[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5358 Introduced in House (IH)]
117th CONGRESS
1st Session
H. R. 5358
To direct the Secretary of Homeland Security to establish an election
research program to test the security of election systems, and for
other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 24, 2021
Mr. Bacon introduced the following bill; which was referred to the
Committee on House Administration, and in addition to the Committee on
Homeland Security, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned.
_______________________________________________________________________
A BILL
To direct the Secretary of Homeland Security to establish an election
research program to test the security of election systems, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. ELECTION RESEARCH PROGRAM.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new section:
``SEC. 2218. ELECTION RESEARCH PROGRAM.
``(a) Establishment of Election Research Program.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this section, the Secretary, in
coordination with the heads of election service providers,
shall establish and administer an election research program to
test each election system provided by each election service
provider (under fair, reasonable, and nondiscriminatory terms)
on behalf of an election agency to identify potentially
vulnerable information.
``(2) Testing.--In carrying out the program required under
paragraph (1), qualified independent security researchers shall
apply the methodology developed pursuant to paragraph (3) to
each election system provided pursuant to paragraph (1) to
identify potentially vulnerable information.
``(3) Methodology.--The Secretary, in consultation with the
Director, shall develop a methodology to be used by independent
security researchers to test each election system provided by
each election solution provider to identify potentially
vulnerable information.
``(4) Qualifications for qualified independent
researcher.--The Secretary, in consultation with the Director
of the Cybersecurity and Infrastructure Security Agency, shall
establish the qualifications for the independent security
researchers referred to in subsection paragraph (3).
``(b) Coordinated Vulnerability Disclosure Guidelines.--Not later
than 180 days after the date of the enactment of this section, the
Secretary, in consultation with the Commissioners of the Election
Assistance Commission, cybersecurity researchers, and covered industry
experts, shall establish policies and procedures for the processing and
resolution of potentially vulnerable information relating to an
election system, to the extent practicable, aligned with Standards
29147 and 30111 of the International Standards Organization,
including--
``(1) processes for an election service provider to--
``(A) receive information relating to potentially
vulnerable information relating to an election system;
and
``(B) disseminate resolution information relating
to potentially vulnerable information relating to an
election system; and
``(2) guidance, such as the Guide to Vulnerability
Reporting for America's Election Administrators, with respect
to the information items to be produced through the
implementation of the vulnerability disclosure process of the
election service provider.
``(c) Definitions.--In this section:
``(1) Covered field.--The term `covered field' means
computer science, engineering, information science, information
systems management, mathematics, operations research,
statistics, or technology management.
``(2) Covered industry expert.--The term `covered industry
expert' means an individual who has--
``(A) successfully completed 2 full years of
progressively higher level graduate education leading
to a Master's or equivalent graduate degree from an
accredited institution of higher education (given the
meaning of such term in section 101 of the Higher
Education Act of 1965 (20 U.S.C. 1001)) in a covered
field; or
``(B) a degree that requires at least 24 semester
hours in a covered field required the development or
adaptation of applications, systems or networks.
``(3) Director.--The term `Director' means the Director of
the National Institute of Standards and Technology.
``(4) Election agency.--The term `election agency' means
the Federal Election Commission.
``(5) Election service provider.--The term `covered
election service provider' means a private sector entity which
develops, manufactures, sells, and/or implements and maintains
technology that enables the administration of elections.
Including but not limited to, voting systems, electronic
pollbooks, election management systems, and voter registration
systems.
``(6) Election system.--The term `election system' means--
``(A) the total combination of mechanical,
electromechanical, or electronic equipment (including
the software, firmware, and documentation required to
program, control, and support the equipment) that is
used to--
``(i) define ballots;
``(ii) cast and count votes;
``(iii) report or display election results;
and
``(iv) maintain and produce any audit trail
information; and
``(B) the practices and associated documentation
used to--
``(i) identify system components and
versions of such components;
``(ii) test the system during its
development and maintenance;
``(iii) maintain records of system errors
and defects;
``(iv) determine specific system changes to
be made to a system after the initial
qualification of the system; and
``(v) make available any materials to the
voter (such as notices, instructions, forms, or
paper ballots).
``(7) Potentially vulnerable information.--The term
`potential vulnerability information' means a flaw in code or
design that creates a potential point of security compromise
for an endpoint or network.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 2217 the following new item:
``2218. Election research program.''.