Senate HSGAC Okays Open Source, Data Center, Digital ID Bills
The Senate Homeland Security and Governmental Affairs Committee voted today to approve several bills that impact government technology use including legislation on open source software security, Federal data center security, and digital identification.
Open Source Software Bill Cleared
Bipartisan legislation that aims to ensure the security of open source software used by the Federal government advanced out of the committee today.
The Securing Open Source Software Act – which would task the Cybersecurity and Infrastructure Security Agency (CISA) with ensuring that open source software is used safely and securely by the Federal government, critical infrastructure entities, and others – passed with an 11-1 vote during the committee’s March 29 business meeting.
The bill was offered last week by Sen. Gary Peters, D-Mich., chairman of the committee, and Sen. Josh Hawley, R-Mo.
The committee’s ranking member, Sen. Rand Paul, R-Ky., was the one “nay” vote against the measure. Sen. Paul cited on-going concern from the Republican party about CISA’s “excessive regulation.”
“CISA seems to be at the center of every new revelation about efforts to censor disfavored speech. Rather than giving them more power, we should be investigating what they have been doing and limiting their power,” Sen. Paul said. “I’m also concerned that this bill will create Federal regulation of open source software and kill a thriving area of innovation.”
The bill was reintroduced last week and comes after the Log4j vulnerability – which has been found in open source code – affected Federal systems and millions of computers worldwide in December 2021.
The legislation calls on CISA to develop a risk framework to evaluate how open source code is used by the Federal government, as well as critical infrastructure owners and operators. It also calls on the agency to hire open source software experts who can address cyber incidents like the Log4j vulnerability when they arise.
Chairman Peters authored similar legislation that advanced to the Senate last year, but Congress failed to convene a vote on the bill before the 117th session ended.
National Risk Management Act Passed
In other action during a markup session today, the committee voted 11-1 today to advance the National Risk Management Act to the Senate floor.
The bill sponsored by Sens. Maggie Hassan, D-N.H., and Mitt Romney, R-Utah, calls on CISA to create a report that identifies, assesses, and prioritizes risk to critical infrastructure. It also tasks the President with creating a national critical infrastructure resilience strategy.
Sen. Paul proposed an amendment to the legislation, asking that the bill only task the president with creating a national critical infrastructure resilience strategy.
Sen. Paul again cited his distrust towards CISA and argued that removing the provision that calls on the agency to create a report that collects information on the nation’s critical infrastructure “helps ensure that the privacy of individuals and organizations is protected.”
“It’s important that CISA periodically receive information and update its risk assessments and the strategy for mitigating these evolving risks,” Sen. Hassan said during the committee meeting.
“This bill provides a transparent process for CISA to accept information from all stakeholders and allows, does not require, industry owners and operators to submit additional information that they believe CISA should consider,” she said. “We’d be doing our communities a disservice to force them to rely on old, outdated assessments and strategies.”
Sen. Romney added to her comment, saying, “This is basically saying that we’d like to have an assessment to our cyber risks to critical infrastructure.”
“It’s making an assessment on an every five year basis of how vulnerable we are. The data we’re collecting is all done voluntarily,” he said.
Sen. Paul’s amendment failed, and the senator cast the only negative vote for the National Risk Management Act.
Panel Okays Bill to Secure Fed Data Centers
The Federal Data Center Enhancement Act received a unanimous, 12-0 vote for passage during today’s markup session.
The bill – which aims to boost the physical and digital security of Federal data centers against potential threats – will move to the full Senate for consideration.
A bipartisan group of senators – Sens. Jacky Rosen, D-Nev., Peters, and John Cornyn, R-Texas – reintroduced the legislation last week.
The Federal Data Center Enhancement Act would require the Office of Management and Budget to work with Federal agencies to coordinate a government-wide effort to develop strong minimum requirements for cybersecurity, resiliency, availability, and sustainability for new Federal data centers.
“I’m happy to see the committee pass my bipartisan Federal Data Center Enhancement Act,” Sen. Rosen said today.
“With the increasing threat of cyberattacks and natural disasters, we must ensure the integrity of our nation’s critical information by protecting data centers,” she continued. “Our bipartisan bill will enact a new set of security and resiliency standards to help keep our data safe, which is important to both our personal security and our national security.”
Digital Identities Bill Approved
The Improving Digital Identity Act advanced out of the committee today by a vote of 11-1. The bill – which would establish an Improving Digital Identity Task Force – now heads to the full Senate for consideration.
The legislation aims to establish a government-wide effort to develop secure methods for governmental agencies to protect the privacy and security of individuals and support reliable, interoperable digital identity verification in the public and private sectors.
It would provide opportunities for states, local, tribal, and territorial governments to win grants to upgrade systems that provide drivers’ licenses or other types of identity credentials.
The legislation also calls on the Government Accountability Office to conduct a report on the estimated potential savings, due to the increased adoption and widespread use of digital identification.
Sen. Paul cast the one opposing vote.
