118th CONGRESS
1st Session

H. R. 285

To amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

January 11, 2023

Ms. Jackson Lee introduced the following bill; which was referred to the Committee on Homeland Security

A BILL

To amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Cybersecurity Vulnerability Remediation Act”.

SEC. 2. CYBERSECURITY VULNERABILITIES.

Section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) is amended—
    (1) in subsection (a)—
        (A) by redesignating paragraphs (6) through (9) as paragraphs (7) through (10), respectively; and
        (B) by inserting after paragraph (5) the following new paragraph:
    “(6) the term ‘cybersecurity vulnerability’ has the meaning given the term ‘security vulnerability’ in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and”;
    (2) in subsection (c)—
        (A) in paragraph (5)—
            (i) in subparagraph (A), by striking “and” after the semicolon at the end;
            (ii) by redesignating subparagraphs (B) and (C) as subparagraphs (C) and (D), respectively;
            (iii) by inserting after subparagraph (A) the following new subparagraph:
    “(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and”; and
            (iv) in subparagraph (C), as so redesignated, by inserting “and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B)” before “with Federal”; and
        (B) in paragraph (9), by inserting “mitigation protocols to counter cybersecurity vulnerabilities,” after “measures,”;
    (3) by redesignating the second subsections (p) and (q) (relating to coordination on cybersecurity for SLITT entities and a report, respectively) as subsections (r) and (s), respectively; and
    (4) by adding at the end the following new subsection:
“(t) PROTOCOLS TO COUNTER CERTAIN CYBERSECURITY VULNERABILITIES.—The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”.

SEC. 3. REPORT ON CYBERSECURITY VULNERABILITIES.

(a) REPORT.—Not later than one year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how the Agency carries out subsection (n) of section 2209 of the Homeland Security Act of 2002 to coordinate vulnerability disclosures, including disclosures of cybersecurity vulnerabilities (as such term is defined in such section), and subsection (t) of such section (as added by section 2) to disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, that includes the following:
    (1) A description of the policies and procedures relating to the coordination of vulnerability disclosures.
    (2) A description of the levels of activity in furtherance of such subsections (n) and (t) of such section 2209.
    (3) Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders.
    (4) Any available information on the degree to which such information was acted upon by industry and other stakeholders.
    (5) A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.
(b) FORM.—The report required under subsection (b) shall be submitted in unclassified form but may contain a classified annex.

SEC. 4. COMPETITION RELATING TO CYBERSECURITY VULNERABILITIES.

The Under Secretary for Science and Technology of the Department of Homeland Security, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department, may establish an incentive-based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities (as such term is defined in section 2209 of the Homeland Security Act of 2002, as amended by section 2) to information systems (as such term is defined in such section 2209) and industrial control systems, including supervisory control and data acquisition systems.