US HR5793

Cyber Supply Chain Management and Transparency Act of 2014



Introduced: 12/04/2014
In Committee: 12/04/2014
Crossed Over
Passed
Dead: 01/03/2015

Introduced Session

113th Congress

Bill Summary

Cyber Supply Chain Management and Transparency Act of 2014

AI Summary

This bill, the Cyber Supply Chain Management and Transparency Act of 2014, aims to strengthen the security of software, firmware, and products used by the U.S. Government by requiring the Office of Management and Budget (OMB) to issue guidelines for government agencies. These guidelines will mandate that contracts for software, firmware, or products containing "binary components" – which are defined as third-party or open-source components – must include specific clauses. These clauses will require contractors to provide a detailed list of all binary components used, verify that these components do not have known security vulnerabilities listed in databases like the National Institute of Standards and Technology (NIST) National Vulnerability Database, and notify the agency of any discovered vulnerabilities. The bill also includes provisions for waivers for vulnerable components, requiring agencies to accept the associated risks, and ensures that software is designed to allow for easy patching and updating of security flaws. Furthermore, agencies will be required to have processes in place to replace or repair vulnerable binary components, and to migrate away from unfixable vulnerable products. The bill also mandates the creation of an inventory of existing vulnerable components and an annual report from the Department of Homeland Security assessing the security of binary component suppliers. Finally, it requires agencies to report on the removal of vulnerable binary components and to prioritize critical systems in this replacement process.

Committee Categories

Government Affairs

Sponsors (2)

Last Action

Referred to the House Committee on Oversight and Government Reform. (on 12/04/2014)
