Senate committee advances open source software and digital identity bills

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) oversaw 24 bills reported out of committee Wednesday, including legislation on open source software and critical infrastructure security. Tom Williams / Getty Images

The Senate Homeland Security and Governmental Affairs Committee approved 24 bills on Wednesday, many of which aim to secure federal systems and enhance government operations around data management and digital identity.

The Senate Homeland Security and Governmental Affairs Committee advanced a series of bills on Wednesday aimed at improving government operations around data management, digital identity and securing critical infrastructure from cyber attacks. 

The legislation advanced out of the committee included a bipartisan bill reintroduced last week by Chairman Gary Peters (D-Mich.) that instructs the Cybersecurity and Infrastructure Security Agency to develop a publicly accessible risk framework on open source software components for government and industry. 

The Securing Open Source Software Act was first introduced last year following the Log4Shell software vulnerability, which impacted the open source Log4j logging library used to record data from software applications. The vulnerability ultimately affected millions of computers and most enterprise cloud environments, potentially leaving them open to ransomware attacks.

“The Log4j incident demonstrated that we must work to secure open source software against persistent and evolving cybersecurity threats,” said Peters in a statement last week, adding that the bill “will help ensure this widely used software is secure against foreign adversaries and cybercriminals seeking to disrupt our national and economic security.”

The committee also advanced the National Risk Management Act of 2023, which requires the Department of Homeland Security to develop a national risk management cycle and encourages critical infrastructure owners and operators to participate in risk assessments every five years. 

"It's pretty clear that there are adversaries that would like to potentially interfere with our critical infrastructure and use that as a weapon," said Sen. Mitt Romney (R-Utah), who co-sponsored the legislation, on Wednesday during the committee hearing. 

"We're talking about power grids, pipelines, our defense industrial base, our water systems [and] transportation systems," he said, adding that the bill includes voluntary data collection and information sharing components. 

"I believe that companies will be happy to provide this because it's going to be in their best interest, but again, it's voluntary," he said.

Other bills advanced on Wednesday included the Improving Digital Identity Act, which would establish a task force to develop guidelines for digital identity credentials and create new federal opt-in identity validation services. The Federal Data Center Enhancement Act, which would instruct the Office of Management and Budget to create cybersecurity and sustainability minimum requirements for new federal data centers, also made it out of committee.

The Federal Agency Performance Act, reintroduced by Peters, also made it out of committee and would require consistent strategic reviews of agencies' performance goals while aiming to improve transparency by enhancing publicly accessible data that tracks federal progress on long-term objectives. 

The committee advanced a total of 24 bills on Wednesday, including others designed to resolve duplicative federal programs, enhance overall public transparency and improve disclosure and reporting guidelines for specific government programs. The bills now move to the full Senate.