Securing Open Source Software Act of 2022
This bill sets forth the duties of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security.
Open source software means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution.
Specifically, CISA must
CISA must (1) publicly publish a framework, incorporating government, industry, and open source software community frameworks and best practices, for assessing the risk of open source software components; and (2) update the framework at least annually.
The bill provides for a critical infrastructure assessment study and pilot assessment.
CISA's Cybersecurity Advisory Committee may establish a software security subcommittee, including open source software security.
The Office of Management and Budget, in coordination with CISA, the Office of the National Cyber Director, and the General Services Administration, shall issue guidance on the responsibilities of the chief information officers at specified agencies regarding open source software.
Reported by Senator Peters with amendments. With written report No. 117-278.
Ordered to be reported without amendment favorably.