[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2261 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                S. 2261

      To protect the administration of Federal elections against 
                         cybersecurity threats.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           December 21, 2017

 Mr. Lankford (for himself, Ms. Klobuchar, Mr. Graham, Ms. Harris, Ms. 
  Collins, and Mr. Heinrich) introduced the following bill; which was 
  read twice and referred to the Committee on Rules and Administration

_______________________________________________________________________

                                 A BILL


 
      To protect the administration of Federal elections against 
                         cybersecurity threats.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Secure Elections Act''.

SEC. 2. SENSE OF CONGRESS.

    It is the sense of Congress that--
            (1) under the Constitution of the United States, the States 
        conduct elections, and Congress recognizes the importance of 
        maintaining State leadership in election administration;
            (2) free and fair elections are central to our democracy;
            (3) protecting our elections is a national security 
        priority; and
            (4) an attack on our election systems by a foreign power is 
        a hostile act and should be met with appropriate retaliatory 
        actions, including immediate and severe sanctions.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Advisory panel.--The term ``Advisory Panel'' means the 
        advisory panel of independent experts on election cybersecurity 
        established under section 5(a)(1).
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Rules and Administration, the 
                Committee on Armed Services, the Committee on Homeland 
                Security and Governmental Affairs, the Committee on 
                Appropriations, the Select Committee on Intelligence, 
                the majority leader, and the minority leader of the 
                Senate; and
                    (B) the Committee on House Administration, the 
                Committee on Armed Services, the Committee on Homeland 
                Security, the Committee on Appropriations, the 
                Permanent Select Committee on Intelligence, the 
                Speaker, and the minority leader of the House of 
                Representatives.
            (3) Appropriate federal entities.--The term ``appropriate 
        Federal entities'' means--
                    (A) the Department of Commerce, including the 
                National Institute of Standards and Technology;
                    (B) the Department of Defense;
                    (C) the Department, including the component of the 
                Department that reports to the Under Secretary 
                responsible for overseeing critical infrastructure 
                protection, cybersecurity, and other related programs 
                of the Department;
                    (D) the Department of Justice, including the 
                Federal Bureau of Investigation;
                    (E) the Commission; and
                    (F) the Office of the Director of National 
                Intelligence, the National Security Agency, and such 
                other elements of the intelligence community (as 
                defined in section 3 of the National Security Act of 
                1947 (50 U.S.C. 3003)) as the Director of National 
                Intelligence determines are appropriate.
            (4) Chairman.--The term ``Chairman'' means the Chairman of 
        the Election Assistance Commission.
            (5) Commission.--The term ``Commission'' means the Election 
        Assistance Commission.
            (6) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (7) Election agency.--The term ``election agency'' means 
        any component of a State or any component of a county, 
        municipality, or other subdivision of a State that is 
        responsible for administering Federal elections.
            (8) Election cybersecurity incident.--The term ``election 
        cybersecurity incident'' means any information security 
        incident involving an election system.
            (9) Election cybersecurity threat.--The term ``election 
        cybersecurity threat'' means any cybersecurity threat (as 
        defined in section 102 of the Cybersecurity Information Sharing 
        Act of 2015 (6 U.S.C. 1501)) to an election system.
            (10) Election cybersecurity vulnerability.--The term 
        ``election cybersecurity vulnerability'' means any security 
        vulnerability (as defined in section 102 of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501)) that affects 
        an election system.
            (11) Election service provider.--The term ``election 
        service provider'' means any person providing, supporting, or 
        maintaining an election system on behalf of an election agency, 
        such as a contractor or vendor.
            (12) Election system.--The term ``election system'' means 
        any information system (as defined in section 3502 of title 44, 
        United States Code) used for the management, support, or 
        administration of a Federal election, such as a voting system, 
        a voter registration website or database, an electronic 
        pollbook, a system for tabulating or reporting election 
        results, or an election agency email system.
            (13) Federal election.--The term ``Federal election'' means 
        any election (as defined in section 301(1) of the Federal 
        Election Campaign Act of 1971 (52 U.S.C. 30101(1)) for Federal 
        office (as defined in section 301(3) of the Federal Election 
        Campaign Act of 1971 (52 U.S.C. 30101(3)).
            (14) Federal entity.--The term ``Federal entity'' means any 
        agency (as defined in section 551 of title 5, United States 
        Code).
            (15) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552 of title 44, United States Code.
            (16) Information security.--The term ``information 
        security'' has the meaning given the term in section 3552 of 
        title 44, United States Code.
            (17) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security, or, upon designation by the Secretary of 
        Homeland Security, the Deputy Secretary of Homeland Security, 
        the Under Secretary responsible for overseeing critical 
        infrastructure protection, cybersecurity, and other related 
        programs of the Department, or a Senate-confirmed official that 
        reports to that Under Secretary.
            (18) State.--The term ``State'' means each of the several 
        States of the United States, the District of Columbia, the 
        Commonwealth of Puerto Rico, Guam, American Samoa, the 
        Commonwealth of Northern Mariana Islands, and the United States 
        Virgin Islands.
            (19) State election official.--The term ``State election 
        official'' means--
                    (A) the chief State election official of a State 
                designated under section 10 of the National Voter 
                Registration Act of 1993 (52 U.S.C. 20509); or
                    (B) in the Commonwealth of Puerto Rico, Guam, 
                American Samoa, the Commonwealth of Northern Mariana 
                Islands, and the United States Virgin Islands, a chief 
                State election official designated by the State for 
                purposes of this Act.
            (20) State law enforcement officer.--The term ``State law 
        enforcement officer'' means the head of a State law enforcement 
        agency, such as an attorney general.
            (21) Voting system.--The term ``voting system'' has the 
        meaning given the term in section 301(b) of the Help America 
        Vote Act of 2002 (52 U.S.C. 21081(b)).

SEC. 4. INFORMATION SHARING.

    (a) Designation of Responsible Federal Entity.--The Secretary shall 
have primary responsibility within the Federal Government for sharing 
information about election cybersecurity incidents, threats, and 
vulnerabilities with Federal entities and with election agencies.
    (b) Presumption of Federal Information Sharing to the Department.--
If a Federal entity receives information about an election 
cybersecurity incident, threat, or vulnerability, the Federal entity 
shall promptly share that information with the Department, unless the 
head of the entity (or a Senate-confirmed official designated by the 
head) makes a specific determination in writing that there is good 
cause to withhold the particular information.
    (c) Presumption of Federal and State Information Sharing From the 
Department.--If the Department receives information about an election 
cybersecurity incident, threat, or vulnerability, unless the Secretary 
makes a specific determination in writing that there is good cause to 
withhold the particular information, the Department shall promptly 
share that information with--
            (1) the appropriate Federal entities;
            (2) all State election agencies;
            (3) all election agencies that have requested ongoing 
        updates on election cybersecurity incidents, threats, or 
        vulnerabilities; and
            (4) all election agencies that may be affected by the risks 
        associated with the particular election cybersecurity incident, 
        threat, or vulnerability.
    (d) Technical Resources for Election Agencies.--In sharing 
information about election cybersecurity incidents, threats, and 
vulnerabilities with election agencies under this section, the 
Department shall, to the extent possible--
            (1) provide cyber threat indicators and defensive measures 
        (as such terms are defined in section 102 of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501)), such as 
        recommended technical instructions, that assist with protecting 
        against and detecting associated risks;
            (2) identify resources available for protecting against, 
        detecting, responding to, and recovering from associated risks, 
        including technical capabilities of the Department; and
            (3) provide guidance about further sharing of the 
        information.
    (e) Declassification Review.--If the Department receives classified 
information about an election cybersecurity incident, threat, or 
vulnerability--
            (1) the Secretary shall promptly submit a request for 
        expedited declassification review to the head of a Federal 
        entity with authority to conduct the review, consistent with 
        Executive Order 13526 or any successor order; and
            (2) the head of the Federal entity described in paragraph 
        (1) shall promptly conduct the review.
    (f) Role of Non-Federal Entities.--The Department may share 
information about election cybersecurity incidents, threats, and 
vulnerabilities through a non-Federal entity, such as the Multi-State 
Information Sharing and Analysis Center.
    (g) Protection of Personal and Confidential Information.--If a 
Federal entity shares information about an election cybersecurity 
incident, threat, or vulnerability, the Federal entity shall--
            (1) minimize the acquisition, retention, use, and 
        disclosure of personal information of voters, except as 
        necessary to identify, protect against, detect, respond to, or 
        recover from election cybersecurity incidents, threats, and 
        vulnerabilities; and
            (2) take reasonable steps to protect confidential Federal 
        and State information from unauthorized disclosure.
    (h) Duty To Assess Possible Cybersecurity Incidents.--
            (1) Election agencies.--If an election agency becomes aware 
        of the possibility of an election cybersecurity incident, the 
        election agency shall promptly assess whether an election 
        cybersecurity incident occurred and notify the State election 
        official.
            (2) Election service providers.--If an election service 
        provider becomes aware of the possibility of an election 
        cybersecurity incident, the election service provider shall 
        promptly assess whether an election cybersecurity incident 
        occurred and notify the relevant election agencies consistent 
        with subsection (j).
    (i) Information Sharing About Cybersecurity Incidents by Election 
Agencies.--If an election agency has reason to believe that an election 
cybersecurity incident has occurred with respect to an election system 
owned, operated, or maintained by or on behalf of the election agency, 
the election agency shall, in the most expedient time possible and 
without unreasonable delay (in no event longer than 3 calendar days 
after discovery of the incident), provide notification of the election 
cybersecurity incident to the Secretary.
    (j) Information Sharing About Cybersecurity Incidents by Election 
Service Providers.--If an election service provider has reason to 
believe that an election cybersecurity incident may have occurred, or 
that an information security incident related to the role of the 
provider as an election service provider may have occurred, the 
election service provider shall--
            (1) notify the relevant election agencies in the most 
        expedient time possible and without unreasonable delay (in no 
        event longer than 3 calendar days after discovery of the 
        possible incident); and
            (2) cooperate with the election agencies in providing the 
        notifications required under subsections (h)(1) and (i).
    (k) Content of Notification by Election Agencies.--The 
notifications required under subsections (h)(1) and (i)--
            (1) shall include an initial assessment of--
                    (A) the date and duration of the election 
                cybersecurity incident;
                    (B) the circumstances of the election cybersecurity 
                incident, including the specific election systems 
                believed to have been accessed and information 
                acquired; and
                    (C) planned and implemented technical measures to 
                respond to and recover from the incident; and
            (2) shall be updated with additional material information, 
        including technical data, as it becomes available.
    (l) Security Clearance.--Not later than 30 days after the date of 
enactment of this Act, the Secretary--
            (1) shall establish an expedited process for providing 
        appropriate security clearance to State election officials and 
        designated technical personnel employed by State election 
        agencies;
            (2) shall establish an expedited process for providing 
        appropriate security clearance to members of the Commission and 
        designated technical personnel employed by the Commission; and
            (3) shall establish a process for providing appropriate 
        security clearance to personnel at other election agencies.
    (m) Catalog of Cybersecurity Services.--The Secretary--
            (1) shall make publicly available, including on the public 
        website of the Department, a catalog of cybersecurity services 
        that the appropriate Federal agencies can provide to election 
        agencies and a point of contact for each service; and
            (2) may create a classified annex to the catalog and make 
        it available only to election agency personnel with appropriate 
        security clearance.
    (n) Protection From Liability.--Nothing in this Act may be 
construed to provide a cause of action against a State, unit of local 
government, or an election service provider.
    (o) Assessment of Inter-State Information Sharing About Election 
Cybersecurity.--
            (1) In general.--The Secretary and the Chairman, in 
        coordination with the heads of the appropriate Federal entities 
        and appropriate officials of State and local governments, shall 
        conduct an assessment of--
                    (A) the structure and functioning of the Multi-
                State Information Sharing and Analysis Center for 
                purposes of election cybersecurity; and
                    (B) other mechanisms for inter-state information 
                sharing about election cybersecurity.
            (2) Comment from election agencies.--In carrying out the 
        assessment required under paragraph (1), the Secretary and the 
        Chairman shall solicit and consider comments from all State 
        election agencies.
            (3) Distribution.--The Secretary and the Chairman shall 
        jointly issue the assessment required under paragraph (1) to--
                    (A) all election agencies known to the Department 
                and the Commission; and
                    (B) the appropriate congressional committees.
    (p) Congressional Notification.--
            (1) In general.--If an appropriate Federal entity has 
        reason to believe that a significant election cybersecurity 
        incident has occurred, the entity shall--
                    (A) not later than 7 calendar days after the date 
                on which there is a reasonable basis to conclude that 
                the significant incident has occurred, provide 
                notification of the incident to--
                            (i) the appropriate congressional 
                        committees;
                            (ii) the members of the Senate representing 
                        the States affected by the incident; and
                            (iii) the members of the House of 
                        Representatives representing the congressional 
                        districts affected by the incident; and
                    (B) update the initial notification under paragraph 
                (1) within a reasonable period of time after additional 
                information relating to the incident is discovered.
            (2) Reporting threshold.--The Secretary shall--
                    (A) promulgate a uniform definition of a 
                ``significant election cybersecurity incident''; and
                    (B) shall submit the definition promulgated under 
                subparagraph (A) to the appropriate congressional 
                committees.

SEC. 5. ADVISORY PANEL AND GUIDELINES.

    (a) Advisory Panel.--
            (1) In general.--The Secretary shall establish an advisory 
        panel of independent experts on election cybersecurity.
            (2) Membership.--The Advisory Panel shall consist of not 
        less than 9 members, of whom--
                    (A) 5 shall be appointed by the Secretary, in 
                consultation with the Chairman and the Director of the 
                National Institute of Standards and Technology, of whom 
                1 shall be designated as the Chairperson of the 
                Advisory Panel;
                    (B) 1 shall be appointed by the National 
                Association of Secretaries of State;
                    (C) 1 shall be appointed by the National 
                Association of State Election Directors;
                    (D) 1 shall be appointed by the National 
                Association of Counties; and
                    (E) 1 shall be appointed by the National League of 
                Cities.
            (3) Eligibility.--Individuals appointed to the Advisory 
        Panel established under paragraph (1)--
                    (A) may not be officers or employees of the United 
                States;
                    (B) if appointed under paragraph (2)(A), shall 
                possess expertise in cybersecurity; and
                    (C) if appointed under any other subparagraph of 
                paragraph (2), shall possess expertise in 
                cybersecurity, election law, or election 
                administration.
            (4) Terms; vacancies.--Members of the Advisory Panel shall 
        serve for a term set by the Secretary. Any vacancy in the 
        Advisory Panel shall be filled in the same manner as the 
        original appointment.
            (5) Compensation.--Members of the Advisory Panel shall 
        serve on the Advisory Panel without compensation, except that 
        members of the Advisory Panel may be allowed travel expenses, 
        including per diem in lieu of subsistence, at rates authorized 
        for employees of agencies under subchapter I of chapter 57 of 
        title 5, United States Code, while away from their homes or 
        regular places of business in the performance of services for 
        the Advisory Panel.
            (6) Administrative staff.--Upon request of the Advisory 
        Panel, the Secretary shall provide to the Advisory Panel, on a 
        reimbursable basis, the administrative support services 
        necessary for the Advisory Panel to carry out its 
        responsibilities under this Act.
    (b) Guidelines.--
            (1) In general.--The Advisory Panel shall develop a set of 
        guidelines for election cybersecurity, including standards for 
        procuring, maintaining, testing, auditing, operating, and 
        updating election systems.
            (2) Requirements.--In developing the guidelines, the 
        Advisory Panel shall--
                    (A) identify the top risks to election systems;
                    (B) describe how specific technology choices can 
                increase or decrease those risks; and
                    (C) provide recommended policies, best practices, 
                and overall security strategies for identifying, 
                protecting against, detecting, responding to, and 
                recovering from the risks identified under subparagraph 
                (A).
    (c) Grant Program.--The Advisory Panel shall assist the Department 
and the Commission in carrying out the grant program required under 
section 7 by--
            (1) submitting recommendations to the Department about the 
        grant program application process;
            (2) submitting recommendations, including recommended 
        criteria, to the Department for the grant program review 
        process;
            (3) submitting recommendations, including recommended 
        criteria, to the Department for use of remaining grant funds;
            (4) submitting recommendations, including recommended 
        criteria, to the Department for the interim grant program for 
        non-paper equipment replacement; and
            (5) providing any other assistance that the Department or 
        the Commission requests.
    (d) Paper Ballots and Statistical Audits.--The guidelines developed 
under subsection (b) shall include provisions regarding paper ballots 
and statistical audits for Federal elections, including that--
            (1) each vote is made by a paper ballot (marked by hand or 
        device), and the voter has an opportunity to inspect and 
        confirm the marked paper ballot before casting it (consistent 
        with accessibility accommodations); and
            (2) each election result is determined by tabulating marked 
        paper ballots (by hand or device), and prior to certification 
        by a State of the election result, election agencies within the 
        State inspect (by hand and not by device) a random sample of 
        the marked paper ballots and thereby establish high statistical 
        confidence in the election result.
    (e) Issues Considered.--
            (1) In general.--In developing the guidelines required 
        under subsection (b), the Advisory Panel shall consider--
                    (A) applying established cybersecurity best 
                practices to Federal election administration by States 
                and local governments, including appropriate 
                technologies, procedures, and personnel for 
                identifying, protecting against, detecting, responding 
                to, and recovering from cybersecurity events;
                    (B) mechanisms to verify that election systems 
                accurately tabulate ballots, report results, and 
                identify a winner for each election for Federal office, 
                even if computer hardware or software malfunctions due 
                to error or an election cybersecurity incident;
                    (C) specific types of election audits, including 
                procedures and shortcomings for such audits;
                    (D) durational requirements needed to facilitate 
                election audits prior to election certification, 
                including variations in the acceptance of postal 
                ballots, time allowed to cure provisional ballots, and 
                election certification deadlines;
                    (E) providing actionable guidance to election 
                agencies that have not applied for or received grant 
                funds under section 7, and to agencies that seek to 
                implement additional cybersecurity protections;
                    (F) how the guidelines could assist other 
                components of State and local governments; and
                    (G) any other factors that the Advisory Panel 
                determines to be relevant.
            (2) Relationship to voluntary voting guidelines and 
        national institute of standards and technology cybersecurity 
        guidance.--In developing the guidelines required under 
        subsection (b), the Advisory Panel shall consider--
                    (A) the Voluntary Voting Guidelines developed by 
                the Commission; and
                    (B) cybersecurity standards and best practices 
                developed by the National Institute of Standards and 
                Technology, including frameworks, consistent with 
                section 2(c) of the National Institute of Standards and 
                Technology Act (15 U.S.C. 272(c)).
    (f) Public Comment.--The Advisory Panel shall--
            (1) provide a reasonable opportunity for public comment, 
        including through Department publication in the Federal 
        Register, on the guidelines required under subsection (b), 
        including a 45-day opportunity for public comment on a draft of 
        the guidelines before they are submitted under subsection (i), 
        which shall, to the extent practicable, occur concurrently with 
        the other activities of the Advisory Panel under this section; 
        and
            (2) consider the public comments in developing the 
        guidelines.
    (g) Consultation.--In developing the guidelines required under 
subsection (b), the Advisory Panel shall consult with--
            (1) the appropriate Federal entities;
            (2) the Standards Board, Board of Advisors, and Technical 
        Guidelines Development Committee of the Commission;
            (3) the Federal Communications Commission;
            (4) the Federal Trade Commission;
            (5) the National Governors Association;
            (6) the National Association of Secretaries of State;
            (7) the National Association of State Election Directors;
            (8) the National Association of Election Officials;
            (9) the National Association of Counties;
            (10) the National League of Cities;
            (11) the International Association of Government Officials;
            (12) the Multi-State Information Sharing and Analysis 
        Center;
            (13) the National Science Foundation; and
            (14) any other interested entities that the Advisory Panel 
        determines are necessary to the development of the guidelines.
    (h) Submission to Secretary.--Not later than 180 days after the 
date of enactment of this Act, the Advisory Panel shall submit the 
guidelines required under subsection (b) to the Secretary.
    (i) Submission to Congress; Modification.--Not later than 14 
calendar days after the date on which the Secretary receives guidelines 
under subsection (h) or (l), the Secretary shall submit the guidelines 
to the appropriate congressional committees. The Secretary may modify 
the guidelines in advance of submission to Congress if--
            (1) the Secretary determines that there is good cause to 
        modify the guidelines, consistent with the considerations 
        established in subsection (e) and notwithstanding the 
        recommendation of the Advisory Panel; and
            (2) the Secretary submits a written justification of the 
        modification to the Advisory Panel and the appropriate 
        congressional committees.
    (j) Distribution to Election Agencies.--The Secretary shall 
distribute the guidelines required under subsection (b) to all election 
agencies known to the Department and the Commission.
    (k) Publication.--The Secretary shall make the guidelines required 
under subsection (b) available on the public website of the Department.
    (l) Periodic Review.--Not later than January 31, 2019, and once 
every 2 years thereafter, the Advisory Panel shall review and update 
the guidelines required under subsection (b).
    (m) Rule of Construction.--Nothing in the section shall be 
construed to subject the process for developing the guidelines required 
under subsection (b) to subchapter II of chapter 5, and chapter 7, of 
title 5, United States Code (commonly known as the ``Administrative 
Procedure Act'').

SEC. 6. REPORTS TO CONGRESS.

    (a) Reports on Foreign Threats to Elections.--
            (1) In general.--Not later than 30 days after the date of 
        enactment of this Act, and 30 days after the end of each fiscal 
        year thereafter, the Secretary and the Director of National 
        Intelligence, in coordination with the heads of the appropriate 
        Federal entities, shall submit a joint report to the 
        appropriate congressional committees on foreign threats to 
        elections in the United States, including physical and 
        cybersecurity threats.
            (2) Voluntary participation by states.--The Secretary shall 
        solicit and consider comments from all State election agencies. 
        Participation by an election agency in the report under this 
        subsection shall be voluntary and at the discretion of the 
        State.
    (b) Reports on Grant Program.--Not later than 2 years after the 
date of enactment of this Act, and every 4 years thereafter, the 
Comptroller General of the United States shall submit a report to the 
appropriate congressional committees on the Department grant program 
established under section 7, including how grant funds have been 
distributed and used to implement the guidelines required under section 
5(b).

SEC. 7. STATE ELECTION SYSTEM CYBERSECURITY AND MODERNIZATION GRANTS.

    (a) Authority.--
            (1) In general.--The Secretary, acting through the 
        component of the Department that reports to the Under Secretary 
        responsible for overseeing critical infrastructure protection, 
        cybersecurity, and other related programs of the Department, 
        shall award grants to States in accordance with this section.
            (2) Coordination.--
                    (A) In general.--The Secretary shall coordinate 
                with the Commission in carrying out this section.
                    (B) Joint program.--If the Secretary determines 
                that jointly carrying out this section with the 
                Commission would increase State participation and 
                cybersecurity preparedness, the Secretary shall--
                            (i) submit notice of the determination to 
                        the Committee on Homeland Security and 
                        Governmental Affairs of the Senate and the 
                        Committee on Homeland Security of the House of 
                        Representatives; and
                            (ii) enter into a Memorandum of 
                        Understanding with the Commission to carry out 
                        the grant program.
    (b) Application Process.--
            (1) In general.--The Secretary shall--
                    (A) establish a process for States to apply for 
                election system cybersecurity and modernization grants;
                    (B) in establishing the application process, 
                consider the recommendations of the Advisory Panel 
                under section 5(c); and
                    (C) ensure that the application process requires 
                that a State seeking a grant provide a detailed 
                explanation of how election agencies within the State 
                will implement the guidelines established under section 
                5(b).
            (2) Review.--The Secretary--
                    (A) shall fund a State application if the Secretary 
                determines that--
                            (i) the election agencies within the State 
                        will likely implement the guidelines 
                        established under section 5(b);
                            (ii) with respect to the guidelines related 
                        to statistical audits, consistent with section 
                        5(d), the State will complete a statewide pilot 
                        program during a biennial Federal general 
                        election not later than 2022; and
                            (iii) the State will match at least ten 
                        percent of the total grant allocation for 
                        election cybersecurity improvements; and
                    (B) in reviewing a State application, shall 
                consider the recommendations and criteria of the 
                Advisory Panel under section 5(c).
            (3) State implementation.--
                    (A) In general.--A State receiving a grant under 
                this section may adopt any reasonable implementation of 
                the guidelines established under section 5(b).
                    (B) Inconsistency with state law.--If 
                implementation of the guidelines would be inconsistent 
                with State law, the State--
                            (i) shall identify in the application of 
                        the State the legal issue and the guidelines 
                        that the State cannot implement;
                            (ii) shall specify in the application of 
                        the State the amount of grant funds that the 
                        State would spend implementing those guidelines 
                        if the law were not inconsistent; and
                            (iii) shall not spend the amount of grant 
                        funds specified under clause (ii) until the 
                        legal issue is resolved.
            (4) Protection of personal information.--The application 
        process established under this subsection shall not require a 
        State to disclose the personal information of any voter.
    (c) Use of Funds.--
            (1) In general.--Except as provided in paragraph (2), a 
        State receiving a grant under this section shall use the funds 
        received under the grant to implement the guidelines 
        established under section 5(b).
            (2) Remaining funds.--A State may use funds from a grant 
        under this section to improve, upgrade, or acquire hardware, 
        software, or services related to election administration, 
        consistent with the guidelines established under section 5(b), 
        if--
                    (A) the State election official submits a written 
                certification to the Secretary that the election 
                agencies within the State have implemented the 
                guidelines established under section 5(b); and
                    (B) the Secretary, after consideration of the 
                recommendations and criteria of the Advisory Panel 
                under section 5(c), approves the use of funds.
            (3) Prohibition on use for certain voting systems.--Funds 
        received under a grant under this section may not be used for 
        any voting system that records each vote in electronic storage 
        unless the system is an optical scanner that reads paper 
        ballots.
    (d) Contracting Assistance.--Not later than 90 days after the date 
of enactment of this Act, the Administrator of General Services, in 
consultation with the Director of the National Institute of Standards 
and Technology, shall take such actions as may be necessary through 
competitive processes--
            (1) to qualify a set of private sector entities that are 
        capable of assisting the States with identifying, protecting 
        against, detecting, responding to, and recovering from election 
        cybersecurity incidents, threats, and vulnerabilities;
            (2) to establish contract vehicles to enable States to 
        access the services of 1 or more of the private sector 
        organizations after receiving amounts under a grant under this 
        section;
            (3) to ensure that the contract vehicles permit individual 
        States to augment Federal funds with funding otherwise 
        available to the States; and
            (4) to provide a list of qualified entities to the 
        Secretary and Chairman in order to ensure it is readily 
        available to State election officials.
    (e) Limitation on Amount of Grant.--
            (1) In general.--Subject to paragraph (3), the amount of 
        funds provided to a State under a grant under this section 
        shall be equal to the product obtained by multiplying--
                    (A) the total amount appropriated for grants 
                pursuant to the authorization under section 6; by
                    (B) the State allocation percentage for the State 
                (as determined under paragraph (2)).
            (2) State allocation percentage.--The State allocation 
        percentage for a State is the amount (expressed as a 
        percentage) equal to the quotient obtained by dividing--
                    (A) the total voting age population of all States 
                (as reported in the most recent decennial census); by
                    (B) the voting age population of the State (as 
                reported in the most recent decennial census).
            (3) Minimum amount of payment.--The amount determined under 
        this subsection may not be less than--
                    (A) in the case of any of the several States or the 
                District of Columbia, 0.5 percent of the total amount 
                appropriated for grants under this section; or
                    (B) in the case of the Commonwealth of Puerto Rico, 
                Guam, American Samoa, the Commonwealth of Northern 
                Mariana Islands, or the United States Virgin Islands, 
                0.1 percent of such total amount.
            (4) Pro rata reductions.--The Secretary shall make such pro 
        rata reductions to the allocations determined under paragraph 
        (1) as are necessary to comply with the requirements of 
        paragraph (3).
    (f) Interim Grant Program for Election Preparedness.--
            (1) In general.--The Secretary shall award a grant to an 
        election agency, regardless of State submission of an 
        application under subsection (b), that--
                    (A) receives a ``cyber hygiene'' scan, a risk and 
                vulnerability assessment, or a similar cybersecurity 
                evaluation by the Department or a contractor approved 
                by the Department; and
                    (B) not later than November 6, 2018, submits to the 
                Department--
                            (i) the results of the evaluation described 
                        in subparagraph (A);
                            (ii) a plan for rapidly remediating the 
                        vulnerabilities identified by the evaluation, 
                        including specific expenditures; and
                            (iii) in the case of an application by any 
                        election agency of a political subdivision of a 
                        State, a certification of approval from the 
                        State election agency.
            (2) Prioritization for local governments.--A State election 
        agency may authorize some or all other election agencies within 
        the State to apply for interim grants under paragraph (1). If 
        the amount available under paragraph (5) is not sufficient to 
        fund the applications received from election agencies within 
        the State, the State election agency may establish a priority 
        order for funding applications.
            (3) Use of funds.--An election agency that receives a grant 
        under paragraph (1) shall only use the funds received under the 
        grant to implement the remediation plan submitted under 
        paragraph (1)(B)(ii).
            (4) Unavailability of department services.--If an election 
        agency requests an evaluation by the Department consistent with 
        paragraph (1)(A), and the Department is not able to provide the 
        evaluation during the 30-calendar-day period following the 
        request, the agency may--
                    (A) procure a reasonably equivalent evaluation from 
                a private-sector entity; and
                    (B) use funds received from a grant under 
                subparagraph (A) as reimbursement for the cost of the 
                evaluation.
            (5) Limitation on amount of grant; coordination with 
        cybersecurity and modernization grants.--
                    (A) Limitation.--The aggregate amount of grants 
                under this subsection to all election agencies in a 
                State shall not exceed 10 percent of the limitation 
                with respect to such State under subsection (e)(1).
                    (B) Coordination with cybersecurity and 
                modernization grants.--The amount under subsection 
                (e)(1) for purposes of grants under subsection (a)(1) 
                to a State shall be reduced by the amount of grants 
                provided under this subsection to election agencies 
                within the State, less any unused amount returned to 
                the Department.
    (g) Interim Grant Program for Non-Paper Equipment Replacement.--
            (1) In general.--The Secretary shall award grants to States 
        designated under paragraph (2) for the purpose of replacing 
        voting systems that would not be eligible for purchase under 
        subsection (c)(3).
            (2) Eligibility.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary shall develop a list of 
        States in which 10 percent or more of votes in the first 
        Federal election occurring after the date of enactment of this 
        Act are expected to be cast using voting systems that would not 
        be eligible for purchase under subsection (c)(3), and shall 
        submit the list to the appropriate congressional committees.
            (3) Use of funds.--A State election agency that receives 
        funds under paragraph (1) shall only use the funds to replace 
        voting systems that would not be eligible for purchase under 
        subsection (c)(3).
            (4) Application process.--The Secretary shall--
                    (A) establish an application process for States 
                designated under paragraph (2) to apply for grants 
                under this subsection; and
                    (B) consider the recommendations of the Advisory 
                Panel under section 5(c) in establishing the 
                application process; and ensure that a State applying 
                for a grant submits--
                            (i) an inventory of voting systems in the 
                        State that would not be eligible for purchase 
                        under subsection (c)(3);
                            (ii) a plan to expeditiously replace those 
                        voting systems; and
                            (iii) a commitment to State funding for 
                        replacements that is at least equivalent to the 
                        grant amount.
            (5) Review.--The Secretary--
                    (A) shall fund a State application if the Secretary 
                determines that the State will likely replace the 
                voting systems that would not be eligible for purchase 
                under subsection (c)(3); and
                    (B) in reviewing a State application, shall 
                consider the recommendations and criteria of the 
                Advisory Panel under section 5(c).
            (6) Limitations; coordination with cybersecurity and 
        modernization grants.--
                    (A) Limitations.--Of the total amount authorized to 
                be appropriated under subsection (i) for the first 
                fiscal year beginning after the date of enactment of 
                this Act, $186,000,000 shall be used for grants awarded 
                under this subsection.
                    (B) Formula for grant amounts.--The grant amount 
                made available to each State shall be set according to 
                the proportional formula described in subsection (e), 
                as applied to the list of States designated under 
                paragraph (2) and the number of votes cast in those 
                States using voting systems that would not be eligible 
                for purchase under subsection (c)(3).
                    (C) Coordination with cybersecurity and 
                modernization grants.--If the Secretary determines that 
                no additional State will receive a grant under this 
                paragraph, the Secretary shall reallocate any amounts 
                remaining under subparagraph (A) to the cybersecurity 
                and modernization grant program established under this 
                section.
    (h) Financial Assistance for Auditing Expenses.--
            (1) In general.--The Secretary shall award grants to States 
        that, in order to implement the guidelines established under 
        section 5(b), inspect (by hand and not by device) a number of 
        marked paper ballots in a Federal election that is greater than 
        5 percent of the voting age population within the State (in the 
        case of national or statewide office) or district covered by 
        the election.
            (2) Application process.--The Secretary shall establish an 
        application process for a State that qualifies under paragraph 
        (1) to apply for a grant to reimburse its expenses associated 
        with inspecting (by hand and not by device) paper ballots in 
        excess of 5 percent of the voting age population within the 
        State (in the case of national or statewide office) or district 
        covered by the election.
            (3) Local governments.--A State election agency may 
        authorize some or all other election agencies within the State 
        to apply for grants under paragraph (1).
            (4) Timing; distribution.--The Secretary shall award grants 
        under this subsection on January 31, 2019, and every 2 years 
        thereafter. If the amount appropriated for carrying out this 
        subsection is insufficient to fund the grants, the Secretary 
        shall fund them according to the proportional formula described 
        in subsection (e), as applied to the States seeking grants 
        under this subsection and the number of marked paper ballots 
        that were inspected by hand in excess of 5 percent of the 
        voting age population within the State (in the case of national 
        or statewide office) or district covered by the election.
            (5) Limitation.--Of the total amount authorized to be 
        appropriated under subsection (i), $5,000,000 shall be used for 
        grants under this subsection.
    (i) Authorization of Appropriations.--
            (1) In general.--There is authorized to be appropriated to 
        the Department $386,000,000 to carry out this section for 
        fiscal year 2018.
            (2) Availability.--Any amounts appropriated pursuant to 
        paragraph (1) shall remain available without fiscal year 
        limitation until expended.
            (3) Funding source.--
                    (A) Definitions.--In this paragraph--
                            (i) the terms ``agency'', ``closeout'', and 
                        ``Federal grant award'' have the meanings given 
                        those terms in section 2 of the Grants 
                        Oversight and New Efficiency Act (Public Law 
                        114-117; 130 Stat. 6); and
                            (ii) the term ``Director'' means the 
                        Director of the Office of Management and 
                        Budget.
                    (B) Closeout of expired and undisbursed federal 
                grants.--Not later than 1 year after the date of 
                enactment of this Act, the Director shall promulgate 
                procedures requiring the head of each agency to 
                promptly conduct a closeout of each Federal grant 
                award.
                    (C) Related reports.--In promulgating the 
                procedures required under subparagraph (B), the 
                Director shall consider the recommendations and data in 
                the reports required to be submitted under section 2 of 
                the Grants Oversight and New Efficiency Act (Public Law 
                114-117; 130 Stat. 6) and section 530 of the Commerce, 
                Justice, Science, and Related Agencies Appropriations 
                Act, 2016 (Public Law 114-113; 129 Stat. 2329), and 
                similar reports.
                    (D) Expiration.--The procedures required under 
                subparagraph (B) shall expire 4 years after the date on 
                which the procedures are promulgated.

SEC. 8. HACK THE ELECTION PROGRAM.

    (a) Establishment.--Not later than 1 year after the date of 
enactment of this Act, the Secretary shall establish a program to 
improve election system cybersecurity by facilitating and encouraging 
assessments by independent technical experts, in cooperation with 
election agencies and election service providers, to identify and 
report election cybersecurity vulnerabilities.
    (b) Voluntary Participation.--Participation in the Hack the 
Election program shall be entirely voluntary for election agencies and 
election service providers.
    (c) Input From Election Agencies.--In developing the Hack the 
Election program under this section, the Secretary shall solicit input 
from election agencies, and shall encourage election agencies to 
participate.
    (d) Activities.--In establishing the program required under 
subsection (a), the Secretary shall--
            (1) establish a recurring competition for independent 
        technical experts to assess election systems for the purpose of 
        identifying and reporting election cybersecurity 
        vulnerabilities;
            (2) establish an expeditious process by which independent 
        technical experts can qualify to participate in the 
        competition;
            (3) establish a schedule of awards (monetary or non-
        monetary) for reports of previously unidentified election 
        cybersecurity vulnerabilities discovered by independent 
        technical experts during the competition;
            (4) establish a process for election agencies and election 
        service providers to voluntarily participate in the program by 
        designating specific election systems, periods of time, and 
        circumstances for assessment by independent technical experts; 
        and
            (5) promptly notify election agencies and election service 
        providers about relevant election cybersecurity vulnerabilities 
        discovered through the competition, and provide technical 
        assistance in remedying the vulnerabilities.
    (e) Use of Service Providers.--The Secretary may award competitive 
contracts as necessary to manage the program required under subsection 
(a).
    (f) Consultation.--In developing the program required under 
subsection (a), the Secretary shall consult with--
            (1) the Attorney General to address possible liability for 
        participating individuals under section 1030 of title 18, 
        United States Code, section 1201 of title 17, United States 
        Code, or other relevant Federal law; and
            (2) the relevant offices at the Department of Defense that 
        were responsible for launching the 2016 ``Hack the Pentagon'' 
        pilot program and subsequent Department of Defense bug bounty 
        programs.
                                 <all>