Title 42: The Public Health and Welfare (Release 119-73)

§18933 Software security and authentication

Title 42 › Chapter 163 - RESEARCH AND DEVELOPMENT, COMPETITION, AND INNOVATION › Subchapter II - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FOR THE FUTURE › Part A - Measurement Research › § 18933

Last updated Apr 6, 2026

Summary

The Director must assign severity scores to vulnerabilities in open source software and produce voluntary guidance to help repository maintainers find and fix those problems. The Director must also conduct research and testing to improve AI-based cybersecurity, including generating training data for AI defenses and testing different network designs to see what improves security. The Director must make sure all software released by the Institute is digitally signed and maintained so people can confirm it is authentic and unchanged when they install or run it. If funding is available, the Director must help train Federal Inspectors General and their staff who perform the annual security evaluation required under section 3555 of title 44. The Director must work with industry, academia, and other agencies to develop software security outcomes and practices for the full software lifecycle and promote their voluntary adoption.

Full Legal Text

Title 42, §18933

The Public Health and Welfare — Source: USLM XML via OLRC

(a) The Director shall assign severity metrics to identified vulnerabilities with open source software and produce voluntary guidance to assist the entities that maintain open source software repositories to discover and mitigate vulnerabilities.

(b) The Director shall carry out research and testing to improve the effectiveness of artificial intelligence-enabled cybersecurity, including by generating optimized data sets to train artificial intelligence defense systems and evaluating the performance of varying network architectures at strengthening network security.

(c) The Director shall ensure all software released by the Institute is digitally signed and maintained to enable stakeholders to verify its authenticity and integrity upon installation and execution.

(d) Subject to available funding, the Director shall provide technical assistance to improve the education and training of individual Federal agency Inspectors General and staff who are responsible for the annual independent evaluation they are required to perform of the information security program and practices of Federal agencies under section 3555 of title 44.

(e)(1) The Director shall, in coordination with industry, academia, and other Federal agencies, as appropriate, develop a set of security outcomes and practices, including security controls, control enhancements, supplemental guidance, or other supporting information to enable software developers and operators to identify, assess, and manage cybersecurity risks over the full lifecycle of software products.

(2) The Director shall conduct outreach and coordination activities to share technical expertise with Federal agencies, relevant industry stakeholders, and standards development organizations, as appropriate, to encourage the voluntary adoption of the software lifecycle security practices by Federal agencies and industry stakeholders.

Reference

Citations & Metadata

Citation

42 U.S.C. § 18933
