Senators’ Plan to Secure Open Source Software Involves Agencies Using More of It

Sen. Rob Portman (R-OH) speaks to Sen. Gary Peters (D-MI) at a hearing to discuss security threats 20 years after the 9/11 terrorist attacks at the U.S. Capitol on September 21, 2021 in Washington, DC. Greg Nash - Pool/Getty Images

The discovery of exploitable weaknesses in Log4j is resurfacing a 6-year-old push to save taxpayers money by calling on agencies to embrace open-source code.

Leading cybersecurity officials should guide agencies toward—not away from—both using and contributing to open source code libraries, according to legislation reported out of the Senate Homeland Security and Governmental Affairs Committee.  

Committee Chairman Gary Peters, D-Mich., and Ranking Member Rob Portman, R-Ohio, said the Securing Open Source Software Act of 2022, which cleared the panel Wednesday, will help prevent exploitation of vulnerabilities such as Log4Shell—a severe flaw in the ubiquitous open source library Log4j. In December, Cybersecurity and Infrastructure Security Agency Director Jen Easterly issued an emergency alert for agencies to find and fix all instances of the vulnerability, which she has referred to as the most serious one she’s ever seen.

Avoiding indirect use of open source software would be a tall order for agencies. Vendors of commercial off-the-shelf products, which officials have prioritized over in-house application development, compile their software from various open-source components, like Lego blocks, while generally concealing their nature or configuration.

Among other things, the senators’ bill would rely on vendors providing agencies with a Software Bill of Materials, or SBOM. Often compared to the list of ingredients on food labels, SBOMs that note open-source and other code components in a product would have made the process of complying with the CISA directive, and generally managing critical vulnerabilities, much easier, according to proponents.

Under the legislation, the CISA director would be instructed to hire more personnel with experience working on open source libraries and use SBOMs agencies may collect to assess and rank open source components. Those assessments should include components’ risk, criticality or both, based on a framework that considers factors such as the number of known vulnerabilities they contain and whether they are actively maintained.

Agencies could then use the assessments to not only proactively manage and reduce their security risks, but also put more open source code into the world.  

The bill calls on the national cyber director, together with the directors of CISA and the Office of Management and Budget, to issue guidance for chief information officers on how agencies should, “enable, rather than inhibit, the secure usage of open source software,” and how they may be encouraged to contribute to and release their own open source code. The guidance could include an update to a 2016 OMB memo requiring agencies to make 20% of any custom code they had developed for the agency open-source and available for reuse by other agencies. 

That same summer the OMB memo was issued, promising to reduce duplicative software acquisitions, Sen. Bill Cassidy, R-La., successfully proposed a bill—the MEGABYTE Act—instructing agencies to inventory and better manage software licenses they were paying billions for. That, too, got an amplification from the committee.

On Wednesday, senators also approved the “Strengthening Agency Management and Oversight of Software Assets Act,” legislation Cassidy introduced with Peters that would expand his 2016 consolidation effort by requiring agency CIOs and other senior officials to conduct the same exercise, but across the federal enterprise.

“By requiring the federal government to keep track of its software licenses, we saved taxpayers $450 million,” Cassidy said, referring to the MEGABYTE Act in a press release on the new bill’s introduction. “That’s a win for the taxpayer and a win for government efficiency. This bill builds on this effort to make government work better and save money.”

The Peters-Cassidy bill would require CIOs, together with chief procurement officers and chief financial officers, to make plans for agencies that “provide an estimate of the costs to move to enterprise, open-source or other licenses that do not restrict the use of software by the agency, and any projected cost savings or efficiency measures throughout the total software lifecycle.” And it would instruct the OMB director to submit a strategy to the committee and its House counterpart that could include, “directions to agencies to examine options and relevant criteria for transitioning to open-source software.”

The senators’ approach would no doubt face workforce challenges, which the committee on Wednesday also passed a bill to address. The workforce bill would create a fund, maintained by contributions of participating agencies, to run federal boards around the country focused on providing education and training through mechanisms like apprenticeships in areas such as cybersecurity, which the Government Accountability Office has identified as high-risk.