US Congress 2023-2024 Regular Session

US Congress Senate Bill SB1500 Compare Versions

Only one version of the bill is available at this time.
118TH CONGRESS
1ST SESSION

S. 1500

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

IN THE SENATE OF THE UNITED STATES

MAY 9, 2023

Mr. WARNER (for himself and Ms. COLLINS) introduced the following bill; which was read twice and referred to the Committee on Rules and Administration

A BILL

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

VerDate Sep 11 2014 22:46 May 15, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\S1500.IS S1500
pbinns on DSKJLVW7X2PROD with $$_JOB 2
•S 1500 IS

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act’’ or the ‘‘SECURE IT Act’’.

SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND CERTIFICATION OF VOTING SYSTEMS.

Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971) is amended by adding at the end the following new subsection:

‘‘(e) REQUIRED PENETRATION TESTING.—

‘‘(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this subsection, the Commission shall provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.

‘‘(2) ACCREDITATION.—The Director of the National Institute of Standards and Technology shall recommend to the Commission entities the Director proposes be accredited to carry out penetration testing under this subsection and certify compliance with the penetration testing-related guidelines required by this subsection. The Commission shall vote on the accreditation of any entity recommended. The requirements for such accreditation shall be a subset of the requirements for accreditation of laboratories under subsection (b) and shall only be based on consideration of an entity’s competence to conduct penetration testing under this subsection.’’.

SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.

(a) IN GENERAL.—Subtitle D of title II of the Help America Vote Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end the following new part:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS

‘‘SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS.

‘‘(a) IN GENERAL.—

‘‘(1) ESTABLISHMENT.—The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the ‘program’) in order to test for and disclose cybersecurity vulnerabilities in election systems.

‘‘(2) DURATION.—The program shall be conducted for a period of 5 years.

‘‘(3) REQUIREMENTS.—In carrying out the program, the Commission, in consultation with the Secretary, shall—

‘‘(A) establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;

‘‘(B) provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;

‘‘(C) establish terms of participation that—

‘‘(i) describe the scope of testing permitted under the program;

‘‘(ii) require researchers to—

‘‘(I) notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and

‘‘(II) otherwise keep such vulnerability confidential for 180 days after such notification;

‘‘(iii) require the good faith participation of all participants in the program; and

‘‘(iv) require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—

‘‘(I) send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and

‘‘(II) notify the Commission and the Secretary that such patch has been sent to such officials;

‘‘(D) in the case where a patch or fix to address a vulnerability disclosed under subparagraph (C)(ii)(I) is intended to be applied to a system certified by the Commission, provide—

‘‘(i) for the expedited review of such patch or fix within 90 days after receipt by the Commission; and

‘‘(ii) if such review is not completed by the last day of such 90 day period, that such patch or fix shall be deemed to be certified by the Commission; and

‘‘(E) 180 days after the disclosure of a vulnerability under subparagraph (C)(ii)(I), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.

‘‘(4) VOLUNTARY PARTICIPATION; SAFE HARBOR.—

‘‘(A) VOLUNTARY PARTICIPATION.—Participation in the program shall be voluntary for election systems vendors and researchers.

‘‘(B) SAFE HARBOR.—When conducting research under this program, such research and subsequent publication shall be considered to be:

‘‘(i) Authorized in accordance with section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.

‘‘(ii) Exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the ‘Digital Millennium Copyright Act’), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.

‘‘(C) RULE OF CONSTRUCTION.—Nothing in this paragraph may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).

‘‘(5) EXEMPT FROM DISCLOSURE.—Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).

‘‘(6) DEFINITIONS.—In this subsection:

‘‘(A) CYBERSECURITY VULNERABILITY.—The term ‘cybersecurity vulnerability’ means, with respect to an election system, any security vulnerability that affects the election system.

‘‘(B) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means—

‘‘(i) storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and

‘‘(ii) related information and communications technology, including—

‘‘(I) voter registration databases;

‘‘(II) election management systems;

‘‘(III) voting machines;

‘‘(IV) electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and

‘‘(V) other systems used to manage the election process and to report and display election results on behalf of an election agency.

‘‘(C) ELECTION SYSTEM.—The term ‘election system’ means any information system that is part of an election infrastructure, including any related information and communications technology described in subparagraph (B)(ii).

‘‘(D) ELECTION SYSTEM VENDOR.—The term ‘election system vendor’ means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.

‘‘(E) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.

‘‘(F) SECRETARY.—The term ‘Secretary’ means the Secretary of Homeland Security.

‘‘(G) SECURITY VULNERABILITY.—The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).’’.

(b) CLERICAL AMENDMENT.—The table of contents of such Act is amended by adding at the end of the items relating to subtitle D of title II the following:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS

‘‘Sec. 297. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems.’’.