US Congress 2023-2024 Regular Session

US Congress House Bill HB7447 Compare Versions

Only one version of the bill is available at this time.
118TH CONGRESS
2D SESSION

H. R. 7447

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

IN THE HOUSE OF REPRESENTATIVES

FEBRUARY 23, 2024

Ms. SPANBERGER (for herself and Mr. VALADAO) introduced the following bill; which was referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
VerDate Sep 11 2014 01:28 Feb 29, 2024 Jkt 049200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H7447.IH H7447
ssavage on LAPJG3WLY3PROD with BILLS
•HR 7447 IH
SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act’’ or the ‘‘SECURE IT Act’’.

SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND CERTIFICATION OF VOTING SYSTEMS.

Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971) is amended by adding at the end the following new subsection:

‘‘(e) REQUIRED PENETRATION TESTING.—

‘‘(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this subsection, the Commission shall provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.

‘‘(2) ACCREDITATION.—The Director of the National Institute of Standards and Technology shall recommend to the Commission entities the Director proposes be accredited to carry out penetration testing under this subsection and certify compliance with the penetration testing-related guidelines required by this subsection. The Commission shall vote on the accreditation of any entity recommended. The requirements for such accreditation shall be a subset of the requirements for accreditation of laboratories under subsection (b) and shall only be based on consideration of an entity’s competence to conduct penetration testing under this subsection.’’.

SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.

(a) IN GENERAL.—Subtitle D of title II of the Help America Vote Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end the following new part:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS

‘‘SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS.

‘‘(a) ESTABLISHMENT.—The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the ‘program’) in order to test for and disclose cybersecurity vulnerabilities in election systems.

‘‘(b) DURATION.—The program shall be conducted for a period of 5 years.

‘‘(c) REQUIREMENTS.—In carrying out the program, the Commission, in consultation with the Secretary, shall—

‘‘(1) establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;

‘‘(2) provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;

‘‘(3) establish terms of participation that—

‘‘(A) describe the scope of testing permitted under the program;

‘‘(B) require researchers to—

‘‘(i) notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and

‘‘(ii) otherwise keep such vulnerability confidential for 180 days after such notification;

‘‘(C) require the good faith participation of all participants in the program; and

‘‘(D) require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—

‘‘(i) send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and

‘‘(ii) notify the Commission and the Secretary that such patch has been sent to such officials;

‘‘(4) in the case where a patch or fix to address a vulnerability disclosed under paragraph (3)(B)(i) is intended to be applied to a system certified by the Commission, provide—

‘‘(A) for the expedited review of such patch or fix within 90 days after receipt by the Commission; and

‘‘(B) if such review is not completed by the last day of such 90-day period, that such patch or fix shall be deemed to be certified by the Commission; and

‘‘(5) 180 days after the disclosure of a vulnerability under paragraph (3)(B)(i), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.

‘‘(d) VOLUNTARY PARTICIPATION; SAFE HARBOR.—

‘‘(1) VOLUNTARY PARTICIPATION.—Participation in the program shall be voluntary for election systems vendors and researchers.

‘‘(2) SAFE HARBOR.—Research conducted under the program, and any subsequent publication of such research, shall be treated as follows:

‘‘(A) The research and publication shall be treated as authorized in accordance with section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.

‘‘(B) The research and publication shall be exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the ‘Digital Millennium Copyright Act’), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.

‘‘(3) RULE OF CONSTRUCTION.—Nothing in this subsection may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).

‘‘(4) EXEMPT FROM DISCLOSURE.—Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).

‘‘(e) DEFINITIONS.—In this section:

‘‘(1) CYBERSECURITY VULNERABILITY.—The term ‘cybersecurity vulnerability’ means, with respect to an election system, any security vulnerability that affects the election system.

‘‘(2) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means—

‘‘(A) storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and

‘‘(B) related information and communications technology, including—

‘‘(i) voter registration databases;

‘‘(ii) election management systems;

‘‘(iii) voting machines;

‘‘(iv) electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and

‘‘(v) other systems used to manage the election process and to report and display election results on behalf of an election agency.

‘‘(3) ELECTION SYSTEM.—The term ‘election system’ means any information system that is part of an election infrastructure, including any related information and communications technology described in paragraph (2)(B).

‘‘(4) ELECTION SYSTEM VENDOR.—The term ‘election system vendor’ means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.

‘‘(5) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.

‘‘(6) SECRETARY.—The term ‘Secretary’ means the Secretary of Homeland Security.

‘‘(7) SECURITY VULNERABILITY.—The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).’’.

(b) CLERICAL AMENDMENT.—The table of contents of such Act is amended by adding at the end of the items relating to subtitle D of title II the following:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS

‘‘Sec. 297. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems.’’.