Text: S.2593 — 115th Congress (2017-2018)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in Senate (03/22/2018)


115th CONGRESS
2d Session
S. 2593


To protect the administration of Federal elections against cybersecurity threats.


IN THE SENATE OF THE UNITED STATES

March 22, 2018

Mr. Lankford (for himself, Ms. Klobuchar, Mr. Graham, Ms. Harris, Ms. Collins, Mr. Heinrich, Mr. Burr, and Mr. Warner) introduced the following bill; which was read twice and referred to the Committee on Rules and Administration


A BILL

To protect the administration of Federal elections against cybersecurity threats.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Secure Elections Act”.

SEC. 2. Sense of Congress.

It is the sense of Congress that—

(1) the States conduct elections and should maintain control of and responsibility for them;

(2) it is important to maintain State leadership in election administration;

(3) free and fair elections are central to our democracy;

(4) protecting our elections is a national security priority; and

(5) an attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions.

SEC. 3. Definitions.

In this Act:

(1) ADVISORY PANEL.—The term “Advisory Panel” means the advisory panel of independent experts on election cybersecurity established under section 5(a)(1).

(2) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Rules and Administration, the Committee on Armed Services, the Committee on Homeland Security and Governmental Affairs, the Committee on Appropriations, the Select Committee on Intelligence, the majority leader, and the minority leader of the Senate; and

(B) the Committee on House Administration, the Committee on Armed Services, the Committee on Homeland Security, the Committee on Appropriations, the Permanent Select Committee on Intelligence, the Speaker, and the minority leader of the House of Representatives.

(3) APPROPRIATE FEDERAL ENTITIES.—The term “appropriate Federal entities” means—

(A) the Department of Commerce, including the National Institute of Standards and Technology;

(B) the Department of Defense;

(C) the Department, including the component of the Department that reports to the Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department;

(D) the Department of Justice, including the Federal Bureau of Investigation;

(E) the Commission; and

(F) the Office of the Director of National Intelligence, the National Security Agency, and such other elements of the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) as the Director of National Intelligence determines are appropriate.

(4) CHAIRMAN.—The term “Chairman” means the Chairman of the Election Assistance Commission.

(5) COMMISSION.—The term “Commission” means the Election Assistance Commission.

(6) DEPARTMENT.—The term “Department” means the Department of Homeland Security.

(7) ELECTION AGENCY.—The term “election agency” means any component of a State or any component of a county, municipality, or other subdivision of a State that is responsible for administering Federal elections.

(8) ELECTION CYBERSECURITY INCIDENT.—The term “election cybersecurity incident” means any incident involving an election system.

(9) ELECTION CYBERSECURITY THREAT.—The term “election cybersecurity threat” means any cybersecurity threat (as defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) to an election system.

(10) ELECTION CYBERSECURITY VULNERABILITY.—The term “election cybersecurity vulnerability” means any security vulnerability (as defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) that affects an election system.

(11) ELECTION SERVICE PROVIDER.—The term “election service provider” means any person providing, supporting, or maintaining an election system on behalf of an election agency, such as a contractor or vendor.

(12) ELECTION SYSTEM.—The term “election system” means a voting system, an election management system, a voter registration website or database, an electronic pollbook, a system for tabulating or reporting election results, an election agency communications system, or any other information system (as defined in section 3502 of title 44, United States Code) that the Secretary identifies as central to the management, support, or administration of a Federal election.

(13) FEDERAL ELECTION.—The term “Federal election” means any election (as defined in section 301(1) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal office (as defined in section 301(3) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(3))).

(14) FEDERAL ENTITY.—The term “Federal entity” means any agency (as defined in section 551 of title 5, United States Code).

(15) INCIDENT.—The term “incident” has the meaning given the term in section 227(a) of the Homeland Security Act of 2002 (6 U.S.C. 148(a)).

(16) SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.

(17) STATE.—The term “State” means each of the several States of the United States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands.

(18) STATE ELECTION OFFICIAL.—The term “State election official” means—

(A) the chief State election official of a State designated under section 10 of the National Voter Registration Act of 1993 (52 U.S.C. 20509); or

(B) in the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands, a chief State election official designated by the State for purposes of this Act.

(19) STATE LAW ENFORCEMENT OFFICER.—The term “State law enforcement officer” means the head of a State law enforcement agency, such as an attorney general.

(20) VOTING SYSTEM.—The term “voting system” has the meaning given the term in section 301(b) of the Help America Vote Act of 2002 (52 U.S.C. 21081(b)).

SEC. 4. Information sharing.

(a) Designation of responsible Federal entity.—The Secretary shall have primary responsibility within the Federal Government for sharing information about election cybersecurity incidents, threats, and vul­ner­a­bil­i­ties with Federal entities and with election agencies.

(b) Presumption of Federal information sharing to the department.—If a Federal entity receives information about an election cybersecurity incident, threat, or vulnerability, the Federal entity shall promptly share that information with the Department, unless the head of the entity (or a Senate-confirmed official designated by the head) makes a specific determination in writing that there is good cause to withhold the particular information.

(c) Presumption of Federal and State information sharing from the department.—If the Department receives information about an election cybersecurity incident, threat, or vulnerability, the Department shall promptly share that information with—

(1) the appropriate Federal entities;

(2) all State election agencies;

(3) to the maximum extent practicable, all election agencies that have requested ongoing updates on election cybersecurity incidents, threats, or vulnerabilities; and

(4) to the maximum extent practicable, all election agencies that may be affected by the risks associated with the particular election cybersecurity incident, threat, or vulnerability.

(d) Technical resources for election agencies.—In sharing information about election cybersecurity incidents, threats, and vulnerabilities with election agencies under this section, the Department shall, to the maximum extent practicable—

(1) provide cyber threat indicators and defensive measures (as such terms are defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)), such as recommended technical instructions, that assist with preventing, mitigating, and detecting threats or vulnerabilities;

(2) identify resources available for protecting against, detecting, responding to, and recovering from associated risks, including technical capabilities of the Department; and

(3) provide guidance about further sharing of the information.

(e) Declassification review.—If the Department receives classified information about an election cybersecurity incident, threat, or vulnerability—

(1) the Secretary shall promptly submit a request for expedited declassification review to the head of a Federal entity with authority to conduct the review, consistent with Executive Order 13526 or any successor order, unless the Secretary determines that such a request would be inappropriate; and

(2) the head of the Federal entity described in paragraph (1) shall promptly conduct the review.

(f) Role of non-Federal entities.—The Department may share information about election cybersecurity incidents, threats, and vulnerabilities through a non-Federal entity.

(g) Protection of personal and confidential information.—

(1) IN GENERAL.—If a Federal entity shares information relating to an election cybersecurity incident, threat, or vulnerability, the Federal entity shall, within Federal information systems (as defined in section 3502 of title 44, United States Code) of the entity—

(A) minimize the acquisition, use, and disclosure of personal information of voters, except as necessary to identify, protect against, detect, respond to, or recover from election cybersecurity incidents, threats, and vulnerabilities;

(B) notwithstanding any other provision of law, prohibit the retention of personal information of voters, such as—

(i) voter registration information, including physical address, email address, and telephone number;

(ii) political party affiliation or registration information; and

(iii) voter history, including registration status or election participation; and

(C) protect confidential Federal and State information from unauthorized disclosure.

(2) EXEMPTION FROM DISCLOSURE.—Information relating to an election cybersecurity incident, threat, or vulnerability, such as personally identifiable information of reporting persons or individuals affected by such incident, threat, or vulnerability, shared by or with the Federal Government shall be—

(A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records; and

(B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.

(h) Duty To assess possible cybersecurity incidents.—

(1) ELECTION AGENCIES.—If an election agency becomes aware of the possibility of an election cybersecurity incident, the election agency shall promptly assess whether an election cybersecurity incident occurred and notify the State election official.

(2) ELECTION SERVICE PROVIDERS.—If an election service provider becomes aware of the possibility of an election cybersecurity incident, the election service provider shall promptly assess whether an election cybersecurity incident occurred and notify the relevant election agencies consistent with subsection (j).

(i) Information sharing about cybersecurity incidents by election agencies.—If an election agency has reason to believe that an election cybersecurity incident has occurred with respect to an election system owned, operated, or maintained by or on behalf of the election agency, the election agency shall, in the most expedient time possible and without unreasonable delay, provide notification of the election cybersecurity incident to the Department.

(j) Information sharing about cybersecurity incidents by election service providers.—If an election service provider has reason to believe that an election cybersecurity incident may have occurred, or that an incident related to the role of the provider as an election service provider may have occurred, the election service provider shall—

(1) notify the relevant election agencies in the most expedient time possible and without unreasonable delay; and

(2) cooperate with the election agencies in providing the notifications required under subsections (h)(1) and (i).

(k) Content of notification by election agencies.—The notifications required under subsections (h)(1) and (i)—

(1) shall include an initial assessment of—

(A) the date, time, and duration of the election cybersecurity incident;

(B) the circumstances of the election cybersecurity incident, including the specific election systems believed to have been accessed and information acquired; and

(C) planned and implemented technical measures to respond to and recover from the incident; and

(2) shall be updated with additional material information, including technical data, as it becomes available.

(l) Security clearance.—Not later than 30 days after the date of enactment of this Act, the Secretary—

(1) shall establish an expedited process for providing appropriate security clearance to State election officials and designated technical personnel employed by State election agencies;

(2) shall establish an expedited process for providing appropriate security clearance to members of the Commission and designated technical personnel employed by the Commission; and

(3) shall establish a process for providing appropriate security clearance to personnel at other election agencies.

(m) Protection from liability.—Nothing in this Act may be construed to provide a cause of action against a State, unit of local government, or an election service provider.

(n) Assessment of inter-State information sharing about election cybersecurity.—

(1) IN GENERAL.—The Secretary and the Chairman, in coordination with the heads of the appropriate Federal entities and appropriate officials of State and local governments, shall conduct an assessment of—

(A) the structure and functioning of the Multi-State Information Sharing and Analysis Center for purposes of election cybersecurity; and

(B) other mechanisms for inter-state information sharing about election cybersecurity.

(2) COMMENT FROM ELECTION AGENCIES.—In carrying out the assessment required under paragraph (1), the Secretary and the Chairman shall solicit and consider comments from all State election agencies.

(3) DISTRIBUTION.—The Secretary and the Chairman shall jointly issue the assessment required under paragraph (1) to—

(A) all election agencies known to the Department and the Commission; and

(B) the appropriate congressional committees.

(o) Congressional notification.—

(1) IN GENERAL.—If an appropriate Federal entity has reason to believe that a significant election cybersecurity incident has occurred, the entity shall—

(A) not later than 7 calendar days after the date on which there is a reasonable basis to conclude that the significant incident has occurred, provide notification of the incident to the appropriate congressional committees; and

(B) update the initial notification under paragraph (1) within a reasonable period of time after additional information relating to the incident is discovered.

(2) REPORTING THRESHOLD.—The Secretary shall—

(A) promulgate a uniform definition of a “significant election cybersecurity incident”; and

(B) shall submit the definition promulgated under subparagraph (A) to the appropriate congressional committees.

SEC. 5. Advisory panel and guidelines.

(a) Advisory Panel.—

(1) IN GENERAL.—The Commission shall establish an advisory panel of independent experts on election cybersecurity.

(2) MEMBERSHIP.—The Advisory Panel shall consist of not less than 9 members, of whom—

(A) one shall be appointed by the Chairman, in consultation with the Secretary and the Director of the National Institute of Standards and Technology, and shall be designated as the Chairman of the advisory panel;

(B) four shall be appointed by the Chairman, in consultation with the Secretary; and

(C) four shall be appointed by the Secretary, in consultation with the Chairman and the Director of the National Institute of Standards and Technology.

(3) ELIGIBILITY.—Individuals appointed to the Advisory Panel established under paragraph (1)—

(A) may not be officers or employees of the United States;

(B) if appointed under paragraph (2)(A), shall possess expertise in election law, election administration, or cybersecurity; and

(C) if appointed under subparagraph (B) or (C) of paragraph (2), shall possess expertise in cybersecurity.

(4) TERMS; VACANCIES.—Members of the Advisory Panel shall serve for a term set by the Commission. Any vacancy in the Advisory Panel shall be filled in the same manner as the original appointment.

(5) COMPENSATION.—Members of the Advisory Panel shall serve on the Advisory Panel without compensation, except that members of the Advisory Panel may be allowed travel expenses, including per diem in lieu of subsistence, at rates authorized for employees of agencies under subchapter I of chapter 57 of title 5, United States Code, while away from their homes or regular places of business in the performance of services for the Advisory Panel.

(6) ADMINISTRATIVE STAFF.—Upon request of the Advisory Panel, the Commission shall provide to the Advisory Panel, on a reimbursable basis, the administrative support services necessary for the Advisory Panel to carry out its responsibilities under this Act.

(b) Guidelines.—

(1) IN GENERAL.—The Advisory Panel shall develop a set of guidelines for election cybersecurity, including standards for procuring, maintaining, testing, auditing, operating, and updating election systems.

(2) REQUIREMENTS.—In developing the guidelines, the Advisory Panel shall—

(A) identify the top risks to election systems;

(B) describe how specific technology choices can increase or decrease those risks; and

(C) provide recommended policies, best practices, and overall security strategies for identifying, protecting against, detecting, responding to, and recovering from the risks identified under subparagraph (A).

(c) Grant program.—The Advisory Panel shall assist the Commission and the Department in carrying out the grant program required under section 7 by—

(1) submitting recommendations to the Commission about the grant program application process;

(2) submitting recommendations, including recommended criteria, to the Commission for the grant program review process;

(3) submitting recommendations, including recommended criteria, to the Commission for use of remaining grant funds;

(4) submitting recommendations, including recommended criteria, to the Commission for the interim grant program for non-paper equipment replacement; and

(5) providing any other assistance that the Commission or the Department requests.

(d) Voting systems and statistical audits.—The guidelines developed under subsection (b) shall include provisions regarding voting systems and statistical audits for Federal elections, including that—

(1) each vote is cast using a voting system that—

(A) would be eligible to be purchased under section 7(f); and

(B) allows the voter an opportunity to inspect and confirm the marked ballot before casting it (consistent with accessibility requirements); and

(2) each election result is determined by tabulating marked ballots (by hand or device), and prior to certification by a State of the election result, election agencies within the State inspect (by hand and not by device) a random sample of the marked ballots and thereby establish high statistical confidence in the election result.

(e) Issues considered.—

(1) IN GENERAL.—In developing the guidelines required under subsection (b), the Advisory Panel shall consider—

(A) applying established cybersecurity best practices to Federal election administration by States and local governments, including appropriate technologies, procedures, and personnel for identifying, protecting against, detecting, responding to, and recovering from cybersecurity events;

(B) mechanisms to verify that election systems accurately tabulate ballots, report results, and identify a winner for each election for Federal office, even if there is an error or fault in the voting system;

(C) specific types of election audits, including procedures and shortcomings for such audits;

(D) durational requirements needed to facilitate election audits prior to election certification, including variations in the acceptance of postal ballots, time allowed to cure provisional ballots, and election certification deadlines;

(E) providing actionable guidance to election agencies that have not applied for or received grant funds under section 7, and to agencies that seek to implement additional cybersecurity protections;

(F) how the guidelines could assist other components of State and local governments; and

(G) any other factors that the Advisory Panel determines to be relevant.

(2) RELATIONSHIP TO VOLUNTARY VOTING SYSTEM GUIDELINES AND NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY GUIDANCE.—In developing the guidelines required under subsection (b), the Advisory Panel shall consider—

(A) the voluntary voting system guidelines developed by the Commission; and

(B) cybersecurity standards and best practices developed by the National Institute of Standards and Technology, including frameworks, consistent with section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)).

(f) Public comment.—The Advisory Panel shall—

(1) provide a reasonable opportunity for public comment, including through Commission publication in the Federal Register, on the guidelines required under subsection (b), including a 45-day opportunity for public comment on a draft of the guidelines before they are submitted under subsection (i), which shall, to the extent practicable, occur concurrently with the other activities of the Advisory Panel under this section; and

(2) consider the public comments in developing the guidelines.

(g) Consultation.—In developing the guidelines required under subsection (b), the Advisory Panel shall consult with—

(1) the appropriate Federal entities;

(2) the Standards Board, Board of Advisors, and Technical Guidelines Development Committee of the Commission;

(3) the Federal Communications Commission;

(4) the Federal Trade Commission;

(5) the National Governors Association;

(6) the National Association of Secretaries of State;

(7) the National Association of State Election Directors;

(8) the National Association of Election Officials;

(9) the National Association of Counties;

(10) the National League of Cities;

(11) the International Association of Government Officials;

(12) the Multi-State Information Sharing and Analysis Center;

(13) the National Science Foundation; and

(14) any other interested entities that the Advisory Panel determines are necessary to the development of the guidelines.

(h) Submission to Commission.—Not later than 180 days after the date of enactment of this Act, the Advisory Panel shall submit the guidelines required under subsection (b) to the Commission.

(i) Submission to Congress; modification.—Not later than 14 calendar days after the date on which the Commission receives guidelines under subsection (h) or (l), the Commission shall submit the guidelines to the appropriate congressional committees. The Commission may modify the guidelines in advance of submission to Congress if—

(1) the Commission determines that there is good cause to modify the guidelines, consistent with the considerations established in subsection (e) and notwithstanding the recommendation of the Advisory Panel; and

(2) the Commission submits a written justification of the modification to the Advisory Panel and the appropriate congressional committees.

(j) Distribution to election agencies.—The Commission shall distribute the guidelines required under subsection (b) to all election agencies known to the Commission and the Department.

(k) Publication.—The Commission shall make the guidelines required under subsection (b) available on the public website of the Department.

(l) Periodic review.—Not later than January 31, 2019, and once every 2 years thereafter, the Advisory Panel shall review and update the guidelines required under subsection (b).

(m) Rule of construction.—Nothing in this section shall be construed to subject the process for developing the guidelines required under subsection (b) to subchapter II of chapter 5, and chapter 7, of title 5, United States Code (commonly known as the “Administrative Procedure Act”).

(n) Conforming amendment.—Section 202 of the Help America Vote Act of 2002 (52 U.S.C. 20921) is amended by striking “and” at the end of paragraph (5), by striking the period at the end of paragraph (6) and inserting “; and”, and by adding at the end the following new paragraph:

“(7) establishing the advisory panel of independent experts on election cybersecurity under section 5(a)(1) of the Secure Elections Act”..”.

SEC. 6. Reports to Congress.

(a) Reports on foreign threats to elections.—

(1) IN GENERAL.—Not later than 30 days after the date of enactment of this Act, and 30 days after the end of each fiscal year thereafter, the Secretary and the Director of National Intelligence, in coordination with the heads of the appropriate Federal entities, shall submit a joint report to the appropriate congressional committees on foreign threats to elections in the United States, including physical and cybersecurity threats.

(2) VOLUNTARY PARTICIPATION BY STATES.—The Secretary shall solicit and consider comments from all State election agencies. Participation by an election agency in the report under this subsection shall be voluntary and at the discretion of the State.

(b) Reports on grant program.—

(1) IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and, subject to paragraph (2), every 4 years thereafter, the Comptroller General of the United States shall submit a report to the appropriate congressional committees on the grant program established under section 7, including how grant funds have been distributed and used to implement the guidelines required under section 5(b).

(2) SUNSET.—If the Comptroller General determines that over 90 percent of the funds appropriated under section 7(h)(1) have been expended by the States, the reporting requirement in paragraph (1) shall cease to be effective after the Comptroller General submits a final report.

SEC. 7. State election system cybersecurity and modernization grants.

(a) Authority.—

(1) IN GENERAL.—The Commission shall award grants in accordance with this section.

(2) COORDINATION.—

(A) IN GENERAL.—The Commission shall coordinate with the Secretary in carrying out this section.

(B) JOINT PROGRAM.—If the Chairman determines that jointly carrying out this section with the Secretary would increase State participation and cybersecurity preparedness, the Chairman shall—

(i) submit notice of the determination to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives; and

(ii) enter into a Memorandum of Understanding with the Secretary to carry out the grant program.

(b) Cybersecurity and modernization grants.—

(1) APPLICATION PROCESS.—

(A) IN GENERAL.—The Commission shall—

(i) establish a process for States to apply for election system cybersecurity and modernization grants;

(ii) in establishing the application process, consider the recommendations of the Advisory Panel under section 5(c); and

(iii) ensure that the application process requires that a State seeking a grant provide a detailed explanation of how election agencies within the State will implement the guidelines established under section 5(b).

(B) REVIEW.—The Commission—

(i) shall fund a State application submitted under subparagraph (A) if the Commission determines that—

(I) the election agencies within the State will likely implement the guidelines established under section 5(b);

(II) with respect to the guidelines related to statistical audits, consistent with section 5(d), the State will complete a statewide pilot program during a biennial Federal general election not later than 2022; and

(III) the State will match at least ten percent of the total grant allocation for election cybersecurity improvements; and

(ii) in reviewing a State application, shall consider the recommendations and criteria of the Advisory Panel under section 5(c).

(C) STATE IMPLEMENTATION.—

(i) IN GENERAL.—A State receiving a grant under this subsection may adopt any reasonable implementation of the guidelines established under section 5(b).

(ii) INCONSISTENCY WITH STATE LAW.—If implementation of the guidelines would be inconsistent with State law, the State shall—

(I) identify in the application of the State the legal issue and the guidelines that the State cannot implement;

(II) specify in the application of the State the amount of grant funds that the State would spend implementing those guidelines if the law were not inconsistent; and

(III) not spend the amount of grant funds specified under subclause (II) until the legal issue is resolved.

(D) PROTECTION OF PERSONAL INFORMATION.—The application process established under this paragraph shall not require a State to disclose the personal information of any voter.

(2) USE OF FUNDS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), a State receiving a grant under this subsection shall use the funds received under the grant to implement the guidelines established under section 5(b).

(B) REMAINING FUNDS.—A State may use funds from a grant under this subsection to improve, upgrade, or acquire hardware, software, or services for the purposes of improving administration of Federal elections, consistent with the guidelines established under section 5(b), if—

(i) the State election official submits a written certification to the Commission that the election agencies within the State have implemented the guidelines established under section 5(b); and

(ii) the Commission, after consideration of the recommendations and criteria of the Advisory Panel under section 5(c), approves the use of funds.

(3) LIMITATION ON AMOUNT OF GRANTS.—

(A) IN GENERAL.—Subject to subparagraph (C), the amount of funds provided to a State under a grant under this subsection shall be equal to the product obtained by multiplying—

(i) the total amount appropriated for grants pursuant to the authorization under subsection (h) reduced by the amounts described in subsections (d)(6) and (e)(5); by

(ii) the State allocation percentage for the State (as determined under paragraph (2)).

(B) STATE ALLOCATION PERCENTAGE.—The State allocation percentage for a State is the amount (expressed as a percentage) equal to the quotient obtained by dividing—

(i) the total voting age population of all States (as reported in the most recent decennial census); by

(ii) the voting age population of the State (as reported in the most recent decennial census).

(C) MINIMUM AMOUNT OF PAYMENT.—The amount determined under this subsection may not be less than—

(i) in the case of any of the several States or the District of Columbia, 0.5 percent of the total amount appropriated for grants under this section; or

(ii) in the case of the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, or the United States Virgin Islands, 0.1 percent of such total amount.

(D) PRO RATA REDUCTIONS.—The Commission shall make such pro rata reductions to the allocations determined under subparagraph (A) as are necessary to comply with the requirements of subparagraph (C).

(4) GRANTS FOR LOCAL JURISDICTIONS.—

(A) ELIGIBILITY.—If a State notifies the Commission that it will not apply for election system cybersecurity and modernization grants under this subsection, the Commission shall award grants to election agencies within the State.

(B) APPLICATION PROCESS.—The Commission shall establish a process for election agencies that are eligible under subparagraph (A) to apply for election system cybersecurity and modernization grants, consistent with the application process for States established under paragraph (1).

(C) USE OF FUNDS.—An election agency that receives a grant under this subsection is subject to the use of funds restrictions in paragraph (2).

(D) LIMITATION ON AMOUNT OF GRANT.—The amount of funds provided to an election agency under a grant under this subsection shall be equal to the amount obtained by multiplying the amount available to the State under paragraph (3) by the quotient obtained by dividing—

(i) the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems operated by the election agency (under current State law); by

(ii) the voting age population of the State (as reported in the most recent decennial census).

(c) Interim grant program for election preparedness.—

(1) IN GENERAL.—The Commission, in consultation with the Secretary, shall award a grant to an election agency, regardless of State submission of an application under subsection (b)(1)(A), that—

(A) receives a “cyber hygiene” scan, a risk and vulnerability assessment, or a similar cybersecurity evaluation by the Department or a contractor approved by the Department; and

(B) not later than November 6, 2018, submits to the Commission and the Department—

(i) the results of the evaluation described in subparagraph (A);

(ii) a plan for rapidly remediating the vulnerabilities identified by the evaluation, including specific expenditures; and

(iii) in the case of an application by any election agency of a political subdivision of a State, a certification of approval from the State election agency.

(2) PRIORITIZATION FOR LOCAL GOVERNMENTS.—A State election agency may authorize some or all other election agencies within the State to apply for interim grants under paragraph (1). If the amount available under paragraph (5) is not sufficient to fund the applications received from election agencies within the State, the State election agency may establish a priority order for funding applications.

(3) USE OF FUNDS.—An election agency that receives a grant under paragraph (1) shall only use the funds received under the grant to implement the remediation plan submitted under paragraph (1)(B)(ii).

(4) UNAVAILABILITY OF DEPARTMENT SERVICES.—If an election agency requests an evaluation by the Department consistent with paragraph (1)(A), and the Department is not able to provide the evaluation during the 30-calendar-day period following the request, the agency may—

(A) procure a reasonably equivalent evaluation from a private-sector entity; and

(B) use funds received from a grant under paragraph (1) as reimbursement for the cost of the evaluation.

(5) LIMITATION ON AMOUNT OF GRANT; COORDINATION WITH CYBERSECURITY AND MODERNIZATION GRANTS.—

(A) LIMITATION.—The aggregate amount of grants under this subsection to all election agencies in a State shall not exceed 10 percent of the limitation with respect to such State under subsection (b)(3).

(B) COORDINATION WITH CYBERSECURITY AND MODERNIZATION GRANTS.—The amount under subsection (b)(3) for purposes of grants under subsection (b) to a State shall be reduced by the amount of grants provided under this subsection to election agencies within the State, less any unused amount returned to the Department.

(d) Interim grant program for non-Paper equipment replacement.—

(1) IN GENERAL.—The Commission shall award grants to States designated under paragraph (2) for the purpose of replacing voting systems that would not be eligible for purchase under subsection (f).

(2) ELIGIBILITY.—Not later than 60 days after the date of enactment of this Act, the Commission shall develop a list of States in which 10 percent or more of votes in the first Federal election occurring after the date of enactment of this Act are expected to be cast using voting systems that would not be eligible for purchase under subsection (f), and shall submit the list to the appropriate congressional committees.

(3) APPLICATION PROCESS.—The Commission shall—

(A) establish an application process for States designated under paragraph (2) to apply for grants under this subsection; and

(B) consider the recommendations of the Advisory Panel under section 5(c) in establishing the application process; and ensure that a State applying for a grant submits—

(i) an inventory of voting systems in the State that would not be eligible for purchase under subsection (f);

(ii) a plan to expeditiously replace those voting systems; and

(iii) a commitment to State funding for replacements that is at least equivalent to the grant amount.

(4) REVIEW.—The Commission—

(A) shall fund a State application if the Commission determines that the State will likely replace the voting systems that would not be eligible for purchase under subsection (f); and

(B) in reviewing a State application, shall consider the recommendations and criteria of the Advisory Panel under section 5(c).

(5) USE OF FUNDS.—A State election agency that receives funds under paragraph (1) shall only use the funds to replace voting systems that would not be eligible for purchase under subsection (f).

(6) LIMITATIONS; COORDINATION WITH CYBERSECURITY AND MODERNIZATION GRANTS.—

(A) LIMITATIONS.—Of the total amount authorized to be appropriated under subsection (h), $186,000,000 shall be used for grants awarded under this subsection.

(B) FORMULA FOR GRANT AMOUNTS.—The grant amount made available to each State shall be set according to the proportional formula described in subsection (b)(3), as applied to the list of States designated under paragraph (2) and the number of votes cast in those States using voting systems that would not be eligible for purchase under subsection (f).

(C) COORDINATION WITH CYBERSECURITY AND MODERNIZATION GRANTS.—If the Secretary determines that no additional State will receive a grant under this paragraph, the Secretary shall reallocate any amounts remaining under subparagraph (A) to the cybersecurity and modernization grant program under subsection (b).

(7) GRANTS FOR LOCAL JURISDICTIONS.—

(A) ELIGIBILITY.—If a State designated under paragraph (2) notifies the Commission that it will not apply for grants under this subsection, the Commission shall award grants to election agencies within such State.

(B) APPLICATION PROCESS.—The Commission shall establish a process for election agencies that are eligible under subparagraph (A) to apply for grants under this subsection, consistent with the application process for States established under paragraph (3).

(C) REVIEW.—The Commission shall review applications of election agencies under this paragraph in a similar manner to the manner required for applications by States under paragraph (4).

(D) USE OF FUNDS.—An election agency that receives a grant under this subsection is subject to the use of funds restrictions in paragraph (5).

(E) LIMITATION ON AMOUNT OF GRANT.—The amount of funds provided to an election agency under a grant under this subsection shall be equal to the amount obtained by multiplying the amount available to the State under paragraph (6)(B) by the quotient obtained by dividing—

(i) the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems that are operated by the election agency (under current State law) and that would not be eligible for purchase under subsection (f); by

(ii) the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems that would not be eligible for purchase under subsection (f).

(e) Financial assistance for auditing expenses.—

(1) IN GENERAL.—The Commission shall award grants to reimburse States that conduct statistical audits of a proportionally large number of ballots in close Federal elections if the statistical audit—

(A) is consistent with the guidelines established under section 5(b); and

(B) includes the inspection (by hand and not by device) of an amount of paper ballots in excess of 5 percent of the voting age population within the State (in the case of national or statewide office) or district covered by the election.

(2) APPLICATIONS PROCESS.—

(A) IN GENERAL.—A State seeking a grant under this subsection shall submit an application in such form and manner and at such time as the Commission may require.

(B) LOCAL GOVERNMENTS.—A State election agency may authorize some or all other election agencies within the State to apply for grants under paragraph (1). The Commission shall establish rules for the application of paragraphs (3) and (4)(B) to agencies requesting grants under this subparagraph.

(3) LIMITATION ON AMOUNT OF GRANTS.—The amount of funds provided under a grant under this subsection shall be equal to the cost of the statistical audit, less the cost of inspecting (by hand and not by device) a number of ballots equal to 5 percent of—

(A) in the case of an election for a national or statewide office, the voting age population within the State; or

(B) in the case of an election for any other office, the voting age population within the district covered by the election.

(4) TIMING; DISTRIBUTION.—

(A) IN GENERAL.—The Commission shall award grants under this subsection on January 31, 2019, and every 2 years thereafter.

(B) INSUFFICIENT FUNDS.—If the amount appropriated for carrying out this subsection is insufficient to fund the grants, the Commission shall fund such grants according to the proportional formula described in subsection (b)(3), as applied to the States seeking grants under this subsection and the number of marked paper ballots that were inspected by hand in excess of 5 percent of the voting age population within the State (in the case of national or statewide office) or district covered by the election.

(5) LIMITATION.—Of the total amount authorized to be appropriated under subsection (h), $5,000,000 shall be used for grants under this subsection.

(f) Prohibition on use for certain voting systems.—

(1) IN GENERAL.—Funds received under a grant under this section may not be used for any voting system that records each vote in electronic storage, unless the system is an optical scanner that reads paper ballots.

(2) ELECTRONIC USER INTERFACES.—Funds received under a grant under this section may be used for a voting system with an electronic user interface provided that the voting system is consistent with clause (i).

(g) Contracting assistance.—Not later than 90 days after the date of enactment of this Act, the Administrator of General Services, in consultation with the Director of the National Institute of Standards and Technology, shall take such actions as may be necessary through competitive processes—

(1) to qualify a set of private sector entities that are capable of assisting States with identifying, protecting against, detecting, responding to, and recovering from election cybersecurity incidents, threats, and vulnerabilities;

(2) to establish contract vehicles to enable States to access the services of 1 or more of the private sector organizations after receiving amounts under a grant under this section;

(3) to ensure that the contract vehicles permit individual States to augment Federal funds with funding otherwise available to the States; and

(4) to provide a list of qualified entities to the Chairman and Secretary in order to ensure it is readily available to State election officials.

(h) Authorization of appropriations.—

(1) IN GENERAL.—There is authorized to be appropriated to the Commission $386,000,000 to carry out this section for fiscal year 2018.

(2) AVAILABILITY.—Any amounts appropriated pursuant to paragraph (1) shall remain available without fiscal year limitation until expended.

(3) FUNDING SOURCE.—

(A) DEFINITIONS.—In this paragraph—

(i) the terms “agency”, “closeout”, and “Federal grant award” have the meanings given those terms in section 2 of the Grants Oversight and New Efficiency Act (Public Law 114–117; 130 Stat. 6); and

(ii) the term “Director” means the Director of the Office of Management and Budget.

(B) CLOSEOUT OF EXPIRED AND UNDISBURSED FEDERAL GRANTS.—Not later than 1 year after the date of enactment of this Act, the Director shall promulgate procedures requiring the head of each agency to promptly conduct a closeout of each Federal grant award.

(C) RELATED REPORTS.—In promulgating the procedures required under subparagraph (B), the Director shall consider the recommendations and data in the reports required to be submitted under section 2 of the Grants Oversight and New Efficiency Act (Public Law 114–117; 130 Stat. 6) and section 530 of the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2016 (Public Law 114–113; 129 Stat. 2329), and similar reports.

(D) EXPIRATION.—The procedures required under subparagraph (B) shall expire 4 years after the date on which the procedures are promulgated.

(i) Conforming amendment.—Section 202(7) of the Help America Vote Act of 2002 (52 U.S.C. 20921), as amended by section 5, is amended by inserting “and carrying out the grant programs under section 7 of such Act” after “Secure Elections Act”.