Lawmakers introduce bill to tackle open-source software
- Sam Sabin, author of Axios Codebook

A pair of influential senators have devised a plan to beef up the federal government’s approach to securing open-source software, meaning tools that developers create for free public consumption.
Driving the news: Senate Homeland Security Committee leaders Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill Thursday requiring CISA to develop a risk framework laying out how the federal government relies on open-source code.
- The bill comes after researchers discovered a security vulnerability in the popular open-source code Log4j in December, which CISA estimates affected millions of devices.
- The Washington Post first reported on the bill before its introduction.
Between the lines: Since last year’s Log4j vulnerability, both the federal government and industry have been scrambling to figure out how to toughen open-source software.
- Open-source developers often don’t have the time to constantly update and patch their creations against new vulnerabilities.
- But companies rely heavily on these free resources when building out their own tools since they cover basics like logging tasks.
- The Open Source Security Foundation rolled out a project to better secure at least 10,000 open-source projects, and the White House hosted a meeting in January with private- and public-sector partners to discuss the issue further.
Details: Peters and Portman’s Securing Open Source Software Act would require CISA and other federal offices to tackle the issue in a few ways:
- CISA would need to develop a risk framework within a year for federal government uses of open-source software.
- CISA would also have to hire a set of open-source security developers to better defend against future cyber threats targeting this code.
- The Office of Management and Budget would issue guidance for how federal agencies secure open-source software.
The intrigue: Peters and Portman have been behind some of the most influential pieces of cybersecurity legislation in the last few years, so this bill could stand a good chance of making it through Congress.
- Earlier this year, President Biden signed into law a bill from the duo requiring all critical infrastructure operators to report cyber incidents to the federal government within 72 hours.
- The lawmakers plan to hold a committee vote on the bill next week, according to the Post.
Yes, but: Congress faces a truncated legislative schedule as the midterm elections approach, leaving little time for the lawmakers to get their bill passed before a new session begins.