[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2593 Introduced in Senate (IS)]

<DOC>






115th CONGRESS
  2d Session
                                S. 2593

      To protect the administration of Federal elections against 
                         cybersecurity threats.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 22, 2018

 Mr. Lankford (for himself, Ms. Klobuchar, Mr. Graham, Ms. Harris, Ms. 
    Collins, Mr. Heinrich, Mr. Burr, and Mr. Warner) introduced the 
 following bill; which was read twice and referred to the Committee on 
                        Rules and Administration

_______________________________________________________________________

                                 A BILL


 
      To protect the administration of Federal elections against 
                         cybersecurity threats.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Secure Elections Act''.

SEC. 2. SENSE OF CONGRESS.

    It is the sense of Congress that--
            (1) the States conduct elections and should maintain 
        control of and responsibility for them;
            (2) it is important to maintain State leadership in 
        election administration;
            (3) free and fair elections are central to our democracy;
            (4) protecting our elections is a national security 
        priority; and
            (5) an attack on our election systems by a foreign power is 
        a hostile act and should be met with appropriate retaliatory 
        actions, including immediate and severe sanctions.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Advisory panel.--The term ``Advisory Panel'' means the 
        advisory panel of independent experts on election cybersecurity 
        established under section 5(a)(1).
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Rules and Administration, the 
                Committee on Armed Services, the Committee on Homeland 
                Security and Governmental Affairs, the Committee on 
                Appropriations, the Select Committee on Intelligence, 
                the majority leader, and the minority leader of the 
                Senate; and
                    (B) the Committee on House Administration, the 
                Committee on Armed Services, the Committee on Homeland 
                Security, the Committee on Appropriations, the 
                Permanent Select Committee on Intelligence, the 
                Speaker, and the minority leader of the House of 
                Representatives.
            (3) Appropriate federal entities.--The term ``appropriate 
        Federal entities'' means--
                    (A) the Department of Commerce, including the 
                National Institute of Standards and Technology;
                    (B) the Department of Defense;
                    (C) the Department, including the component of the 
                Department that reports to the Under Secretary 
                responsible for overseeing critical infrastructure 
                protection, cybersecurity, and other related programs 
                of the Department;
                    (D) the Department of Justice, including the 
                Federal Bureau of Investigation;
                    (E) the Commission; and
                    (F) the Office of the Director of National 
                Intelligence, the National Security Agency, and such 
                other elements of the intelligence community (as 
                defined in section 3 of the National Security Act of 
                1947 (50 U.S.C. 3003)) as the Director of National 
                Intelligence determines are appropriate.
            (4) Chairman.--The term ``Chairman'' means the Chairman of 
        the Election Assistance Commission.
            (5) Commission.--The term ``Commission'' means the Election 
        Assistance Commission.
            (6) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (7) Election agency.--The term ``election agency'' means 
        any component of a State or any component of a county, 
        municipality, or other subdivision of a State that is 
        responsible for administering Federal elections.
            (8) Election cybersecurity incident.--The term ``election 
        cybersecurity incident'' means any incident involving an 
        election system.
            (9) Election cybersecurity threat.--The term ``election 
        cybersecurity threat'' means any cybersecurity threat (as 
        defined in section 102 of the Cybersecurity Information Sharing 
        Act of 2015 (6 U.S.C. 1501)) to an election system.
            (10) Election cybersecurity vulnerability.--The term 
        ``election cybersecurity vulnerability'' means any security 
        vulnerability (as defined in section 102 of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501)) that affects 
        an election system.
            (11) Election service provider.--The term ``election 
        service provider'' means any person providing, supporting, or 
        maintaining an election system on behalf of an election agency, 
        such as a contractor or vendor.
            (12) Election system.--The term ``election system'' means a 
        voting system, an election management system, a voter 
        registration website or database, an electronic pollbook, a 
        system for tabulating or reporting election results, an 
        election agency communications system, or any other information 
        system (as defined in section 3502 of title 44, United States 
        Code) that the Secretary identifies as central to the 
        management, support, or administration of a Federal election.
            (13) Federal election.--The term ``Federal election'' means 
        any election (as defined in section 301(1) of the Federal 
        Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal 
        office (as defined in section 301(3) of the Federal Election 
        Campaign Act of 1971 (52 U.S.C. 30101(3))).
            (14) Federal entity.--The term ``Federal entity'' means any 
        agency (as defined in section 551 of title 5, United States 
        Code).
            (15) Incident.--The term ``incident'' has the meaning given 
        the term in section 227(a) of the Homeland Security Act of 2002 
        (6 U.S.C. 148(a)).
            (16) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
            (17) State.--The term ``State'' means each of the several 
        States of the United States, the District of Columbia, the 
        Commonwealth of Puerto Rico, Guam, American Samoa, the 
        Commonwealth of Northern Mariana Islands, and the United States 
        Virgin Islands.
            (18) State election official.--The term ``State election 
        official'' means--
                    (A) the chief State election official of a State 
                designated under section 10 of the National Voter 
                Registration Act of 1993 (52 U.S.C. 20509); or
                    (B) in the Commonwealth of Puerto Rico, Guam, 
                American Samoa, the Commonwealth of Northern Mariana 
                Islands, and the United States Virgin Islands, a chief 
                State election official designated by the State for 
                purposes of this Act.
            (19) State law enforcement officer.--The term ``State law 
        enforcement officer'' means the head of a State law enforcement 
        agency, such as an attorney general.
            (20) Voting system.--The term ``voting system'' has the 
        meaning given the term in section 301(b) of the Help America 
        Vote Act of 2002 (52 U.S.C. 21081(b)).

SEC. 4. INFORMATION SHARING.

    (a) Designation of Responsible Federal Entity.--The Secretary shall 
have primary responsibility within the Federal Government for sharing 
information about election cybersecurity incidents, threats, and 
vulnerabilities with Federal entities and with election agencies.
    (b) Presumption of Federal Information Sharing to the Department.--
If a Federal entity receives information about an election 
cybersecurity incident, threat, or vulnerability, the Federal entity 
shall promptly share that information with the Department, unless the 
head of the entity (or a Senate-confirmed official designated by the 
head) makes a specific determination in writing that there is good 
cause to withhold the particular information.
    (c) Presumption of Federal and State Information Sharing From the 
Department.--If the Department receives information about an election 
cybersecurity incident, threat, or vulnerability, the Department shall 
promptly share that information with--
            (1) the appropriate Federal entities;
            (2) all State election agencies;
            (3) to the maximum extent practicable, all election 
        agencies that have requested ongoing updates on election 
        cybersecurity incidents, threats, or vulnerabilities; and
            (4) to the maximum extent practicable, all election 
        agencies that may be affected by the risks associated with the 
        particular election cybersecurity incident, threat, or 
        vulnerability.
    (d) Technical Resources for Election Agencies.--In sharing 
information about election cybersecurity incidents, threats, and 
vulnerabilities with election agencies under this section, the 
Department shall, to the maximum extent practicable--
            (1) provide cyber threat indicators and defensive measures 
        (as such terms are defined in section 102 of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501)), such as 
        recommended technical instructions, that assist with 
        preventing, mitigating, and detecting threats or 
        vulnerabilities;
            (2) identify resources available for protecting against, 
        detecting, responding to, and recovering from associated risks, 
        including technical capabilities of the Department; and
            (3) provide guidance about further sharing of the 
        information.
    (e) Declassification Review.--If the Department receives classified 
information about an election cybersecurity incident, threat, or 
vulnerability--
            (1) the Secretary shall promptly submit a request for 
        expedited declassification review to the head of a Federal 
        entity with authority to conduct the review, consistent with 
        Executive Order 13526 or any successor order, unless the 
        Secretary determines that such a request would be 
        inappropriate; and
            (2) the head of the Federal entity described in paragraph 
        (1) shall promptly conduct the review.
    (f) Role of Non-Federal Entities.--The Department may share 
information about election cybersecurity incidents, threats, and 
vulnerabilities through a non-Federal entity.
    (g) Protection of Personal and Confidential Information.--
            (1) In general.--If a Federal entity shares information 
        relating to an election cybersecurity incident, threat, or 
        vulnerability, the Federal entity shall, within Federal 
        information systems (as defined in section 3502 of title 44, 
        United States Code) of the entity--
                    (A) minimize the acquisition, use, and disclosure 
                of personal information of voters, except as necessary 
                to identify, protect against, detect, respond to, or 
                recover from election cybersecurity incidents, threats, 
                and vulnerabilities;
                    (B) notwithstanding any other provision of law, 
                prohibit the retention of personal information of 
                voters, such as--
                            (i) voter registration information, 
                        including physical address, email address, and 
                        telephone number;
                            (ii) political party affiliation or 
                        registration information; and
                            (iii) voter history, including registration 
                        status or election participation; and
                    (C) protect confidential Federal and State 
                information from unauthorized disclosure.
            (2) Exemption from disclosure.--Information relating to an 
        election cybersecurity incident, threat, or vulnerability, such 
        as personally identifiable information of reporting persons or 
        individuals affected by such incident, threat, or 
        vulnerability, shared by or with the Federal Government shall 
        be--
                    (A) deemed voluntarily shared information and 
                exempt from disclosure under section 552 of title 5, 
                United States Code, and any State, tribal, or local 
                provision of law requiring disclosure of information or 
                records; and
                    (B) withheld, without discretion, from the public 
                under section 552(b)(3)(B) of title 5, United States 
                Code, and any State, tribal, or local provision of law 
                requiring disclosure of information or records.
    (h) Duty To Assess Possible Cybersecurity Incidents.--
            (1) Election agencies.--If an election agency becomes aware 
        of the possibility of an election cybersecurity incident, the 
        election agency shall promptly assess whether an election 
        cybersecurity incident occurred and notify the State election 
        official.
            (2) Election service providers.--If an election service 
        provider becomes aware of the possibility of an election 
        cybersecurity incident, the election service provider shall 
        promptly assess whether an election cybersecurity incident 
        occurred and notify the relevant election agencies consistent 
        with subsection (j).
    (i) Information Sharing About Cybersecurity Incidents by Election 
Agencies.--If an election agency has reason to believe that an election 
cybersecurity incident has occurred with respect to an election system 
owned, operated, or maintained by or on behalf of the election agency, 
the election agency shall, in the most expedient time possible and 
without unreasonable delay, provide notification of the election 
cybersecurity incident to the Department.
    (j) Information Sharing About Cybersecurity Incidents by Election 
Service Providers.--If an election service provider has reason to 
believe that an election cybersecurity incident may have occurred, or 
that an incident related to the role of the provider as an election 
service provider may have occurred, the election service provider 
shall--
            (1) notify the relevant election agencies in the most 
        expedient time possible and without unreasonable delay; and
            (2) cooperate with the election agencies in providing the 
        notifications required under subsections (h)(1) and (i).
    (k) Content of Notification by Election Agencies.--The 
notifications required under subsections (h)(1) and (i)--
            (1) shall include an initial assessment of--
                    (A) the date, time, and duration of the election 
                cybersecurity incident;
                    (B) the circumstances of the election cybersecurity 
                incident, including the specific election systems 
                believed to have been accessed and information 
                acquired; and
                    (C) planned and implemented technical measures to 
                respond to and recover from the incident; and
            (2) shall be updated with additional material information, 
        including technical data, as it becomes available.
    (l) Security Clearance.--Not later than 30 days after the date of 
enactment of this Act, the Secretary--
            (1) shall establish an expedited process for providing 
        appropriate security clearance to State election officials and 
        designated technical personnel employed by State election 
        agencies;
            (2) shall establish an expedited process for providing 
        appropriate security clearance to members of the Commission and 
        designated technical personnel employed by the Commission; and
            (3) shall establish a process for providing appropriate 
        security clearance to personnel at other election agencies.
    (m) Protection From Liability.--Nothing in this Act may be 
construed to provide a cause of action against a State, unit of local 
government, or an election service provider.
    (n) Assessment of Inter-State Information Sharing About Election 
Cybersecurity.--
            (1) In general.--The Secretary and the Chairman, in 
        coordination with the heads of the appropriate Federal entities 
        and appropriate officials of State and local governments, shall 
        conduct an assessment of--
                    (A) the structure and functioning of the Multi-
                State Information Sharing and Analysis Center for 
                purposes of election cybersecurity; and
                    (B) other mechanisms for inter-state information 
                sharing about election cybersecurity.
            (2) Comment from election agencies.--In carrying out the 
        assessment required under paragraph (1), the Secretary and the 
        Chairman shall solicit and consider comments from all State 
        election agencies.
            (3) Distribution.--The Secretary and the Chairman shall 
        jointly issue the assessment required under paragraph (1) to--
                    (A) all election agencies known to the Department 
                and the Commission; and
                    (B) the appropriate congressional committees.
    (o) Congressional Notification.--
            (1) In general.--If an appropriate Federal entity has 
        reason to believe that a significant election cybersecurity 
        incident has occurred, the entity shall--
                    (A) not later than 7 calendar days after the date 
                on which there is a reasonable basis to conclude that 
                the significant incident has occurred, provide 
                notification of the incident to the appropriate 
                congressional committees; and
                    (B) update the initial notification under paragraph 
                (1) within a reasonable period of time after additional 
                information relating to the incident is discovered.
            (2) Reporting threshold.--The Secretary shall--
                    (A) promulgate a uniform definition of a 
                ``significant election cybersecurity incident''; and
                    (B) shall submit the definition promulgated under 
                subparagraph (A) to the appropriate congressional 
                committees.

SEC. 5. ADVISORY PANEL AND GUIDELINES.

    (a) Advisory Panel.--
            (1) In general.--The Commission shall establish an advisory 
        panel of independent experts on election cybersecurity.
            (2) Membership.--The Advisory Panel shall consist of not 
        less than 9 members, of whom--
                    (A) one shall be appointed by the Chairman, in 
                consultation with the Secretary and the Director of the 
                National Institute of Standards and Technology, and 
                shall be designated as the Chairman of the advisory 
                panel;
                    (B) four shall be appointed by the Chairman, in 
                consultation with the Secretary; and
                    (C) four shall be appointed by the Secretary, in 
                consultation with the Chairman and the Director of the 
                National Institute of Standards and Technology.
            (3) Eligibility.--Individuals appointed to the Advisory 
        Panel established under paragraph (1)--
                    (A) may not be officers or employees of the United 
                States;
                    (B) if appointed under paragraph (2)(A), shall 
                possess expertise in election law, election 
                administration, or cybersecurity; and
                    (C) if appointed under subparagraph (B) or (C) of 
                paragraph (2), shall possess expertise in 
                cybersecurity.
            (4) Terms; vacancies.--Members of the Advisory Panel shall 
        serve for a term set by the Commission. Any vacancy in the 
        Advisory Panel shall be filled in the same manner as the 
        original appointment.
            (5) Compensation.--Members of the Advisory Panel shall 
        serve on the Advisory Panel without compensation, except that 
        members of the Advisory Panel may be allowed travel expenses, 
        including per diem in lieu of subsistence, at rates authorized 
        for employees of agencies under subchapter I of chapter 57 of 
        title 5, United States Code, while away from their homes or 
        regular places of business in the performance of services for 
        the Advisory Panel.
            (6) Administrative staff.--Upon request of the Advisory 
        Panel, the Commission shall provide to the Advisory Panel, on a 
        reimbursable basis, the administrative support services 
        necessary for the Advisory Panel to carry out its 
        responsibilities under this Act.
    (b) Guidelines.--
            (1) In general.--The Advisory Panel shall develop a set of 
        guidelines for election cybersecurity, including standards for 
        procuring, maintaining, testing, auditing, operating, and 
        updating election systems.
            (2) Requirements.--In developing the guidelines, the 
        Advisory Panel shall--
                    (A) identify the top risks to election systems;
                    (B) describe how specific technology choices can 
                increase or decrease those risks; and
                    (C) provide recommended policies, best practices, 
                and overall security strategies for identifying, 
                protecting against, detecting, responding to, and 
                recovering from the risks identified under subparagraph 
                (A).
    (c) Grant Program.--The Advisory Panel shall assist the Commission 
and the Department in carrying out the grant program required under 
section 7 by--
            (1) submitting recommendations to the Commission about the 
        grant program application process;
            (2) submitting recommendations, including recommended 
        criteria, to the Commission for the grant program review 
        process;
            (3) submitting recommendations, including recommended 
        criteria, to the Commission for use of remaining grant funds;
            (4) submitting recommendations, including recommended 
        criteria, to the Commission for the interim grant program for 
        non-paper equipment replacement; and
            (5) providing any other assistance that the Commission or 
        the Department requests.
    (d) Voting Systems and Statistical Audits.--The guidelines 
developed under subsection (b) shall include provisions regarding 
voting systems and statistical audits for Federal elections, including 
that--
            (1) each vote is cast using a voting system that--
                    (A) would be eligible to be purchased under section 
                7(f); and
                    (B) allows the voter an opportunity to inspect and 
                confirm the marked ballot before casting it (consistent 
                with accessibility requirements); and
            (2) each election result is determined by tabulating marked 
        ballots (by hand or device), and prior to certification by a 
        State of the election result, election agencies within the 
        State inspect (by hand and not by device) a random sample of 
        the marked ballots and thereby establish high statistical 
        confidence in the election result.
    (e) Issues Considered.--
            (1) In general.--In developing the guidelines required 
        under subsection (b), the Advisory Panel shall consider--
                    (A) applying established cybersecurity best 
                practices to Federal election administration by States 
                and local governments, including appropriate 
                technologies, procedures, and personnel for 
                identifying, protecting against, detecting, responding 
                to, and recovering from cybersecurity events;
                    (B) mechanisms to verify that election systems 
                accurately tabulate ballots, report results, and 
                identify a winner for each election for Federal office, 
                even if there is an error or fault in the voting 
                system;
                    (C) specific types of election audits, including 
                procedures and shortcomings for such audits;
                    (D) durational requirements needed to facilitate 
                election audits prior to election certification, 
                including variations in the acceptance of postal 
                ballots, time allowed to cure provisional ballots, and 
                election certification deadlines;
                    (E) providing actionable guidance to election 
                agencies that have not applied for or received grant 
                funds under section 7, and to agencies that seek to 
                implement additional cybersecurity protections;
                    (F) how the guidelines could assist other 
                components of State and local governments; and
                    (G) any other factors that the Advisory Panel 
                determines to be relevant.
            (2) Relationship to voluntary voting system guidelines and 
        national institute of standards and technology cybersecurity 
        guidance.--In developing the guidelines required under 
        subsection (b), the Advisory Panel shall consider--
                    (A) the voluntary voting system guidelines 
                developed by the Commission; and
                    (B) cybersecurity standards and best practices 
                developed by the National Institute of Standards and 
                Technology, including frameworks, consistent with 
                section 2(c) of the National Institute of Standards and 
                Technology Act (15 U.S.C. 272(c)).
    (f) Public Comment.--The Advisory Panel shall--
            (1) provide a reasonable opportunity for public comment, 
        including through Commission publication in the Federal 
        Register, on the guidelines required under subsection (b), 
        including a 45-day opportunity for public comment on a draft of 
        the guidelines before they are submitted under subsection (i), 
        which shall, to the extent practicable, occur concurrently with 
        the other activities of the Advisory Panel under this section; 
        and
            (2) consider the public comments in developing the 
        guidelines.
    (g) Consultation.--In developing the guidelines required under 
subsection (b), the Advisory Panel shall consult with--
            (1) the appropriate Federal entities;
            (2) the Standards Board, Board of Advisors, and Technical 
        Guidelines Development Committee of the Commission;
            (3) the Federal Communications Commission;
            (4) the Federal Trade Commission;
            (5) the National Governors Association;
            (6) the National Association of Secretaries of State;
            (7) the National Association of State Election Directors;
            (8) the National Association of Election Officials;
            (9) the National Association of Counties;
            (10) the National League of Cities;
            (11) the International Association of Government Officials;
            (12) the Multi-State Information Sharing and Analysis 
        Center;
            (13) the National Science Foundation; and
            (14) any other interested entities that the Advisory Panel 
        determines are necessary to the development of the guidelines.
    (h) Submission to Commission.--Not later than 180 days after the 
date of enactment of this Act, the Advisory Panel shall submit the 
guidelines required under subsection (b) to the Commission.
    (i) Submission to Congress; Modification.--Not later than 14 
calendar days after the date on which the Commission receives 
guidelines under subsection (h) or (l), the Commission shall submit the 
guidelines to the appropriate congressional committees. The Commission 
may modify the guidelines in advance of submission to Congress if--
            (1) the Commission determines that there is good cause to 
        modify the guidelines, consistent with the considerations 
        established in subsection (e) and notwithstanding the 
        recommendation of the Advisory Panel; and
            (2) the Commission submits a written justification of the 
        modification to the Advisory Panel and the appropriate 
        congressional committees.
    (j) Distribution to Election Agencies.--The Commission shall 
distribute the guidelines required under subsection (b) to all election 
agencies known to the Commission and the Department.
    (k) Publication.--The Commission shall make the guidelines required 
under subsection (b) available on the public website of the Department.
    (l) Periodic Review.--Not later than January 31, 2019, and once 
every 2 years thereafter, the Advisory Panel shall review and update 
the guidelines required under subsection (b).
    (m) Rule of Construction.--Nothing in this section shall be 
construed to subject the process for developing the guidelines required 
under subsection (b) to subchapter II of chapter 5, and chapter 7, of 
title 5, United States Code (commonly known as the ``Administrative 
Procedure Act'').
    (n) Conforming Amendment.--Section 202 of the Help America Vote Act 
of 2002 (52 U.S.C. 20921) is amended by striking ``and'' at the end of 
paragraph (5), by striking the period at the end of paragraph (6) and 
inserting ``; and'', and by adding at the end the following new 
paragraph:
            ``(7) establishing the advisory panel of independent 
        experts on election cybersecurity under section 5(a)(1) of the 
        Secure Elections Act.''.

SEC. 6. REPORTS TO CONGRESS.

    (a) Reports on Foreign Threats to Elections.--
            (1) In general.--Not later than 30 days after the date of 
        enactment of this Act, and 30 days after the end of each fiscal 
        year thereafter, the Secretary and the Director of National 
        Intelligence, in coordination with the heads of the appropriate 
        Federal entities, shall submit a joint report to the 
        appropriate congressional committees on foreign threats to 
        elections in the United States, including physical and 
        cybersecurity threats.
            (2) Voluntary participation by states.--The Secretary shall 
        solicit and consider comments from all State election agencies. 
        Participation by an election agency in the report under this 
        subsection shall be voluntary and at the discretion of the 
        State.
    (b) Reports on Grant Program.--
            (1) In general.--Not later than 2 years after the date of 
        enactment of this Act, and, subject to paragraph (2), every 4 
        years thereafter, the Comptroller General of the United States 
        shall submit a report to the appropriate congressional 
        committees on the grant program established under section 7, 
        including how grant funds have been distributed and used to 
        implement the guidelines required under section 5(b).
            (2) Sunset.--If the Comptroller General determines that 
        over 90 percent of the funds appropriated under section 7(h)(1) 
        have been expended by the States, the reporting requirement in 
        paragraph (1) shall cease to be effective after the Comptroller 
        General submits a final report.

SEC. 7. STATE ELECTION SYSTEM CYBERSECURITY AND MODERNIZATION GRANTS.

    (a) Authority.--
            (1) In general.--The Commission shall award grants in 
        accordance with this section.
            (2) Coordination.--
                    (A) In general.--The Commission shall coordinate 
                with the Secretary in carrying out this section.
                    (B) Joint program.--If the Chairman determines that 
                jointly carrying out this section with the Secretary 
                would increase State participation and cybersecurity 
                preparedness, the Chairman shall--
                            (i) submit notice of the determination to 
                        the Committee on Homeland Security and 
                        Governmental Affairs and the Committee on Rules 
                        and Administration of the Senate and the 
                        Committee on Homeland Security and the 
                        Committee on House Administration of the House 
                        of Representatives; and
                            (ii) enter into a Memorandum of 
                        Understanding with the Secretary to carry out 
                        the grant program.
    (b) Cybersecurity and Modernization Grants.--
            (1) Application process.--
                    (A) In general.--The Commission shall--
                            (i) establish a process for States to apply 
                        for election system cybersecurity and 
                        modernization grants;
                            (ii) in establishing the application 
                        process, consider the recommendations of the 
                        Advisory Panel under section 5(c); and
                            (iii) ensure that the application process 
                        requires that a State seeking a grant provide a 
                        detailed explanation of how election agencies 
                        within the State will implement the guidelines 
                        established under section 5(b).
                    (B) Review.--The Commission--
                            (i) shall fund a State application 
                        submitted under subparagraph (A) if the 
                        Commission determines that--
                                    (I) the election agencies within 
                                the State will likely implement the 
                                guidelines established under section 
                                5(b);
                                    (II) with respect to the guidelines 
                                related to statistical audits, 
                                consistent with section 5(d), the State 
                                will complete a statewide pilot program 
                                during a biennial Federal general 
                                election not later than 2022; and
                                    (III) the State will match at least 
                                ten percent of the total grant 
                                allocation for election cybersecurity 
                                improvements; and
                            (ii) in reviewing a State application, 
                        shall consider the recommendations and criteria 
                        of the Advisory Panel under section 5(c).
                    (C) State implementation.--
                            (i) In general.--A State receiving a grant 
                        under this subsection may adopt any reasonable 
                        implementation of the guidelines established 
                        under section 5(b).
                            (ii) Inconsistency with state law.--If 
                        implementation of the guidelines would be 
                        inconsistent with State law, the State shall--
                                    (I) identify in the application of 
                                the State the legal issue and the 
                                guidelines that the State cannot 
                                implement;
                                    (II) specify in the application of 
                                the State the amount of grant funds 
                                that the State would spend implementing 
                                those guidelines if the law were not 
                                inconsistent; and
                                    (III) not spend the amount of grant 
                                funds specified under subclause (II) 
                                until the legal issue is resolved.
                    (D) Protection of personal information.--The 
                application process established under this paragraph 
                shall not require a State to disclose the personal 
                information of any voter.
            (2) Use of funds.--
                    (A) In general.--Except as provided in subparagraph 
                (B), a State receiving a grant under this subsection 
                shall use the funds received under the grant to 
                implement the guidelines established under section 
                5(b).
                    (B) Remaining funds.--A State may use funds from a 
                grant under this subsection to improve, upgrade, or 
                acquire hardware, software, or services for the 
                purposes of improving administration of Federal 
                elections, consistent with the guidelines established 
                under section 5(b), if--
                            (i) the State election official submits a 
                        written certification to the Commission that 
                        the election agencies within the State have 
                        implemented the guidelines established under 
                        section 5(b); and
                            (ii) the Commission, after consideration of 
                        the recommendations and criteria of the 
                        Advisory Panel under section 5(c), approves the 
                        use of funds.
            (3) Limitation on amount of grants.--
                    (A) In general.--Subject to subparagraph (C), the 
                amount of funds provided to a State under a grant under 
                this subsection shall be equal to the product obtained 
                by multiplying--
                            (i) the total amount appropriated for 
                        grants pursuant to the authorization under 
                        subsection (h) reduced by the amounts described 
                        in subsections (d)(6) and (e)(5); by
                            (ii) the State allocation percentage for 
                        the State (as determined under paragraph (2)).
                    (B) State allocation percentage.--The State 
                allocation percentage for a State is the amount 
                (expressed as a percentage) equal to the quotient 
                obtained by dividing--
                            (i) the total voting age population of all 
                        States (as reported in the most recent 
                        decennial census); by
                            (ii) the voting age population of the State 
                        (as reported in the most recent decennial 
                        census).
                    (C) Minimum amount of payment.--The amount 
                determined under this subsection may not be less than--
                            (i) in the case of any of the several 
                        States or the District of Columbia, 0.5 percent 
                        of the total amount appropriated for grants 
                        under this section; or
                            (ii) in the case of the Commonwealth of 
                        Puerto Rico, Guam, American Samoa, the 
                        Commonwealth of Northern Mariana Islands, or 
                        the United States Virgin Islands, 0.1 percent 
                        of such total amount.
                    (D) Pro rata reductions.--The Commission shall make 
                such pro rata reductions to the allocations determined 
                under subparagraph (A) as are necessary to comply with 
                the requirements of subparagraph (C).
            (4) Grants for local jurisdictions.--
                    (A) Eligibility.--If a State notifies the 
                Commission that it will not apply for election system 
                cybersecurity and modernization grants under this 
                subsection, the Commission shall award grants to 
                election agencies within the State.
                    (B) Application process.--The Commission shall 
                establish a process for election agencies that are 
                eligible under subparagraph (A) to apply for election 
                system cybersecurity and modernization grants, 
                consistent with the application process for States 
                established under paragraph (1).
                    (C) Use of funds.--An election agency that receives 
                a grant under this subsection is subject to the use of 
                funds restrictions in paragraph (2).
                    (D) Limitation on amount of grant.--The amount of 
                funds provided to an election agency under a grant 
                under this subsection shall be equal to the amount 
                obtained by multiplying the amount available to the 
                State under paragraph (3) by the quotient obtained by 
                dividing--
                            (i) the voting age population of the State 
                        (as reported in the most recent decennial 
                        census) who would cast their ballots in a 
                        Federal election using voting systems operated 
                        by the election agency (under current State 
                        law); by
                            (ii) the voting age population of the State 
                        (as reported in the most recent decennial 
                        census).
    (c) Interim Grant Program for Election Preparedness.--
            (1) In general.--The Commission, in consultation with the 
        Secretary, shall award a grant to an election agency, 
        regardless of State submission of an application under 
        subsection (b)(1)(A), that--
                    (A) receives a ``cyber hygiene'' scan, a risk and 
                vulnerability assessment, or a similar cybersecurity 
                evaluation by the Department or a contractor approved 
                by the Department; and
                    (B) not later than November 6, 2018, submits to the 
                Commission and the Department--
                            (i) the results of the evaluation described 
                        in subparagraph (A);
                            (ii) a plan for rapidly remediating the 
                        vulnerabilities identified by the evaluation, 
                        including specific expenditures; and
                            (iii) in the case of an application by any 
                        election agency of a political subdivision of a 
                        State, a certification of approval from the 
                        State election agency.
            (2) Prioritization for local governments.--A State election 
        agency may authorize some or all other election agencies within 
        the State to apply for interim grants under paragraph (1). If 
        the amount available under paragraph (5) is not sufficient to 
        fund the applications received from election agencies within 
        the State, the State election agency may establish a priority 
        order for funding applications.
            (3) Use of funds.--An election agency that receives a grant 
        under paragraph (1) shall only use the funds received under the 
        grant to implement the remediation plan submitted under 
        paragraph (1)(B)(ii).
            (4) Unavailability of department services.--If an election 
        agency requests an evaluation by the Department consistent with 
        paragraph (1)(A), and the Department is not able to provide the 
        evaluation during the 30-calendar-day period following the 
        request, the agency may--
                    (A) procure a reasonably equivalent evaluation from 
                a private-sector entity; and
                    (B) use funds received from a grant under paragraph 
                (1) as reimbursement for the cost of the evaluation.
            (5) Limitation on amount of grant; coordination with 
        cybersecurity and modernization grants.--
                    (A) Limitation.--The aggregate amount of grants 
                under this subsection to all election agencies in a 
                State shall not exceed 10 percent of the limitation 
                with respect to such State under subsection (b)(3).
                    (B) Coordination with cybersecurity and 
                modernization grants.--The amount under subsection 
                (b)(3) for purposes of grants under subsection (b) to a 
                State shall be reduced by the amount of grants provided 
                under this subsection to election agencies within the 
                State, less any unused amount returned to the 
                Department.
    (d) Interim Grant Program for Non-Paper Equipment Replacement.--
            (1) In general.--The Commission shall award grants to 
        States designated under paragraph (2) for the purpose of 
        replacing voting systems that would not be eligible for 
        purchase under subsection (f).
            (2) Eligibility.--Not later than 60 days after the date of 
        enactment of this Act, the Commission shall develop a list of 
        States in which 10 percent or more of votes in the first 
        Federal election occurring after the date of enactment of this 
        Act are expected to be cast using voting systems that would not 
        be eligible for purchase under subsection (f), and shall submit 
        the list to the appropriate congressional committees.
            (3) Application process.--The Commission shall--
                    (A) establish an application process for States 
                designated under paragraph (2) to apply for grants 
                under this subsection; and
                    (B) consider the recommendations of the Advisory 
                Panel under section 5(c) in establishing the 
                application process; and ensure that a State applying 
                for a grant submits--
                            (i) an inventory of voting systems in the 
                        State that would not be eligible for purchase 
                        under subsection (f);
                            (ii) a plan to expeditiously replace those 
                        voting systems; and
                            (iii) a commitment to State funding for 
                        replacements that is at least equivalent to the 
                        grant amount.
            (4) Review.--The Commission--
                    (A) shall fund a State application if the 
                Commission determines that the State will likely 
                replace the voting systems that would not be eligible 
                for purchase under subsection (f); and
                    (B) in reviewing a State application, shall 
                consider the recommendations and criteria of the 
                Advisory Panel under section 5(c).
            (5) Use of funds.--A State election agency that receives 
        funds under paragraph (1) shall only use the funds to replace 
        voting systems that would not be eligible for purchase under 
        subsection (f).
            (6) Limitations; coordination with cybersecurity and 
        modernization grants.--
                    (A) Limitations.--Of the total amount authorized to 
                be appropriated under subsection (h), $186,000,000 
                shall be used for grants awarded under this subsection.
                    (B) Formula for grant amounts.--The grant amount 
                made available to each State shall be set according to 
                the proportional formula described in subsection 
                (b)(3), as applied to the list of States designated 
                under paragraph (2) and the number of votes cast in 
                those States using voting systems that would not be 
                eligible for purchase under subsection (f).
                    (C) Coordination with cybersecurity and 
                modernization grants.--If the Secretary determines that 
                no additional State will receive a grant under this 
                paragraph, the Secretary shall reallocate any amounts 
                remaining under subparagraph (A) to the cybersecurity 
                and modernization grant program under subsection (b).
            (7) Grants for local jurisdictions.--
                    (A) Eligibility.--If a State designated under 
                paragraph (2) notifies the Commission that it will not 
                apply for grants under this subsection, the Commission 
                shall award grants to election agencies within such 
                State.
                    (B) Application process.--The Commission shall 
                establish a process for election agencies that are 
                eligible under subparagraph (A) to apply for grants 
                under this subsection, consistent with the application 
                process for States established under paragraph (3).
                    (C) Review.--The Commission shall review 
                applications of election agencies under this paragraph 
                in a similar manner to the manner required for 
                applications by States under paragraph (4).
                    (D) Use of funds.--An election agency that receives 
                a grant under this subsection is subject to the use of 
                funds restrictions in paragraph (5).
                    (E) Limitation on amount of grant.--The amount of 
                funds provided to an election agency under a grant 
                under this subsection shall be equal to the amount 
                obtained by multiplying the amount available to the 
                State under paragraph (6)(B) by the quotient obtained 
                by dividing--
                            (i) the voting age population of the State 
                        (as reported in the most recent decennial 
                        census) who would cast their ballots in a 
                        Federal election using voting systems that are 
                        operated by the election agency (under current 
                        State law) and that would not be eligible for 
                        purchase under subsection (f); by
                            (ii) the voting age population of the State 
                        (as reported in the most recent decennial 
                        census) who would cast their ballots in a 
                        Federal election using voting systems that 
                        would not be eligible for purchase under 
                        subsection (f).
    (e) Financial Assistance for Auditing Expenses.--
            (1) In general.--The Commission shall award grants to 
        reimburse States that conduct statistical audits of a 
        proportionally large number of ballots in close Federal 
        elections if the statistical audit--
                    (A) is consistent with the guidelines established 
                under section 5(b); and
                    (B) includes the inspection (by hand and not by 
                device) of an amount of paper ballots in excess of 5 
                percent of the voting age population within the State 
                (in the case of national or statewide office) or 
                district covered by the election.
            (2) Applications process.--
                    (A) In general.--A State seeking a grant under this 
                subsection shall submit an application in such form and 
                manner and at such time as the Commission may require.
                    (B) Local governments.--A State election agency may 
                authorize some or all other election agencies within 
                the State to apply for grants under paragraph (1). The 
                Commission shall establish rules for the application of 
                paragraphs (3) and (4)(B) to agencies requesting grants 
                under this subparagraph.
            (3) Limitation on amount of grants.--The amount of funds 
        provided under a grant under this subsection shall be equal to 
        the cost of the statistical audit, less the cost of inspecting 
        (by hand and not by device) a number of ballots equal to 5 
        percent of--
                    (A) in the case of an election for a national or 
                statewide office, the voting age population within the 
                State; or
                    (B) in the case of an election for any other 
                office, the voting age population within the district 
                covered by the election.
            (4) Timing; distribution.--
                    (A) In general.--The Commission shall award grants 
                under this subsection on January 31, 2019, and every 2 
                years thereafter.
                    (B) Insufficient funds.--If the amount appropriated 
                for carrying out this subsection is insufficient to 
                fund the grants, the Commission shall fund such grants 
                according to the proportional formula described in 
                subsection (b)(3), as applied to the States seeking 
                grants under this subsection and the number of marked 
                paper ballots that were inspected by hand in excess of 
                5 percent of the voting age population within the State 
                (in the case of national or statewide office) or 
                district covered by the election.
            (5) Limitation.--Of the total amount authorized to be 
        appropriated under subsection (h), $5,000,000 shall be used for 
        grants under this subsection.
    (f) Prohibition on Use for Certain Voting Systems.--
            (1) In general.--Funds received under a grant under this 
        section may not be used for any voting system that records each 
        vote in electronic storage, unless the system is an optical 
        scanner that reads paper ballots.
            (2) Electronic user interfaces.--Funds received under a 
        grant under this section may be used for a voting system with 
        an electronic user interface provided that the voting system is 
        consistent with clause (i).
    (g) Contracting Assistance.--Not later than 90 days after the date 
of enactment of this Act, the Administrator of General Services, in 
consultation with the Director of the National Institute of Standards 
and Technology, shall take such actions as may be necessary through 
competitive processes--
            (1) to qualify a set of private sector entities that are 
        capable of assisting States with identifying, protecting 
        against, detecting, responding to, and recovering from election 
        cybersecurity incidents, threats, and vulnerabilities;
            (2) to establish contract vehicles to enable States to 
        access the services of 1 or more of the private sector 
        organizations after receiving amounts under a grant under this 
        section;
            (3) to ensure that the contract vehicles permit individual 
        States to augment Federal funds with funding otherwise 
        available to the States; and
            (4) to provide a list of qualified entities to the Chairman 
        and Secretary in order to ensure it is readily available to 
        State election officials.
    (h) Authorization of Appropriations.--
            (1) In general.--There is authorized to be appropriated to 
        the Commission $386,000,000 to carry out this section for 
        fiscal year 2018.
            (2) Availability.--Any amounts appropriated pursuant to 
        paragraph (1) shall remain available without fiscal year 
        limitation until expended.
            (3) Funding source.--
                    (A) Definitions.--In this paragraph--
                            (i) the terms ``agency'', ``closeout'', and 
                        ``Federal grant award'' have the meanings given 
                        those terms in section 2 of the Grants 
                        Oversight and New Efficiency Act (Public Law 
                        114-117; 130 Stat. 6); and
                            (ii) the term ``Director'' means the 
                        Director of the Office of Management and 
                        Budget.
                    (B) Closeout of expired and undisbursed federal 
                grants.--Not later than 1 year after the date of 
                enactment of this Act, the Director shall promulgate 
                procedures requiring the head of each agency to 
                promptly conduct a closeout of each Federal grant 
                award.
                    (C) Related reports.--In promulgating the 
                procedures required under subparagraph (B), the 
                Director shall consider the recommendations and data in 
                the reports required to be submitted under section 2 of 
                the Grants Oversight and New Efficiency Act (Public Law 
                114-117; 130 Stat. 6) and section 530 of the Commerce, 
                Justice, Science, and Related Agencies Appropriations 
                Act, 2016 (Public Law 114-113; 129 Stat. 2329), and 
                similar reports.
                    (D) Expiration.--The procedures required under 
                subparagraph (B) shall expire 4 years after the date on 
                which the procedures are promulgated.
    (i) Conforming Amendment.--Section 202(7) of the Help America Vote 
Act of 2002 (52 U.S.C. 20921), as amended by section 5, is amended by 
inserting ``and carrying out the grant programs under section 7 of such 
Act'' after ``Secure Elections Act''.
                                 <all>