US Congress 2023-2024 Regular Session

US Congress House Bill HB6106 Latest Draft

Bill / Introduced Version Filed 10/30/2023

                            I 
118TH CONGRESS
1ST SESSION H. R. 6106
To create a risk framework to evaluate foreign mobile applications of concern, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
OCTOBER 26, 2023
Ms. SHERRILL (for herself, Mr. BERGMAN, Mr. KRISHNAMOORTHI, Mrs. HINSON, Mr. NEWHOUSE, Mr. GARAMENDI, Mr. CROW, Mr. FINSTAD, Mr. CARSON, and Ms. TOKUDA) introduced the following bill; which was referred to the Committee on Armed Services
A BILL
To create a risk framework to evaluate foreign mobile applications of concern, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Bolstering America’s Defenses Against Potentially Perilous Software Act” or the “BAD APPS Act”.
SEC. 2. RISK FRAMEWORK FOR FOREIGN MOBILE APPLICATIONS OF CONCERN.
(a) IN GENERAL.—The Secretary of Defense shall—
•HR 6106 IH
(1) create categorical definitions of foreign mobile applications of concern with respect to personnel or operations of the Department of Defense, distinguishing among categories such as applications for shopping, social media, entertainment, or health; and
(2) create a risk framework with respect to Department personnel or operations that assesses each foreign mobile application (or, if appropriate, grouping of similar such applications) that is from a country of concern for any potential impact on Departmental personnel and Departmental operations, incorporating considerations of—
(A) the manner and extent of data collection by the application;
(B) the ability of the application to influence the user with the applications content to the detriment of the United States;
(C) the manner and extent of foreign ownership or control of the application or data collected by the application;
(D) any foreign government interests associated with the applications;
(E) a software bill of materials with a focus on known or assessed malicious software embedded in the application, including in prior versions of the application or in other applications created by the owners of such application;
(F) any known impact from prior use of the application to Department personnel or operations; and
(G) the foreign mobile application of concern residing on a United States Government device or a personally owned device while in proximity to Department operations or activities or in the personal custody of personnel during Department sanctioned activities.
(b) CONSIDERATIONS.—In developing the categorical definitions and risk framework described in subsection (a), the Secretary of Defense—
(1) shall include in the risk framework foreign mobile applications of concern—
(A) from countries that the Secretary determines to be engaged in consistent, unauthorized conduct that is detrimental to the national security or foreign policy of the United States;
(B) that are accessible to be downloaded from major mobile device application marketplaces by Department personnel; and
(C) originating from, authored in, owned by, or otherwise associated with countries or entities that are designated on the list maintained and set forth in Supplement No. 4 to part 744 of the Export Administration Regulations;
(2) may include additional countries or individual foreign mobile applications with malicious and banned capabilities from other countries to the extent the Secretary determines appropriate; and
(3) shall consider distinguishing within the risk framework the particular interests of a country described in paragraph (1) or (2) in the use of a foreign mobile application of concern of such country (regardless of device or owner) by—
(A) users located at facilities of the Department of Defense of varying levels of sensitivity;
(B) users conducting authorized operations or movements of Department of Defense materiel; or
(C) specific civilian employees of the Department or contractors whom the Secretary determines likely to be a target of a foreign actor.
(c) GUIDANCE AND UPDATES.—The Secretary of Defense shall—
(1) issue guidance to all Department personnel incorporating the categories of foreign mobile applications of concern and advising how to mitigate the risks identified by the risk framework with respect to such applications;
(2) routinely update the categorical definitions and risk framework promulgated pursuant to subsection (a), at least on an annual basis; and
(3) prescribe, if feasible, regulations that appropriately mitigate risks from applications on devices provided by the Department of Defense or on any device used during an activity described in subsection (b)(3)(B) or at locations described under (b)(3)(A).