[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6106 Introduced in House (IH)]
118th CONGRESS
1st Session
H. R. 6106
To create a risk framework to evaluate foreign mobile applications of
concern, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
October 26, 2023
Ms. Sherrill (for herself, Mr. Bergman, Mr. Krishnamoorthi, Mrs.
Hinson, Mr. Newhouse, Mr. Garamendi, Mr. Crow, Mr. Finstad, Mr. Carson,
and Ms. Tokuda) introduced the following bill; which was referred to
the Committee on Armed Services
_______________________________________________________________________
A BILL
To create a risk framework to evaluate foreign mobile applications of
concern, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Bolstering America's Defenses
Against Potentially Perilous Software Act'' or the ``BAD APPS Act''.
SEC. 2. RISK FRAMEWORK FOR FOREIGN MOBILE APPLICATIONS OF CONCERN.
(a) In General.--The Secretary of Defense shall--
(1) create categorical definitions of foreign mobile
applications of concern with respect to personnel or operations
of the Department of Defense, distinguishing among categories
such as applications for shopping, social media, entertainment,
or health; and
(2) create a risk framework with respect to Department
personnel or operations that assesses each foreign mobile
application (or, if appropriate, grouping of similar such
applications) that is from a country of concern for any
potential impact on Departmental personnel and Departmental
operations, incorporating considerations of--
(A) the manner and extent of data collection by the
application;
(B) the ability of the application to influence the
user with the application's content to the detriment of
the United States;
(C) the manner and extent of foreign ownership or
control of the application or data collected by the
application;
(D) any foreign government interests associated
with the applications;
(E) a software bill of materials with a focus on
known or assessed malicious software embedded in the
application, including in prior versions of the
application or in other applications created by the
owners of such application;
(F) any known impact from prior use of the
application to Department personnel or operations; and
(G) the foreign mobile application of concern
residing on a United States Government device or a
personally owned device while in proximity to
Department operations or activities or in the personal
custody of personnel during Department sanctioned
activities.
(b) Considerations.--In developing the categorical definitions and
risk framework described in subsection (a), the Secretary of Defense--
(1) shall include in the risk framework foreign mobile
applications of concern--
(A) from countries that the Secretary determines to
be engaged in consistent, unauthorized conduct that is
detrimental to the national security or foreign policy
of the United States;
(B) that are accessible to be downloaded from major
mobile device application marketplaces by Department
personnel; and
(C) originating from, authored in, owned by, or
otherwise associated with countries or entities that
are designated on the list maintained and set forth in
Supplement No. 4 to part 744 of the Export
Administration Regulations;
(2) may include additional countries or individual foreign
mobile applications with malicious and banned capabilities from
other countries to the extent the Secretary determines
appropriate; and
(3) shall consider distinguishing within the risk framework
the particular interests of a country described in paragraph
(1) or (2) in the use of a foreign mobile application of
concern of such country (regardless of device or owner) by--
(A) users located at facilities of the Department
of Defense of varying levels of sensitivity;
(B) users conducting authorized operations or
movements of Department of Defense materiel; or
(C) specific civilian employees of the Department
or contractors whom the Secretary determines likely to
be a target of a foreign actor.
(c) Guidance and Updates.--The Secretary of Defense shall--
(1) issue guidance to all Department personnel
incorporating the categories of foreign mobile applications of
concern and advising how to mitigate the risks identified by
the risk framework with respect to such applications;
(2) routinely update the categorical definitions and risk
framework promulgated pursuant to subsection (a), at least on
an annual basis; and
(3) prescribe, if feasible, regulations that appropriately
mitigate risks from applications on devices provided by the
Department of Defense or on any device used during an activity
described in subsection (b)(3)(B) or at locations described
under (b)(3)(A).