II
118TH CONGRESS
1ST SESSION

S. 1500

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

IN THE SENATE OF THE UNITED STATES

MAY 9, 2023

Mr. WARNER (for himself and Ms. COLLINS) introduced the following bill; which was read twice and referred to the Committee on Rules and Administration

A BILL

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

VerDate Sep 11 2014 22:46 May 15, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\S1500.IS S1500 pbinns on DSKJLVW7X2PROD with $$_JOB
•S 1500 IS

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act’’ or the ‘‘SECURE IT Act’’.

SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND CERTIFICATION OF VOTING SYSTEMS.

Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971) is amended by adding at the end the following new subsection:

‘‘(e) REQUIRED PENETRATION TESTING.—

    ‘‘(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this subsection, the Commission shall provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.

    ‘‘(2) ACCREDITATION.—The Director of the National Institute of Standards and Technology shall recommend to the Commission entities the Director proposes be accredited to carry out penetration testing under this subsection and certify compliance with the penetration testing-related guidelines required by this subsection. The Commission shall vote on the accreditation of any entity recommended. The requirements for such accreditation shall be a subset of the requirements for accreditation of laboratories under subsection (b) and shall only be based on consideration of an entity’s competence to conduct penetration testing under this subsection.’’.

SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.

(a) IN GENERAL.—Subtitle D of title II of the Help America Vote Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end the following new part:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS

‘‘SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS.

‘‘(a) IN GENERAL.—

    ‘‘(1) ESTABLISHMENT.—The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the ‘program’) in order to test for and disclose cybersecurity vulnerabilities in election systems.

    ‘‘(2) DURATION.—The program shall be conducted for a period of 5 years.

    ‘‘(3) REQUIREMENTS.—In carrying out the program, the Commission, in consultation with the Secretary, shall—

        ‘‘(A) establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;

        ‘‘(B) provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;

        ‘‘(C) establish terms of participation that—

            ‘‘(i) describe the scope of testing permitted under the program;

            ‘‘(ii) require researchers to—

                ‘‘(I) notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and

                ‘‘(II) otherwise keep such vulnerability confidential for 180 days after such notification;

            ‘‘(iii) require the good faith participation of all participants in the program; and

            ‘‘(iv) require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—

                ‘‘(I) send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and

                ‘‘(II) notify the Commission and the Secretary that such patch has been sent to such officials;

        ‘‘(D) in the case where a patch or fix to address a vulnerability disclosed under subparagraph (C)(ii)(I) is intended to be applied to a system certified by the Commission, provide—

            ‘‘(i) for the expedited review of such patch or fix within 90 days after receipt by the Commission; and

            ‘‘(ii) if such review is not completed by the last day of such 90 day period, that such patch or fix shall be deemed to be certified by the Commission; and

        ‘‘(E) 180 days after the disclosure of a vulnerability under subparagraph (C)(ii)(I), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.

    ‘‘(4) VOLUNTARY PARTICIPATION; SAFE HARBOR.—

        ‘‘(A) VOLUNTARY PARTICIPATION.—Participation in the program shall be voluntary for election systems vendors and researchers.

        ‘‘(B) SAFE HARBOR.—When conducting research under this program, such research and subsequent publication shall be considered to be:

            ‘‘(i) Authorized in accordance with section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.

            ‘‘(ii) Exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the ‘Digital Millennium Copyright Act’), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.

        ‘‘(C) RULE OF CONSTRUCTION.—Nothing in this paragraph may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).

    ‘‘(5) EXEMPT FROM DISCLOSURE.—Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).

    ‘‘(6) DEFINITIONS.—In this subsection:

        ‘‘(A) CYBERSECURITY VULNERABILITY.—The term ‘cybersecurity vulnerability’ means, with respect to an election system, any security vulnerability that affects the election system.

        ‘‘(B) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means—

            ‘‘(i) storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and

            ‘‘(ii) related information and communications technology, including—

                ‘‘(I) voter registration databases;

                ‘‘(II) election management systems;

                ‘‘(III) voting machines;

                ‘‘(IV) electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and

                ‘‘(V) other systems used to manage the election process and to report and display election results on behalf of an election agency.

        ‘‘(C) ELECTION SYSTEM.—The term ‘election system’ means any information system that is part of an election infrastructure, including any related information and communications technology described in subparagraph (B)(ii).

        ‘‘(D) ELECTION SYSTEM VENDOR.—The term ‘election system vendor’ means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.

        ‘‘(E) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.

        ‘‘(F) SECRETARY.—The term ‘Secretary’ means the Secretary of Homeland Security.

        ‘‘(G) SECURITY VULNERABILITY.—The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).’’.

(b) CLERICAL AMENDMENT.—The table of contents of such Act is amended by adding at the end of the items relating to subtitle D of title II the following:

‘‘PART 7—INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS

‘‘Sec. 297. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems.’’.