Bill Overview
Title: Securing Open Source Software Act of 2022
Description: This bill sets forth the duties of the Cybersecurity and Infrastructure Security Agency (CISA) regarding open source software security. Open source software means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution. Specifically, CISA must perform outreach and engagement to bolster the security of open source software; support federal efforts to strengthen the security of such software; coordinate with nonfederal entities on efforts to ensure the long-term security of such software; serve as a public point of contact regarding the security of such software for nonfederal entities; and support federal and nonfederal supply chain security efforts by encouraging efforts to bolster open source software security. CISA must (1) publicly publish a framework, incorporating government, industry, and open source software community frameworks and best practices, for assessing the risk of open source software components; and (2) update the framework at least annually. The bill provides for a critical infrastructure assessment study and pilot assessment. CISA's Cybersecurity Advisory Committee may establish a software security subcommittee, including open source software security. The Office of Management and Budget, in coordination with CISA, the Office of the National Cyber Director, and the General Services Administration, shall issue guidance on the responsibilities of the chief information officers at specified agencies regarding open source software.
Sponsors: Sen. Peters, Gary C. [D-MI]
Target Audience
Population: people who use, develop, or rely on open source software
Estimated Size: 150000000
- Open source software is widely used globally, impacting developers, businesses, and governmental operations across different sectors.
- The security measures and frameworks introduced by this bill will directly affect those who use, modify, and contribute to open source software development.
- Increasing security in open source software has the potential to make digital ecosystems safer for all users, therefore globally affecting billions of software users.
- Specifically, software developers who contribute to or rely on open source software will be most directly impacted by the changes proposed in this bill.
Reasoning
- The target population for this policy is those involved in open source software, estimated to affect roughly 150 million Americans from various sectors, including government, businesses, and individual developers.
- The allocated budget will primarily target outreach, engagement, and framework development, which primarily influences the operational cost and time developers spend on security.
- The policy's reach, focusing on open source security, suggests that its impact will be significantly observed among U.S. software developers who often rely on or contribute to open source projects.
- Small companies and individual developers may initially experience lower impacts, while larger organizations and government-related projects, typically having the resources to readily adopt such frameworks, could see more immediate changes.
Simulated Interviews
Open Source Software Developer (California)
Age: 32 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 8/20
Statement of Opinion:
- The increased focus on security might add extra work initially, but if it means safer tools, it's worth it.
- I hope this doesn't slow down development timelines significantly.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 8 | 7 |
Software Engineer (Washington)
Age: 28 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 10.0 years
Commonness: 6/20
Statement of Opinion:
- This policy will be beneficial for government projects where security is crucial.
- It might require us to align more with standardized security protocols.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 8 |
| Year 20 | 8 | 7 |
IT Manager for a Small Business (New York)
Age: 45 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 7.0 years
Commonness: 10/20
Statement of Opinion:
- Policies like this can help us protect our customer data.
- We might need to allocate resources to ensure compliance.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Educator at a Technical College (Texas)
Age: 52 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 3.0 years
Commonness: 5/20
Statement of Opinion:
- This policy gives more credibility to open source software as a safe choice.
- Curriculums may need updating to include new security frameworks.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 7 | 7 |
| Year 20 | 7 | 6 |
Project Manager at a Tech Company (Colorado)
Age: 39 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 8.0 years
Commonness: 7/20
Statement of Opinion:
- We might see benefits in terms of reduced vulnerabilities and security incidents.
- Implementing new security standards could delay ongoing projects.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 8 | 6 |
Recent Computer Science Graduate (Oregon)
Age: 25 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 9/20
Statement of Opinion:
- The policy may offer new opportunities to learn about security in my field.
- Could lead to more job openings focused on securing open source software.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 8 | 6 |
Cybersecurity Analyst (Illinois)
Age: 41 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 15.0 years
Commonness: 5/20
Statement of Opinion:
- The policy aims directly at what my job is about — securing software.
- It could drive demand for cybersecurity expertise.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 8 |
| Year 20 | 9 | 7 |
Entrepreneur (Georgia)
Age: 30 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 4/20
Statement of Opinion:
- This policy may provide reassurance to potential partners about security.
- Could increase costs if we need to hire security roles or consultants.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 7 |
| Year 5 | 7 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 7 | 6 |
Director of IT at a large corporation (Massachusetts)
Age: 60 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- It could streamline how we evaluate software risks by providing consistent frameworks.
- The policy is likely to lead to more standardization.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 8 | 8 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 8 |
| Year 20 | 9 | 7 |
Operations Consultant for Nonprofits (Florida)
Age: 37 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 4.0 years
Commonness: 6/20
Statement of Opinion:
- Nonprofits could benefit from improved security without huge cost overheads.
- The challenge will be adapting smaller organizations to new standards.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 7 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 7 | 7 |
Cost Estimates
Year 1: $30000000 (Low: $25000000, High: $35000000)
Year 2: $30000000 (Low: $25000000, High: $35000000)
Year 3: $32000000 (Low: $27000000, High: $37000000)
Year 5: $35000000 (Low: $29000000, High: $41000000)
Year 10: $40000000 (Low: $32000000, High: $48000000)
Year 100: $60000000 (Low: $48000000, High: $72000000)
Key Considerations
- The scope of CISA's expanded duties and the need for skilled personnel to implement security measures effectively.
- Ensuring continued collaboration with both federal and nonfederal entities to optimize resources.
- Potential challenges in keeping the risk assessment framework relevant and effective amidst rapid software development cycles.