Lawmakers on Wednesday passed a series of bills that would give the Cybersecurity and Infrastructure Security Agency new responsibilities when it comes to safeguarding open source software, protecting U.S. critical infrastructure and expanding the cybersecurity workforce.
The Senate Homeland Security and Governmental Affairs Committee advanced a bill that would require CISA to maintain a commercial public satellite system clearinghouse and create voluntary cybersecurity recommendations for the space sector. Additionally, the committee advanced legislation requiring CISA to create a pilot civilian cyber reserve program to respond to incidents.
The House Homeland Security Committee advanced legislation that would require CISA to work with the open source community to better secure it as well as create a framework to assess the general risks of open source components for federal agencies. The House advanced another bill that would give CISA the authority to train employees at DHS that aren’t currently in cybersecurity positions to move to such a role.
The slew of legislation and the focus on CISA come as both the Biden administration and Congress try to address the litany of cybersecurity risks to critical infrastructure that have built up over decades of government inaction and industry's slow pace in patching vulnerable systems. The agency has been positioned as the go-to solution and coordinator for all things cyber, but many Republicans in both the House and Senate scoffed during Wednesday's markups at giving CISA more responsibilities and authorities.
Sen. Rand Paul, R-Ky., said Congress should be limiting CISA's powers, “not expanding them.” Concerns about CISA's authorities are likely to be a growing pressure point among Republicans who have expressed worries about CISA becoming a regulatory agency.
The Securing Open Source Software Act of 2023, which also has a Senate companion bill, was a direct response to the Log4Shell vulnerability found in Log4j, Apache's widely used open source logging library.
“This bipartisan, bicameral effort is critical to improving how the Federal government manages its risk stemming from the use of open source software, the bedrock of our digital ecosystem,” said Chairman Mark Green, R-Tenn.
The challenges of protecting open source projects, which are largely maintained by volunteer developers, were a key consideration for the Biden administration, which held a summit with leaders in the community. Additionally, the Log4Shell vulnerability was the inaugural topic for DHS's Cyber Safety Review Board.
The bill would require CISA to engage with the open source community, hire employees who have experience with open source programs and help both federal agencies and the private sector with coordinated vulnerability disclosures. Additionally, it would require CISA to develop a framework to assess the risks of open source components, including an assessment of each open source software component used “directly or indirectly by federal agencies.”
The satellite bill would also require the Comptroller General to report to Congress on federal efforts to protect satellite systems. CISA would be required to create voluntary cybersecurity recommendations for satellite systems, including the transmission links between satellites and ground support. The National Space Council, meanwhile, would be required to establish a strategy outlining federal roles and responsibilities for agencies.