Cyber Supply Chain Security

There are many ways to think about enhancing cybersecurity.  One, for example, is the prospect of software liability, which would, drive safer code. Another, interesting take on the problem has just been offered by Representative Ed Royce, the Chairman of the House Committee on Foreign Affairs -- a proposal that he dubs the "Cyber Supply Chain Management and Transparency Act.  The bill is a response to the phenomenon of vulnerabilities in open source code (like the infamous Heartbleed bug) and would, broadly speaking, mandate that all contractors of software, firmware or products to the U.S. Government: "1) provide the procuring agency with a bill of materials of all third party and open source components used - along with their version numbers;  2) demonstrate that those component versions have no known vulnerabilities (NIST CVEs) for which less vulnerable alternatives are available (unless a written exception has been granted); 3) provide secure update mechanisms affording a prompt and agile response when new vulnerabilities are discovered in those products; and, 4) supply said fixes and remediation updates within a reasonable specified time." That's pretty interesting stuff.  I can see some possible arguments against it -- cost being a leading one that comes to mind.  But as an innovative way of addressing cyber security issues without imposing liability,  it deserves serious consideration.  I look forward to the bill's reintroduction next Congress and hearings ...