Cyber Supply Chain Management and Transparency Act of 2014 - Requires the Office of Management and Budget (OMB) to issue guidelines for agencies that contract to acquire software, firmware, or products containing a third party or open source binary component.
Requires binary component contracts to include clauses requiring:
Directs the OMB to issue guidance requiring agencies: (1) to replace components with currently known vulnerabilities and to remove or repair any new vulnerable components that become known; and (2) to migrate to patchable, repairable, and fixable products.
Requires agencies to provide the Department of Homeland Security (DHS) with a list of each known vulnerable component in any product in use by the agencies.
Directs DHS to issue an annual confidential report describing the security vulnerabilities of projects that created any known vulnerable component. Requires the report to assess the integrity of component suppliers for the incidence of security vulnerabilities for use by other agencies.
Requires agencies, within 30 months after enactment of this Act, to report to Congress regarding the completion of the removal of each known vulnerable or defective component.
Directs other entities of the U.S. government to replace vulnerable components with less vulnerable alternatives.
[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5793 Introduced in House (IH)]
113th CONGRESS
2d Session
H. R. 5793
To ensure the integrity of any software, firmware, or product developed
for or purchased by the United States Government that uses a third
party or open source component, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
December 4, 2014
Mr. Royce (for himself and Ms. Jenkins) introduced the following bill;
which was referred to the Committee on Oversight and Government Reform
_______________________________________________________________________
A BILL
To ensure the integrity of any software, firmware, or product developed
for or purchased by the United States Government that uses a third
party or open source component, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Supply Chain Management and
Transparency Act of 2014''.
SEC. 2. SOFTWARE, FIRMWARE, OR PRODUCT WITH KNOWN SECURITY
VULNERABILITIES OR DEFECTS.
(a) OMB Guidelines Required.--
(1) Clauses required in software, firmware, or product
contracts for software, firmware, or product created with a
binary component.--Not later than 180 days after the date of
the enactment of this Act, the Director of the Office of
Management and Budget, in consultation with the Secretary of
Defense, the Secretary of Homeland Security, and any other
intelligence or national security agency the Director
determines to be necessary, shall issue guidelines for each
agency that require including the following clauses in any
contract for the acquisition of software, firmware, or product
that contains a binary component:
(A) Component list.--A clause that requires the
inclusion of a comprehensive and confidentially
supplied list, or a bill of materials, of each binary
component of the software, firmware, or product that is
used in the software, firmware, or product.
(B) Verification required.--A clause that requires
the contractor providing the software, firmware, or
product--
(i) to verify that the software, firmware,
or product does not contain any known security
vulnerabilities or defects that are listed in
the National Institute of Standards and
Technology National Vulnerability Database and
any additional database selected by the
Director of the Office of Management and Budget
(that is credible and similar to the National
Vulnerability Database) that tracks security
vulnerabilities and defects in a binary
component, and that is necessary to capture a
wider list of binary components (with known
security vulnerabilities or defects and for
which a less vulnerable alternative is
available); and
(ii) to notify the purchasing agency of any
known security vulnerabilities or defects
discovered through the verification required
under clause (i).
(C) Waiver.--A clause that requires--
(i) a contractor to submit a written
application, and obtain a waiver, for each
binary component that is known to be vulnerable
from the head of the purchasing agency; and
(ii) if the head of the purchasing agency
approves the waiver, such head shall provide
the contractor with a written statement that
the agency accepts all of the risk associated
with the use of such binary component.
(D) Updates.--A clause that requires such software,
firmware, or product to be written or designed in a
manner that allows for any future security
vulnerability or defect in any part of the software,
firmware, or product to be easily patched, updated, or
replaced to fix the vulnerability or defect in the
software, firmware, or product.
(E) Timely repair.--A clause that requires the
contractor to provide a repair in a timely manner with
regard to any new security vulnerability discovered
through any of the databases described in subparagraph
(B).
(2) Disclosure of security vulnerability or defect.--Not
later than 180 days after the date of the enactment of this
Act, the Director of the Office of Management and Budget shall
issue guidelines for each agency with respect to any software,
firmware, or product in use by the United States Government
that contains a binary component that requires each agency to
have a process--
(A) to replace any currently known vulnerable
binary component; and
(B) to remove and repair any new vulnerable binary
component after such component becomes known pursuant
to paragraph (1)(B).
(3) Agency guidelines.--
(A) Software, firmware, or product that can not be
fixed or patched.--Not later than 220 days after the
date of the enactment of this Act, the Director of the
Office of Management and Budget shall issue guidelines
for each agency with respect to any software, firmware,
or product that contains a known vulnerable binary
component--
(i) that can not be fixed, patched, or
updated; and
(ii) that requires such component, to
migrate to patchable, repairable, and fixable
products.
(B) Inventory of existing software, firmware, or
product with a known vulnerable binary component.--Not
later than 20 months after the date of the enactment of
this Act, the Director of the Office of Budget of
Management shall instruct each agency to provide the
relevant office in the Department of Homeland Security
with a list of each known vulnerable binary in any
software, firmware or product in use by each agency.
(C) Analysis of project integrity and annual
report.--Not later than twelve months after all lists
described in subparagraph (B) are provided to the
Department of Homeland Security, the Secretary of
Homeland Security shall issue an annual confidential
report describing the security vulnerabilities of the
projects that created any known vulnerable binary
component in any list described in subparagraph (B) and
through the verification required under paragraph
(1)(B). The report shall assess the integrity of binary
component suppliers for the incidence of security
vulnerabilities, the severity, the mean time to
remediate such vulnerabilities that can be applied to
assess the security of binary projects and suppliers,
for use by other agencies.
(b) Report on Removal of Binary Component With Known Security
Vulnerability or Defect.--Not later than 30 months after the date of
the enactment of this Act, the head of each agency shall submit to each
relevant Committee of jurisdiction in the House of Representatives and
the Senate a report on the completion of the removal of each binary
component with known security vulnerabilities or defects in the agency
and shall include a classified version of this report for the Permanent
Select Committee on Intelligence and the Committees on Armed Services,
Foreign Affairs, and Homeland Security of the House of Representatives
and the Select Committee on Intelligence and the Committees on Armed
Services, Foreign Affairs, and Homeland Security and Governmental
Affairs of the Senate. The report shall also detail the policies,
procedures, and processes by which a newly discovered vulnerable binary
component is replaced in software, firmware, and products in use by the
United States Government.
(c) Other Entities of the United States Government.--Any other
entity of the United States Government--
(1) shall replace any vulnerable binary component with
another less vulnerable alternative in any software, firmware,
or product in use by the entity; and
(2) shall begin such replacement process with critical
systems.
(d) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning given that
term in section 551(1) of title 5, United States Code.
(2) Binary component.--The term ``binary component'' means
a third party or open source component.
Introduced in House
Sponsor introductory remarks on measure. (CR E1743-1745)
Referred to the House Committee on Oversight and Government Reform.