118TH CONGRESS
2D SESSION

H. R. 7447

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

IN THE HOUSE OF REPRESENTATIVES

FEBRUARY 23, 2024

Ms. SPANBERGER (for herself and Mr. VALADAO) introduced the following bill; which was referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act’’ or the ‘‘SECURE IT Act’’.

SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND CERTIFICATION OF VOTING SYSTEMS.

Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971) is amended by adding at the end the following new subsection:

‘‘(e) REQUIRED PENETRATION TESTING.—

    ‘‘(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this subsection, the Commission shall provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.

    ‘‘(2) ACCREDITATION.—The Director of the National Institute of Standards and Technology shall recommend to the Commission entities the Director proposes be accredited to carry out penetration testing under this subsection and certify compliance with the penetration testing-related guidelines required by this subsection. The Commission shall vote on the accreditation of any entity recommended. The requirements for such accreditation shall be a subset of the requirements for accreditation of laboratories under subsection (b) and shall only be based on consideration of an entity’s competence to conduct penetration testing under this subsection.’’.

SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.

(a) IN GENERAL.—Subtitle D of title II of the Help America Vote Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end the following new part:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS

‘‘SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS.

‘‘(a) ESTABLISHMENT.—The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the ‘program’) in order to test for and disclose cybersecurity vulnerabilities in election systems.

‘‘(b) DURATION.—The program shall be conducted for a period of 5 years.

‘‘(c) REQUIREMENTS.—In carrying out the program, the Commission, in consultation with the Secretary, shall—

    ‘‘(1) establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;

    ‘‘(2) provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;

    ‘‘(3) establish terms of participation that—

        ‘‘(A) describe the scope of testing permitted under the program;

        ‘‘(B) require researchers to—

            ‘‘(i) notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and

            ‘‘(ii) otherwise keep such vulnerability confidential for 180 days after such notification;

        ‘‘(C) require the good faith participation of all participants in the program; and

        ‘‘(D) require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—

            ‘‘(i) send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and

            ‘‘(ii) notify the Commission and the Secretary that such patch has been sent to such officials;

    ‘‘(4) in the case where a patch or fix to address a vulnerability disclosed under paragraph (3)(B)(i) is intended to be applied to a system certified by the Commission, provide—

        ‘‘(A) for the expedited review of such patch or fix within 90 days after receipt by the Commission; and

        ‘‘(B) if such review is not completed by the last day of such 90-day period, that such patch or fix shall be deemed to be certified by the Commission; and

    ‘‘(5) 180 days after the disclosure of a vulnerability under paragraph (3)(B)(i), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.

‘‘(d) VOLUNTARY PARTICIPATION; SAFE HARBOR.—

    ‘‘(1) VOLUNTARY PARTICIPATION.—Participation in the program shall be voluntary for election systems vendors and researchers.

    ‘‘(2) SAFE HARBOR.—Research conducted under the program, and any subsequent publication of such research, shall be treated as follows:

        ‘‘(A) The research and publication shall be treated as authorized in accordance with section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.

        ‘‘(B) The research and publication shall be exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the ‘Digital Millennium Copyright Act’), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.

    ‘‘(3) RULE OF CONSTRUCTION.—Nothing in this subsection may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).

    ‘‘(4) EXEMPT FROM DISCLOSURE.—Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).

‘‘(e) DEFINITIONS.—In this section:

    ‘‘(1) CYBERSECURITY VULNERABILITY.—The term ‘cybersecurity vulnerability’ means, with respect to an election system, any security vulnerability that affects the election system.

    ‘‘(2) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means—

        ‘‘(A) storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and

        ‘‘(B) related information and communications technology, including—

            ‘‘(i) voter registration databases;

            ‘‘(ii) election management systems;

            ‘‘(iii) voting machines;

            ‘‘(iv) electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and

            ‘‘(v) other systems used to manage the election process and to report and display election results on behalf of an election agency.

    ‘‘(3) ELECTION SYSTEM.—The term ‘election system’ means any information system that is part of an election infrastructure, including any related information and communications technology described in paragraph (2)(B).

    ‘‘(4) ELECTION SYSTEM VENDOR.—The term ‘election system vendor’ means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.

    ‘‘(5) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.

    ‘‘(6) SECRETARY.—The term ‘Secretary’ means the Secretary of Homeland Security.

    ‘‘(7) SECURITY VULNERABILITY.—The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).’’.

(b) CLERICAL AMENDMENT.—The table of contents of such Act is amended by adding at the end of the items relating to subtitle D of title II the following:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS

‘‘Sec. 297. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems.’’.

VerDate Sep 11 2014 01:28 Feb 29, 2024 Jkt 049200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H7447.IH H7447