[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7447 Introduced in House (IH)]
118th CONGRESS
2d Session
H. R. 7447
To amend the Help America Vote Act of 2002 to require the Election
Assistance Commission to provide for the conduct of penetration testing
as part of the testing and certification of voting systems and to
provide for the establishment of an Independent Security Testing and
Coordinated Vulnerability Disclosure Pilot Program for Election
Systems.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 23, 2024
Ms. Spanberger (for herself and Mr. Valadao) introduced the following
bill; which was referred to the Committee on House Administration, and
in addition to the Committee on Science, Space, and Technology, for a
period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
_______________________________________________________________________
A BILL
To amend the Help America Vote Act of 2002 to require the Election
Assistance Commission to provide for the conduct of penetration testing
as part of the testing and certification of voting systems and to
provide for the establishment of an Independent Security Testing and
Coordinated Vulnerability Disclosure Pilot Program for Election
Systems.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Election Cybersecurity
to Uphold Respect for Elections through Independent Testing Act'' or
the ``SECURE IT Act''.
SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND
CERTIFICATION OF VOTING SYSTEMS.
Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971)
is amended by adding at the end the following new subsection:
``(e) Required Penetration Testing.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this subsection, the Commission shall
provide for the conduct of penetration testing as part of the
testing, certification, decertification, and recertification of
voting system hardware and software by accredited laboratories
under this section.
``(2) Accreditation.--The Director of the National
Institute of Standards and Technology shall recommend to the
Commission entities the Director proposes be accredited to
carry out penetration testing under this subsection and certify
compliance with the penetration testing-related guidelines
required by this subsection. The Commission shall vote on the
accreditation of any entity recommended. The requirements for
such accreditation shall be a subset of the requirements for
accreditation of laboratories under subsection (b) and shall
only be based on consideration of an entity's competence to
conduct penetration testing under this subsection.''.
SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.
(a) In General.--Subtitle D of title II of the Help America Vote
Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end
the following new part:
``PART 7--INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS
``SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION
SYSTEMS.
``(a) Establishment.--The Commission, in consultation with the
Secretary, shall establish an Independent Security Testing and
Coordinated Vulnerability Disclosure Pilot Program for Election Systems
(VDP-E) (in this section referred to as the `program') in order to test
for and disclose cybersecurity vulnerabilities in election systems.
``(b) Duration.--The program shall be conducted for a period of 5
years.
``(c) Requirements.--In carrying out the program, the Commission,
in consultation with the Secretary, shall--
``(1) establish a mechanism by which an election systems
vendor may make their election system (including voting
machines and source code) available to cybersecurity
researchers participating in the program;
``(2) provide for the vetting of cybersecurity researchers
prior to their participation in the program, including the
conduct of background checks;
``(3) establish terms of participation that--
``(A) describe the scope of testing permitted under
the program;
``(B) require researchers to--
``(i) notify the vendor, the Commission,
and the Secretary of any cybersecurity
vulnerability they identify with respect to an
election system; and
``(ii) otherwise keep such vulnerability
confidential for 180 days after such
notification;
``(C) require the good faith participation of all
participants in the program; and
``(D) require an election system vendor, after
receiving notification of a critical or high
vulnerability (as defined by the National Institute of
Standards and Technology) in an election system of the
vendor, to--
``(i) send a patch or propound some other
fix or mitigation for such vulnerability to the
appropriate State and local election officials,
in consultation with the researcher who
discovered it; and
``(ii) notify the Commission and the
Secretary that such patch has been sent to such
officials;
``(4) in the case where a patch or fix to address a
vulnerability disclosed under paragraph (3)(B)(i) is intended
to be applied to a system certified by the Commission,
provide--
``(A) for the expedited review of such patch or fix
within 90 days after receipt by the Commission; and
``(B) if such review is not completed by the last
day of such 90-day period, that such patch or fix shall
be deemed to be certified by the Commission; and
``(5) 180 days after the disclosure of a vulnerability
under paragraph (3)(B)(i), notify the Director of the
Cybersecurity and Infrastructure Security Agency of the
vulnerability for inclusion in the database of Common
Vulnerabilities and Exposures.
``(d) Voluntary Participation; Safe Harbor.--
``(1) Voluntary participation.--Participation in the
program shall be voluntary for election systems vendors and
researchers.
``(2) Safe harbor.--Research conducted under the program,
and any subsequent publication of such research, shall be
treated as follows:
``(A) The research and publication shall be treated
as authorized in accordance with section 1030 of title
18, United States Code (commonly known as the `Computer
Fraud and Abuse Act'), (and similar State laws), and
the election system vendor will not initiate or support
legal action against the researcher for accidental,
good faith violations of the program.
``(B) The research and publication shall be exempt
from the anti-circumvention rule of section 1201 of
title 17, United States Code (commonly known as the
`Digital Millennium Copyright Act'), and the election
system vendor will not bring a claim against a
researcher for circumvention of technology controls.
``(3) Rule of construction.--Nothing in this subsection may
be construed to limit or otherwise affect any exception to the
general prohibition against the circumvention of technological
measures under subparagraph (A) of section 1201(a)(1) of title
17, United States Code, including with respect to any use that
is excepted from that general prohibition by the Librarian of
Congress under subparagraphs (B) through (D) of such section
1201(a)(1).
``(4) Exempt from disclosure.--Cybersecurity
vulnerabilities discovered under the program shall be exempt
from section 552 of title 5, United States Code (commonly
referred to as the Freedom of Information Act).
``(e) Definitions.--In this section:
``(1) Cybersecurity vulnerability.--The term `cybersecurity
vulnerability' means, with respect to an election system, any
security vulnerability that affects the election system.
``(2) Election infrastructure.--The term `election
infrastructure' means--
``(A) storage facilities, polling places, and
centralized vote tabulation locations used to support
the administration of elections for public office; and
``(B) related information and communications
technology, including--
``(i) voter registration databases;
``(ii) election management systems;
``(iii) voting machines;
``(iv) electronic mail and other
communications systems (including electronic
mail and other systems of vendors who have
entered into contracts with election agencies
to support the administration of elections,
manage the election process, and report and
display election results); and
``(v) other systems used to manage the
election process and to report and display
election results on behalf of an election
agency.
``(3) Election system.--The term `election system' means
any information system that is part of an election
infrastructure, including any related information and
communications technology described in paragraph (2)(B).
``(4) Election system vendor.--The term `election system
vendor' means any person providing, supporting, or maintaining
an election system on behalf of a State or local election
official.
``(5) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44,
United States Code.
``(6) Secretary.--The term `Secretary' means the Secretary
of Homeland Security.
``(7) Security vulnerability.--The term `security
vulnerability' has the meaning given the term in section 102 of
the Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501).''.
(b) Clerical Amendment.--The table of contents of such Act is
amended by adding at the end of the items relating to subtitle D of
title II the following:
``PART 7--Independent Security Testing and Coordinated Cybersecurity
Vulnerability Disclosure Program for Election Systems
``Sec. 297. Independent security testing and coordinated cybersecurity
vulnerability disclosure program for
election systems.''.