Review – S 917 Reported in Senate – Open-Source Software Security
Earlier this month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 917 [removed from paywall], the Securing Open Source Software Act of 2023. The Committee considered the bill on March 29th, 2023, and recommended the bill favorably without amendment. Subsequently, with the agreement of the Chair and Ranking Member, several technical corrections were made and included in the reported version of the bill. The bill has been placed on the Senate's Calendar and could be considered by the Senate at any time.
The bill establishes several areas of responsibility for CISA regarding open-source software security. No funding is authorized in the bill. This bill is very similar to S 4913, which was introduced by Peters last session. That bill was reported by the Senate Homeland Security and Governmental Affairs Committee, but no further action was taken.
Moving Forward
With the publication of this Report, the bill is now cleared for consideration by the full Senate. With the strong, bipartisan support in Committee (only one vote against the bill, Sen. Paul (R-KY)), I would suspect that there would be similar bipartisan support in the full Senate. This means that the bill would have little problem moving through the cloture process. Unfortunately, I do not think that the Senate leadership would feel that this bill is important enough to take up the time it would take to move this bill through regular order. The best prospects for this bill would be for consideration under the unanimous consent process (though there is already one potential vote against it, by a Senator who is well known for his willingness to voice objections to a unanimous consent motion) or inclusion in an authorization or spending bill.
Commentary
While CISA is almost certainly the agency to which the burden of open-source software monitoring should be assigned within the federal government, this bill does little to address the larger societal problem of open-source vulnerabilities. A more appropriate way to deal with the issue would be to place the burden of open-source vulnerability management on the folks that directly benefit from the use of open-source software: the vendors that short-cut their software development process by using open-source software.
This could be accomplished by requiring vendors selling software, or equipment containing software, to publicly disclose on a publicly searchable internet site, for each supported version of software (including firmware, BIOS, or applications) offered or provided to the federal government, a listing of each piece of open-source software (including version number) used in their software, along with a listing of publicly known, uncorrected vulnerabilities found in the open-source software used in that product. This public listing would allow companies and individuals to access vulnerability information about their currently owned products and influence future software purchases.
For more details about the content of the Committee Report, including the changes made in the reported version of the bill and a discussion about the CBO cost estimates for implementing the bill's requirements, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/s-917-reported-in-senate – subscription required.