The new package bill was introduced amid calls for increased government support of open-source software development.
Leaders of the Homeland Security and Governmental Affairs Committee introduced the Strengthening American Cybersecurity Act bundling provisions they view as crucial in the wake of vulnerabilities like one found in open-source software library log4j, but couldn’t get over the finish line in previous attempts.
“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, [the Cybersecurity and Infrastructure Security Agency], with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches,” Committee Chairman Gary Peters, D-Mich., said in a press release Tuesday. “Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.”
The new legislation combines three previously introduced bills. Together it would require private-sector critical infrastructure owners to report cybersecurity incidents to CISA, make the first changes to the Federal Information Security Modernization Act in seven years, and codify the General Services Administration’s Federal Risk and Authorization Management Program–FEdRAMP—which aims to certify the security of federal cloud vendors.
Peters and Committee Ranking Member Rob Portman, R-Ohio, urged passage of the legislation during a hearing Tuesday in order to learn from and respond to a vulnerability—log4shell—discovered in the commonly used open-source software library called log4j.
Specifically referring to the incident reporting provisions, Portman said, “that legislation will ensure that our nation has visibility into attacks exploiting the log4shell vulnerability against critical infrastructure.”
Witnesses testifying before the committee included David Nalley, president of the Apache Software Foundation, Brad Arkin, senior vice president and chief security and trust officer forCisco, Jen Miller-Osborn, deputy director of threat intelligence, for cybersecurity firm Palo Alto’s Unit 42, and Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative. They all voiced support for greater use of a software bill of materials for proactively notifying users of open source software about their vulnerabilities.
“Something that I can echo is the potential for the software bill of materials and other automation tools in order to make it easier and lower the friction for people to have insights into their codebase and what's happening upstream for the components that they rely on,” Cisco’s Arkin said.
Asked whether private industry is doing enough to bolster the open-source infrastructure they also rely on, Herr said industry can certainly do more, but that their contributions currently far outstrip the government’s so “calling for action on both sides is admirable.”