| 1 | 1 | | I |
|---|
| 2 | 2 | | 118THCONGRESS |
|---|
| 3 | 3 | | 1 |
|---|
| 4 | 4 | | STSESSION H. R. 6106 |
|---|
| 5 | 5 | | To create a risk framework to evaluate foreign mobile applications of concern, |
|---|
| 6 | 6 | | and for other purposes. |
|---|
| 7 | 7 | | IN THE HOUSE OF REPRESENTATIVES |
|---|
| 8 | 8 | | OCTOBER26, 2023 |
|---|
| 9 | 9 | | Ms. S |
|---|
| 10 | 10 | | HERRILL(for herself, Mr. BERGMAN, Mr. KRISHNAMOORTHI, Mrs. |
|---|
| 11 | 11 | | H |
|---|
| 12 | 12 | | INSON, Mr. NEWHOUSE, Mr. GARAMENDI, Mr. CROW, Mr. FINSTAD, |
|---|
| 13 | 13 | | Mr. C |
|---|
| 14 | 14 | | ARSON, and Ms. TOKUDA) introduced the following bill; which was |
|---|
| 15 | 15 | | referred to the Committee on Armed Services |
|---|
| 16 | 16 | | A BILL |
|---|
| 17 | 17 | | To create a risk framework to evaluate foreign mobile |
|---|
| 18 | 18 | | applications of concern, and for other purposes. |
|---|
| 19 | 19 | | Be it enacted by the Senate and House of Representa-1 |
|---|
| 20 | 20 | | tives of the United States of America in Congress assembled, 2 |
|---|
| 21 | 21 | | SECTION 1. SHORT TITLE. 3 |
|---|
| 22 | 22 | | This Act may be cited as the ‘‘Bolstering America’s 4 |
|---|
| 23 | 23 | | Defenses Against Potentially Perilous Software Act’’ or 5 |
|---|
| 24 | 24 | | the ‘‘BAD APPS Act’’. 6 |
|---|
| 25 | 25 | | SEC. 2. RISK FRAMEWORK FOR FOREIGN MOBILE APPLICA-7 |
|---|
| 26 | 26 | | TIONS OF CONCERN. 8 |
|---|
| 27 | 27 | | (a) I |
|---|
| 28 | 28 | | NGENERAL.—The Secretary of Defense shall— 9 |
|---|
| 29 | 29 | | VerDate Sep 11 2014 20:19 Oct 28, 2023 Jkt 049200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H6106.IH H6106 |
|---|
| 30 | 30 | | ssavage on DSKBC07HB2PROD with BILLS 2 |
|---|
| 31 | 31 | | •HR 6106 IH |
|---|
| 32 | 32 | | (1) create categorical definitions of foreign mo-1 |
|---|
| 33 | 33 | | bile applications of concern with respect to personnel 2 |
|---|
| 34 | 34 | | or operations of the Department of Defense, distin-3 |
|---|
| 35 | 35 | | guishing among categories such as applications for 4 |
|---|
| 36 | 36 | | shopping, social media, entertainment, or health; 5 |
|---|
| 37 | 37 | | and 6 |
|---|
| 38 | 38 | | (2) create a risk framework with respect to De-7 |
|---|
| 39 | 39 | | partment personnel or operations that assesses each 8 |
|---|
| 40 | 40 | | foreign mobile application (or, if appropriate, group-9 |
|---|
| 41 | 41 | | ing of similar such applications) that is from a coun-10 |
|---|
| 42 | 42 | | try of concern for any potential impact on Depart-11 |
|---|
| 43 | 43 | | mental personnel and Departmental operations, in-12 |
|---|
| 44 | 44 | | corporating considerations of— 13 |
|---|
| 45 | 45 | | (A) the manner and extent of data collec-14 |
|---|
| 46 | 46 | | tion by the application; 15 |
|---|
| 47 | 47 | | (B) the ability of the application to influ-16 |
|---|
| 48 | 48 | | ence the user with the applications content to 17 |
|---|
| 49 | 49 | | the detriment of the United States; 18 |
|---|
| 50 | 50 | | (C) the manner and extent of foreign own-19 |
|---|
| 51 | 51 | | ership or control of the application or data col-20 |
|---|
| 52 | 52 | | lected by the application; 21 |
|---|
| 53 | 53 | | (D) any foreign government interests asso-22 |
|---|
| 54 | 54 | | ciated with the applications; 23 |
|---|
| 55 | 55 | | (E) a software bill of materials with a 24 |
|---|
| 56 | 56 | | focus on known or assessed malicious software 25 |
|---|
| 57 | 57 | | VerDate Sep 11 2014 20:19 Oct 28, 2023 Jkt 049200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H6106.IH H6106 |
|---|
| 58 | 58 | | ssavage on DSKBC07HB2PROD with BILLS 3 |
|---|
| 59 | 59 | | •HR 6106 IH |
|---|
| 60 | 60 | | embedded in the application, including in prior 1 |
|---|
| 61 | 61 | | versions of the application or in other applica-2 |
|---|
| 62 | 62 | | tions created by the owners of such application; 3 |
|---|
| 63 | 63 | | (F) any known impact from prior use of 4 |
|---|
| 64 | 64 | | the application to Department personnel or op-5 |
|---|
| 65 | 65 | | erations; and 6 |
|---|
| 66 | 66 | | (G) the foreign mobile application of con-7 |
|---|
| 67 | 67 | | cern residing on a United States Government 8 |
|---|
| 68 | 68 | | device or a personally owned device while in 9 |
|---|
| 69 | 69 | | proximity to Department operations or activi-10 |
|---|
| 70 | 70 | | ties or in the personal custody of personnel dur-11 |
|---|
| 71 | 71 | | ing Department sanctioned activities. 12 |
|---|
| 72 | 72 | | (b) C |
|---|
| 73 | 73 | | ONSIDERATIONS.—In developing the categorical 13 |
|---|
| 74 | 74 | | definitions and risk framework described in subsection (a), 14 |
|---|
| 75 | 75 | | the Secretary of Defense— 15 |
|---|
| 76 | 76 | | (1) shall include in the risk framework foreign 16 |
|---|
| 77 | 77 | | mobile applications of concern— 17 |
|---|
| 78 | 78 | | (A) from countries that the Secretary de-18 |
|---|
| 79 | 79 | | termines to be engaged in consistent, unauthor-19 |
|---|
| 80 | 80 | | ized conduct that is detrimental to the national 20 |
|---|
| 81 | 81 | | security or foreign policy of the United States; 21 |
|---|
| 82 | 82 | | (B) that are accessible to be downloaded 22 |
|---|
| 83 | 83 | | from major mobile device application market-23 |
|---|
| 84 | 84 | | places by Department personnel; and 24 |
|---|
| 85 | 85 | | VerDate Sep 11 2014 20:19 Oct 28, 2023 Jkt 049200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H6106.IH H6106 |
|---|
| 86 | 86 | | ssavage on DSKBC07HB2PROD with BILLS 4 |
|---|
| 87 | 87 | | •HR 6106 IH |
|---|
| 88 | 88 | | (C) originating from, authored in, owned 1 |
|---|
| 89 | 89 | | by, or otherwise associated with countries or en-2 |
|---|
| 90 | 90 | | tities that are designated on the list maintained 3 |
|---|
| 91 | 91 | | and set forth in Supplement No. 4 to part 744 4 |
|---|
| 92 | 92 | | of the Export Administration Regulations; 5 |
|---|
| 93 | 93 | | (2) may include additional countries or indi-6 |
|---|
| 94 | 94 | | vidual foreign mobile applications with malicious and 7 |
|---|
| 95 | 95 | | banned capabilities from other countries to the ex-8 |
|---|
| 96 | 96 | | tent the Secretary determines appropriate; and 9 |
|---|
| 97 | 97 | | (3) shall consider distinguishing within the risk 10 |
|---|
| 98 | 98 | | framework the particular interests of a country de-11 |
|---|
| 99 | 99 | | scribed in paragraph (1) or (2) in the use of a for-12 |
|---|
| 100 | 100 | | eign mobile application of concern of such country 13 |
|---|
| 101 | 101 | | (regardless of device or owner) by— 14 |
|---|
| 102 | 102 | | (A) users located at facilities of the De-15 |
|---|
| 103 | 103 | | partment of Defense of varying levels of sensi-16 |
|---|
| 104 | 104 | | tivity; 17 |
|---|
| 105 | 105 | | (B) users conducting authorized operations 18 |
|---|
| 106 | 106 | | or movements of Department of Defense mate-19 |
|---|
| 107 | 107 | | riel; or 20 |
|---|
| 108 | 108 | | (C) specific civilian employees of the De-21 |
|---|
| 109 | 109 | | partment or contractors whom the Secretary 22 |
|---|
| 110 | 110 | | determines likely to be a target of a foreign 23 |
|---|
| 111 | 111 | | actor. 24 |
|---|
| 112 | 112 | | VerDate Sep 11 2014 20:19 Oct 28, 2023 Jkt 049200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H6106.IH H6106 |
|---|
| 113 | 113 | | ssavage on DSKBC07HB2PROD with BILLS 5 |
|---|
| 114 | 114 | | •HR 6106 IH |
|---|
| 115 | 115 | | (c) GUIDANCE ANDUPDATES.—The Secretary of De-1 |
|---|
| 116 | 116 | | fense shall— 2 |
|---|
| 117 | 117 | | (1) issue guidance to all Department personnel 3 |
|---|
| 118 | 118 | | incorporating the categories of foreign mobile appli-4 |
|---|
| 119 | 119 | | cations of concern and advising how to mitigate the 5 |
|---|
| 120 | 120 | | risks identified by the risk framework with respect 6 |
|---|
| 121 | 121 | | to such applications; 7 |
|---|
| 122 | 122 | | (2) routinely update the categorical definitions 8 |
|---|
| 123 | 123 | | and risk framework promulgated pursuant to sub-9 |
|---|
| 124 | 124 | | section (a), at least on an annual basis; and 10 |
|---|
| 125 | 125 | | (3) prescribe, if feasible, regulations that appro-11 |
|---|
| 126 | 126 | | priately mitigate risks from applications on devices 12 |
|---|
| 127 | 127 | | provided by the Department of Defense or on any 13 |
|---|
| 128 | 128 | | device used during an activity described in sub-14 |
|---|
| 129 | 129 | | section (b)(3)(B) or at locations described under 15 |
|---|
| 130 | 130 | | (b)(3)(A). 16 |
|---|
| 131 | 131 | | Æ |
|---|
| 132 | 132 | | VerDate Sep 11 2014 20:19 Oct 28, 2023 Jkt 049200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6301 E:\BILLS\H6106.IH H6106 |
|---|
| 133 | 133 | | ssavage on DSKBC07HB2PROD with BILLS |
|---|