[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1500 Introduced in Senate (IS)]
118th CONGRESS
1st Session
S. 1500
To amend the Help America Vote Act of 2002 to require the Election
Assistance Commission to provide for the conduct of penetration testing
as part of the testing and certification of voting systems and to
provide for the establishment of an Independent Security Testing and
Coordinated Vulnerability Disclosure Pilot Program for Election
Systems.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 9, 2023
Mr. Warner (for himself and Ms. Collins) introduced the following bill;
which was read twice and referred to the Committee on Rules and
Administration
_______________________________________________________________________
A BILL
To amend the Help America Vote Act of 2002 to require the Election
Assistance Commission to provide for the conduct of penetration testing
as part of the testing and certification of voting systems and to
provide for the establishment of an Independent Security Testing and
Coordinated Vulnerability Disclosure Pilot Program for Election
Systems.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Election Cybersecurity
to Uphold Respect for Elections through Independent Testing Act'' or
the ``SECURE IT Act''.
SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND
CERTIFICATION OF VOTING SYSTEMS.
Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971)
is amended by adding at the end the following new subsection:
``(e) Required Penetration Testing.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this subsection, the Commission shall
provide for the conduct of penetration testing as part of the
testing, certification, decertification, and recertification of
voting system hardware and software by accredited laboratories
under this section.
``(2) Accreditation.--The Director of the National
Institute of Standards and Technology shall recommend to the
Commission entities the Director proposes be accredited to
carry out penetration testing under this subsection and certify
compliance with the penetration testing-related guidelines
required by this subsection. The Commission shall vote on the
accreditation of any entity recommended. The requirements for
such accreditation shall be a subset of the requirements for
accreditation of laboratories under subsection (b) and shall
only be based on consideration of an entity's competence to
conduct penetration testing under this subsection.''.
SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.
(a) In General.--Subtitle D of title II of the Help America Vote
Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end
the following new part:
``PART 7--INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS
``SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY
VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION
SYSTEMS.
``(a) In General.--
``(1) Establishment.--The Commission, in consultation with
the Secretary, shall establish an Independent Security Testing
and Coordinated Vulnerability Disclosure Pilot Program for
Election Systems (VDP-E) (in this section referred to as the
`program') in order to test for and disclose cybersecurity
vulnerabilities in election systems.
``(2) Duration.--The program shall be conducted for a
period of 5 years.
``(3) Requirements.--In carrying out the program, the
Commission, in consultation with the Secretary, shall--
``(A) establish a mechanism by which an election
systems vendor may make their election system
(including voting machines and source code) available
to cybersecurity researchers participating in the
program;
``(B) provide for the vetting of cybersecurity
researchers prior to their participation in the
program, including the conduct of background checks;
``(C) establish terms of participation that--
``(i) describe the scope of testing
permitted under the program;
``(ii) require researchers to--
``(I) notify the vendor, the
Commission, and the Secretary of any
cybersecurity vulnerability they
identify with respect to an election
system; and
``(II) otherwise keep such
vulnerability confidential for 180 days
after such notification;
``(iii) require the good faith
participation of all participants in the
program; and
``(iv) require an election system vendor,
after receiving notification of a critical or
high vulnerability (as defined by the National
Institute of Standards and Technology) in an
election system of the vendor, to--
``(I) send a patch or propound some
other fix or mitigation for such
vulnerability to the appropriate State
and local election officials, in
consultation with the researcher who
discovered it; and
``(II) notify the Commission and
the Secretary that such patch has been
sent to such officials;
``(D) in the case where a patch or fix to address a
vulnerability disclosed under subparagraph (C)(ii)(I)
is intended to be applied to a system certified by the
Commission, provide--
``(i) for the expedited review of such
patch or fix within 90 days after receipt by
the Commission; and
``(ii) if such review is not completed by
the last day of such 90 day period, that such
patch or fix shall be deemed to be certified by
the Commission; and
``(E) 180 days after the disclosure of a
vulnerability under subparagraph (C)(ii)(I), notify the
Director of the Cybersecurity and Infrastructure
Security Agency of the vulnerability for inclusion in
the database of Common Vulnerabilities and Exposures.
``(4) Voluntary participation; safe harbor.--
``(A) Voluntary participation.--Participation in
the program shall be voluntary for election systems
vendors and researchers.
``(B) Safe harbor.--When conducting research under
this program, such research and subsequent publication
shall be considered to be:
``(i) Authorized in accordance with section
1030 of title 18, United States Code (commonly
known as the `Computer Fraud and Abuse Act'),
(and similar State laws), and the election
system vendor will not initiate or support
legal action against the researcher for
accidental, good faith violations of the
program.
``(ii) Exempt from the anti-circumvention
rule of section 1201 of title 17, United States
Code (commonly known as the `Digital Millennium
Copyright Act'), and the election system vendor
will not bring a claim against a researcher for
circumvention of technology controls.
``(C) Rule of construction.--Nothing in this
paragraph may be construed to limit or otherwise affect
any exception to the general prohibition against the
circumvention of technological measures under
subparagraph (A) of section 1201(a)(1) of title 17,
United States Code, including with respect to any use
that is excepted from that general prohibition by the
Librarian of Congress under subparagraphs (B) through
(D) of such section 1201(a)(1).
``(5) Exempt from disclosure.--Cybersecurity
vulnerabilities discovered under the program shall be exempt
from section 552 of title 5, United States Code (commonly
referred to as the Freedom of Information Act).
``(6) Definitions.--In this subsection:
``(A) Cybersecurity vulnerability.--The term
`cybersecurity vulnerability' means, with respect to an
election system, any security vulnerability that
affects the election system.
``(B) Election infrastructure.--The term `election
infrastructure' means--
``(i) storage facilities, polling places,
and centralized vote tabulation locations used
to support the administration of elections for
public office; and
``(ii) related information and
communications technology, including--
``(I) voter registration databases;
``(II) election management systems;
``(III) voting machines;
``(IV) electronic mail and other
communications systems (including
electronic mail and other systems of
vendors who have entered into contracts
with election agencies to support the
administration of elections, manage the
election process, and report and
display election results); and
``(V) other systems used to manage
the election process and to report and
display election results on behalf of
an election agency.
``(C) Election system.--The term `election system'
means any information system that is part of an
election infrastructure, including any related
information and communications technology described in
subparagraph (B)(ii).
``(D) Election system vendor.--The term `election
system vendor' means any person providing, supporting,
or maintaining an election system on behalf of a State
or local election official.
``(E) Information system.--The term `information
system' has the meaning given the term in section 3502
of title 44, United States Code.
``(F) Secretary.--The term `Secretary' means the
Secretary of Homeland Security.
``(G) Security vulnerability.--The term `security
vulnerability' has the meaning given the term in
section 102 of the Cybersecurity Information Sharing
Act of 2015 (6 U.S.C. 1501).''.
(b) Clerical Amendment.--The table of contents of such Act is
amended by adding at the end of the items relating to subtitle D of
title II the following:
``PART 7--Independent Security Testing and Coordinated Cybersecurity
Vulnerability Disclosure Program for Election Systems
``Sec. 297. Independent security testing and coordinated cybersecurity
vulnerability disclosure program for
election systems.''.