H.R. 3286 · 118th Congress · House

Securing Open Source Software Act of 2023

Active · Placed on the Union Calendar, Calendar No. 127.

Introduced: May 15, 2023
Passed House: Pending
Passed Senate: Pending
Sent to President: Pending
Signed into Law: Pending

Executive Summary

Securing Open Source Software Act of 2023

This bill sets forth the duties of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security.

Open source software means software for which the human-readable source code is made available to the public for use, study, reuse, modification, enhancement, and redistribution.

Specifically, CISA must

  • perform outreach and engagement to bolster the security of open source software;
  • support federal efforts to strengthen open source software security;
  • coordinate with nonfederal entities on efforts to ensure long-term open source software security;
  • serve as a public point of contact regarding open source software security for nonfederal entities; and
  • support federal and nonfederal supply chain security efforts by encouraging efforts to bolster open source software security.

CISA must (1) publish a framework, incorporating government, private sector, and open source software community frameworks and best practices, for assessing the risk of open source software components; (2) update the framework at least annually; and (3) ensure, to the greatest extent practicable, that the framework is usable by the open source software community.

The bill requires CISA to assess open source software components deployed on high value assets at federal agencies based on the framework and provides for a pilot assessment of critical infrastructure.

CISA's Cybersecurity Advisory Committee may establish a software security subcommittee.

Previous Versions

00 · May 15, 2023

Securing Open Source Software Act of 2023

This bill sets forth the duties of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security.

Open source software means software for which the human-readable source code is made available to the public for use, study, reuse, modification, enhancement, and redistribution.

Specifically, CISA must

  • perform outreach and engagement to bolster the security of open source software;
  • support federal efforts to strengthen open source software security;
  • coordinate with nonfederal entities on efforts to ensure long-term open source software security;
  • serve as a public point of contact regarding open source software security for nonfederal entities; and
  • support federal and nonfederal supply chain security efforts by encouraging efforts to bolster open source software security.

CISA must (1) publish a framework, incorporating government, private sector, and open source software community frameworks and best practices, for assessing the risk of open source software components; (2) update the framework at least annually; and (3) ensure, to the greatest extent practicable, that the framework is usable by the open source software community.

The bill requires CISA to assess open source software components used by federal agencies based on the framework and provides for a pilot assessment of critical infrastructure.

CISA's Cybersecurity Advisory Committee may establish a software security subcommittee.

Action Timeline

  1. JUL 27, 2023 · Committee

    Reported (Amended) by the Committee on Homeland Security

    H. Rept. 118-160, Part I.

  2. JUL 27, 2023 · Committee

    Committee on Oversight and Accountability discharged.

  3. JUL 27, 2023 · Discharge

    Committee on Oversight and Accountability discharged.

  4. JUL 27, 2023 · Calendars

    Placed on the Union Calendar, Calendar No. 127.

  5. MAY 17, 2023 · Committee

    Committee Consideration and Mark-up Session Held.

  6. MAY 17, 2023 · Committee

    Ordered to be Reported (Amended) by Voice Vote.

  7. MAY 15, 2023 · IntroReferral

    Introduced in House

  8. MAY 15, 2023 · IntroReferral

    Referred to the Committee on Homeland Security, and in addition to the Committee on Oversight and Accountability, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

Committees

Oversight and Government Reform Committee

hsgo00

Referred: Jul 27, 2023

Active

Homeland Security Committee

hshm00

Referred: Jul 27, 2023

Active

Homeland Security Committee

hshm00

Referred: May 17, 2023

Active

Oversight and Government Reform Committee

hsgo00

Referred: May 15, 2023

Active

Homeland Security Committee

hshm00

Referred: May 15, 2023

Active