[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5358 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 5358

 To direct the Secretary of Homeland Security to establish an election 
  research program to test the security of election systems, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 24, 2021

  Mr. Bacon introduced the following bill; which was referred to the 
Committee on House Administration, and in addition to the Committee on 
 Homeland Security, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To direct the Secretary of Homeland Security to establish an election 
  research program to test the security of election systems, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. ELECTION RESEARCH PROGRAM.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new section:

``SEC. 2218. ELECTION RESEARCH PROGRAM.

    ``(a) Establishment of Election Research Program.--
            ``(1) In general.--Not later than 180 days after the date 
        of the enactment of this section, the Secretary, in 
        coordination with the heads of election service providers, 
        shall establish and administer an election research program to 
        test each election system provided by each election service 
        provider (under fair, reasonable, and nondiscriminatory terms) 
        on behalf of an election agency to identify potentially 
        vulnerable information.
            ``(2) Testing.--In carrying out the program required under 
        paragraph (1), qualified independent security researchers shall 
        apply the methodology developed pursuant to paragraph (3) to 
        each election system provided pursuant to paragraph (1) to 
        identify potentially vulnerable information.
            ``(3) Methodology.--The Secretary, in consultation with the 
        Director, shall develop a methodology to be used by independent 
        security researchers to test each election system provided by 
        each election solution provider to identify potentially 
        vulnerable information.
            ``(4) Qualifications for qualified independent 
        researcher.--The Secretary, in consultation with the Director 
        of the Cybersecurity and Infrastructure Security Agency, shall 
        establish the qualifications for the independent security 
        researchers referred to in subsection paragraph (3).
    ``(b) Coordinated Vulnerability Disclosure Guidelines.--Not later 
than 180 days after the date of the enactment of this section, the 
Secretary, in consultation with the Commissioners of the Election 
Assistance Commission, cybersecurity researchers, and covered industry 
experts, shall establish policies and procedures for the processing and 
resolution of potentially vulnerable information relating to an 
election system, to the extent practicable, aligned with Standards 
29147 and 30111 of the International Standards Organization, 
including--
            ``(1) processes for an election service provider to--
                    ``(A) receive information relating to potentially 
                vulnerable information relating to an election system; 
                and
                    ``(B) disseminate resolution information relating 
                to potentially vulnerable information relating to an 
                election system; and
            ``(2) guidance, such as the Guide to Vulnerability 
        Reporting for America's Election Administrators, with respect 
        to the information items to be produced through the 
        implementation of the vulnerability disclosure process of the 
        election service provider.
    ``(c) Definitions.--In this section:
            ``(1) Covered field.--The term `covered field' means 
        computer science, engineering, information science, information 
        systems management, mathematics, operations research, 
        statistics, or technology management.
            ``(2) Covered industry expert.--The term `covered industry 
        expert' means an individual who has--
                    ``(A) successfully completed 2 full years of 
                progressively higher level graduate education leading 
                to a Master's or equivalent graduate degree from an 
                accredited institution of higher education (given the 
                meaning of such term in section 101 of the Higher 
                Education Act of 1965 (20 U.S.C. 1001)) in a covered 
                field; or
                    ``(B) a degree that requires at least 24 semester 
                hours in a covered field required the development or 
                adaptation of applications, systems or networks.
            ``(3) Director.--The term `Director' means the Director of 
        the National Institute of Standards and Technology.
            ``(4) Election agency.--The term `election agency' means 
        the Federal Election Commission.
            ``(5) Election service provider.--The term `covered 
        election service provider' means a private sector entity which 
        develops, manufactures, sells, and/or implements and maintains 
        technology that enables the administration of elections. 
        Including but not limited to, voting systems, electronic 
        pollbooks, election management systems, and voter registration 
        systems.
            ``(6) Election system.--The term `election system' means--
                    ``(A) the total combination of mechanical, 
                electromechanical, or electronic equipment (including 
                the software, firmware, and documentation required to 
                program, control, and support the equipment) that is 
                used to--
                            ``(i) define ballots;
                            ``(ii) cast and count votes;
                            ``(iii) report or display election results; 
                        and
                            ``(iv) maintain and produce any audit trail 
                        information; and
                    ``(B) the practices and associated documentation 
                used to--
                            ``(i) identify system components and 
                        versions of such components;
                            ``(ii) test the system during its 
                        development and maintenance;
                            ``(iii) maintain records of system errors 
                        and defects;
                            ``(iv) determine specific system changes to 
                        be made to a system after the initial 
                        qualification of the system; and
                            ``(v) make available any materials to the 
                        voter (such as notices, instructions, forms, or 
                        paper ballots).
            ``(7) Potentially vulnerable information.--The term 
        `potential vulnerability information' means a flaw in code or 
        design that creates a potential point of security compromise 
        for an endpoint or network.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 2217 the following new item:

``2218. Election research program.''.