Today, U.S. Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014." The legislation will ensure that all contractors supplying software, firmware or products to the federal government provide the procuring agency with a bill of materials listing all third-party and open source components used, and demonstrate that those component versions have no known vulnerabilities.
"As a house is only as strong as its foundation, it's no wonder cyber attacks are on the rise with reports showing 71 percent of software contains components with critical vulnerabilities," said Rep. Royce. "This bill protects our nation's cyber infrastructure by ensuring the building blocks that make it up are secure and uncompromised."
"I have voiced concerns to the government agencies in charge of healthcare.gov that our nation's cyber infrastructure was vulnerable and not secure," said Rep. Jenkins. "But the problem is not limited to one website; the entire federal government lacks guidelines for website security. This vital legislation will put the appropriate checks and balances in place to ensure that the government has the tools it needs to create a more sound and secure system for taxpayers."
Additionally, the Cyber Supply Chain Management and Transparency Act of 2014 takes into account future discoveries of vulnerabilities in open source components, such as the Heartbleed vulnerability, and mandates that software applications be patchable, or updatable, when the need arises.
For more information, contact:
Saat Alety (Royce) at Saat.Alety@mail.house.gov or (202) 225-4111
Tom Brandt (Jenkins) at Tom.Brandt@mail.house.gov or (202) 225-6601