Thursday, May 25, 2023

Review - S 917 Reported in Senate – Open-Source Software Security

Earlier this month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 917 [removed from paywall], the Securing Open Source Software Act of 2023. The Committee considered the bill on March 29th, 2023, and recommended the bill favorably without amendment. Subsequently, with the agreement of the Chair and Ranking Member, several technical corrections were made and included in the reported version of the bill. The bill has been placed on the Senate’s Calendar and could be considered by the Senate at any time.

The bill establishes several areas of responsibility for CISA regarding open-source software security. No funding is authorized in the bill. This bill is very similar to S 4913 that was introduced by Peters last session. That bill was reported by the Senate Homeland Security and Governmental Affairs Committee, but no further action was taken.

Moving Forward

With the publication of this Report, the bill is now cleared for consideration by the full Senate. With the strong, bipartisan support in Committee {only one vote against the bill, Sen Paul (R,KY)}, I would suspect that there would be similar bipartisan support in the full Senate. This means that the bill would have little problem moving through the cloture process. Unfortunately, I do not think that the Senate leadership would feel that this bill is important enough to take up the time it would take to move this bill through regular order. The best prospects for this bill would be for consideration under the unanimous consent process (though there is already one potential vote against it, by a Senator who is well known for his willingness to voice objections to a unanimous consent motion) or inclusion in an authorization or spending bill.

Commentary

While CISA is almost certainly the agency to which the burden of open-source software monitoring should be assigned within the federal government, this bill does little to address the larger societal problem of open-source vulnerabilities. A more appropriate way to deal with the issue would be to place the burden of open-source vulnerability management on the folks that directly benefit from the use of open-source software: the vendors that short-cut their software development process by using open-source software.

This could be accomplished by requiring vendors selling software, or equipment containing software, to publicly disclose on a publicly searchable internet site, for each supported version of software (including firmware, BIOS, or applications) offered or provided to the federal government, a listing of each piece of open-source software (including version number) used in their software, along with a listing of publicly known, uncorrected vulnerabilities found in the open-source software used in that product. This public listing would allow companies and individuals to access vulnerability information about their currently owned products and influence future software purchases.

For more details about the content of the Committee Report, including the changes made in the reported version of the bill and a discussion about the CBO cost estimates for implementing the bill’s requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-917-reported-in-senate - subscription required.
