), and not less frequently than every 2 years thereafter, the Director shall, to the greatest extent practicable and using the framework described in subparagraph (A)—
- perform an assessment of open source software components used directly or indirectly by Federal agencies based on readily available, and, to the greatest extent practicable, machine readable, information, such as— software bills of material that are made available to the Agency or are otherwise accessible via the internet; software inventories collected from the Continuous Diagnostics and Mitigation program of the Agency; and other publicly available information regarding open source software components; and
- develop 1 or more ranked lists of components described in clause (i) based on the assessment, such as ranked by the criticality, level of risk, or usage of the components, or a combination thereof.

The Director shall, to the greatest extent practicable, automate the assessment conducted under subparagraph (D).

The Director shall publicly publish and maintain any tools developed to conduct the assessment described in subparagraph (D) as open source software.

The Director shall facilitate the sharing of the results of the assessment described in subparagraph (D) with appropriate Federal and non-Federal entities working to support the security of open source software, including by offering means for appropriate Federal and non-Federal entities to download the assessment in an automated manner.

The Director may publicly publish, as appropriate, any datasets or versions of the datasets developed or consolidated as a result of the assessment described in subparagraph (D).

Not later than 2 years after the publication of the framework described in subparagraph (A), the Director shall conduct a study regarding the feasibility of the Director conducting the assessment described in subparagraph (D) for critical infrastructure entities. If the Director determines that the assessment described in clause (i) is feasible, the Director may conduct a pilot assessment on a voluntary basis with 1 or more critical infrastructure sectors, in coordination with the Sector Risk Management Agency and the sector coordinating council of each participating sector.

Not later than 180 days after the date on which the Director completes the study conducted under clause (i), the Director shall submit to the appropriate congressional committees a report that— summarizes the study; and states whether the Director plans to proceed with the pilot described in clause (ii). If the Director proceeds with the pilot described in clause (ii), not later than 1 year after the date on which the Director begins the pilot, the Director shall submit to the appropriate congressional committees a report that includes— a summary of the results of the pilot; and a recommendation as to whether the pilot should be continued.

The Director shall— brief the National Cyber Director on the activities described in this subsection; and coordinate activities with the National Cyber Director, as appropriate.

Not later than 1 year after the date of enactment of this section, and every 2 years thereafter, the Director shall submit to the appropriate congressional committees a report that includes—
- a summary of the work on open source software security performed by the Director during the period covered by the report, including a list of the Federal and non-Federal entities with which the Director interfaced;
- the framework developed under paragraph (2)(A);
- a summary of changes made to the framework developed under paragraph (2)(A) since the last report submitted under this subparagraph;
- a summary of the assessment conducted pursuant to paragraph (2)(D);
- a summary of changes made to the assessment conducted pursuant to paragraph (2)(D) since the last report submitted under this subparagraph, including overall security trends; and
- a summary of the types of entities with which the assessment was shared pursuant to paragraph (2)(G), including a list of the Federal and non-Federal entities with which the assessment was shared.

Not later than 30 days after the date on which the Director submits a report required under subparagraph (A), the Director shall make a version of the report publicly available on the website of the Agency.

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended— by moving the item relating to section 2220D to appear after the item relating to section 2220C; and by inserting after the item relating to section 2220D the following: "Sec. 2220E. Open source software security duties.".