[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 1808 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 1808

      To require the Secretary of State to design and establish a 
    Vulnerability Disclosure Process to improve Department of State 
     cybersecurity and a bug bounty program to identify and report 
   vulnerabilities of Internet-facing information technology of the 
              Department of State, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 12, 2019

Mr. Gardner (for himself and Mr. Markey) introduced the following bill; 
which was read twice and referred to the Committee on Foreign Relations

_______________________________________________________________________

                                 A BILL


 
      To require the Secretary of State to design and establish a 
    Vulnerability Disclosure Process to improve Department of State 
     cybersecurity and a bug bounty program to identify and report 
   vulnerabilities of Internet-facing information technology of the 
              Department of State, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Hack Your State Department Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which an approved individual, 
        organization, or company is temporarily authorized to identify 
        and report vulnerabilities of Internet-facing information 
        technology of the Department in exchange for compensation.
            (2) Department.--The term ``Department'' means the 
        Department of State.
            (3) Information technology.--The term ``information 
        technology'' has the meaning given such term in section 11101 
        of title 40, United States Code.
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of State.
            (5) VDP.--The term ``VDP'' means the Vulnerability 
        Disclosure Process established pursuant to section 3.

SEC. 3. DEPARTMENT OF STATE VULNERABILITY DISCLOSURE PROCESS.

    (a) In General.--Not later than 180 days after the date of the 
enactment of this Act, the Secretary shall design, establish, and make 
publicly known a Vulnerability Disclosure Process to improve 
cybersecurity within the Department by--
            (1) providing security researchers with clear guidelines 
        for--
                    (A) conducting vulnerability discovery activities 
                directed at Department information technology; and
                    (B) submitting discovered security vulnerabilities 
                to the Department; and
            (2) creating Department procedures and infrastructure to 
        receive and fix discovered vulnerabilities.
    (b) Requirements.--In establishing VDP pursuant to subsection (a), 
the Secretary shall--
            (1) identify which Department information technology should 
        be included in the process;
            (2) determine whether the process should differentiate 
        among and specify the types of security vulnerabilities that 
        may be targeted;
            (3) provide a readily available means of reporting 
        discovered security vulnerabilities and the form in which such 
        vulnerabilities should be reported;
            (4) identify which Department offices and positions will be 
        responsible for receiving, prioritizing, and addressing 
        security vulnerability disclosure reports;
            (5) consult with the Attorney General regarding how to 
        ensure that individuals, organizations, and companies that 
        comply with the VDP requirements are protected from prosecution 
        under section 1030 of title 18, United States Code, and similar 
        provisions of law for specific activities authorized under VDP;
            (6) consult with the relevant offices at the Department of 
        Defense that were responsible for launching the 2016 
        Vulnerability Disclosure Program, ``Hack the Pentagon'', and 
        subsequent Department of Defense bug bounty programs;
            (7) engage qualified interested persons, including 
        nongovernmental sector representatives, about the structure of 
        VDP, as constructive and to the extent practicable; and
            (8) award contracts to entities, as necessary, to manage 
        VDP and implement the remediation of discovered security 
        vulnerabilities.
    (c) Annual Reports.--Not later than 180 days after the 
establishment of VDP under subsection (a) and annually thereafter for 
the following 6 years, the Secretary shall submit a report to the 
Committee on Foreign Relations of the Senate and the Committee on 
Foreign Affairs of the House of Representatives regarding the 
establishment of VDP, including information relating to--
            (1) the number and severity, in accordance with the 
        National Vulnerabilities Database of the National Institute of 
        Standards and Technology, of security vulnerabilities reported 
        through VDP;
            (2) the number of previously unidentified security 
        vulnerabilities remediated as a result of such reporting;
            (3) the current number of outstanding previously 
        unidentified security vulnerabilities and the Department's 
        remediation plans to address such vulnerabilities;
            (4) the average period between the reporting of security 
        vulnerabilities and the remediation of such vulnerabilities;
            (5) the resources, surge staffing, roles, and 
        responsibilities within the Department used to implement VDP 
        and complete the necessary security vulnerability remediation; 
        and
            (6) any other information that the Secretary determines to 
        be relevant.

SEC. 4. DEPARTMENT OF STATE BUG BOUNTY PILOT PROGRAM.

    (a) Establishment of Pilot Program.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, the Secretary shall establish a Bug 
        Bounty Pilot Program to minimize security vulnerabilities of 
        Internet-facing information technology of the Department.
            (2) Requirements.--In establishing the pilot program under 
        paragraph (1), the Secretary shall--
                    (A) provide compensation for reports of previously 
                unidentified security vulnerabilities within the 
                websites, applications, and other Internet-facing 
                information technology of the Department that are 
                accessible to the public;
                    (B) award contracts to entities, as necessary, to 
                manage the pilot program and for executing the 
                remediation of security vulnerabilities identified 
                pursuant to subparagraph (A);
                    (C) identify which Department information 
                technology should be included in the pilot program;
                    (D) consult with the Attorney General on how to 
                ensure that individuals, organizations, or companies 
                that comply with the requirements of the pilot program 
                are protected from prosecution under section 1030 of 
                title 18, United States Code, and similar provisions of 
                law for specific activities authorized under the pilot 
                program;
                    (E) consult with the relevant offices at the 
                Department of Defense that were responsible for 
                launching the 2016 ``Hack the Pentagon'' pilot program 
                and subsequent Department of Defense bug bounty 
                programs;
                    (F) develop a process by which an approved 
                individual, organization, or company can--
                            (i) register with entities referred to in 
                        subparagraph (B);
                            (ii) submit to a background check, as 
                        determined by the Department; and
                            (iii) receive a determination as to 
                        eligibility for participation in the pilot 
                        program;
                    (G) engage qualified interested persons, including 
                nongovernmental sector representatives, about the 
                structure of the pilot program, as constructive and to 
                the extent practicable; and
                    (H) consult with relevant United States Government 
                officials to ensure that the pilot program complements 
                persistent network and vulnerability scans of the 
                Department's Internet-accessible systems, such as the 
                scans conducted pursuant to Binding Operational 
                Directive 15-01, issued by the Secretary of Homeland 
                Security on May 21, 2015.
            (3) Duration.--The pilot program established under 
        paragraph (1) should be terminated not later than 1 year after 
        the date on which it is established.
    (b) Report.--Not later than 180 days after the completion of the 
Bug Bounty Pilot Program under subsection (a), the Secretary shall 
submit a report to the Committee on Foreign Relations of the Senate and 
the Committee on Foreign Affairs of the House of Representatives that 
describes the pilot program, including information regarding--
            (1) the number of approved individuals, organizations, or 
        companies involved in the pilot program, broken down by--
                    (A) the number of approved individuals, 
                organizations, or companies that registered for the 
                pilot program;
                    (B) the number of such entities that were approved 
                to participate in the pilot program;
                    (C) the number of such entities that submitted 
                security vulnerabilities under the pilot program; and
                    (D) the number of such entities that received 
                compensation under the pilot program;
            (2) the number and severity, in accordance with the 
        National Vulnerabilities Database of the National Institute of 
        Standards and Technology, of security vulnerabilities reported 
        under the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the current number of outstanding previously 
        unidentified security vulnerabilities and the Department's 
        plans for remediating such vulnerabilities;
            (5) the average period between the reporting of security 
        vulnerabilities and the remediation of such vulnerabilities;
            (6) the types of compensation provided under the pilot 
        program; and
            (7) the lessons learned from the pilot program.