117 HR 5358 IH: To direct the Secretary of Homeland Security to establish an election research program to test the security of election systems, and for other purposes. U.S. House of Representatives 2021-09-24 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
I117th CONGRESS1st SessionH. R. 5358IN THE HOUSE OF REPRESENTATIVESSeptember 24, 2021Mr. Bacon introduced the following bill; which was referred to the Committee on House Administration, and in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concernedA BILLTo direct the Secretary of Homeland Security to establish an election research program to test the security of election systems, and for other purposes.
1.
Election research program
(a)
In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following new section:
2218.
Election research program
(a)
Establishment of election research program
(1)
In general
Not later than 180 days after the date of the enactment of this section, the Secretary, in coordination with the heads of election service providers, shall establish and administer an election research program to test each election system provided by each election service provider (under fair, reasonable, and nondiscriminatory terms) on behalf of an election agency to identify potentially vulnerable information.(2)
Testing
In carrying out the program required under paragraph (1), qualified independent security researchers shall apply the methodology developed pursuant to paragraph (3) to each election system provided pursuant to paragraph (1) to identify potentially vulnerable information. (3)
Methodology
The Secretary, in consultation with the Director, shall develop a methodology to be used by independent security researchers to test each election system provided by each election solution provider to identify potentially vulnerable information. (4)
Qualifications for qualified independent researcher
The Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall establish the qualifications for the independent security researchers referred to in subsection paragraph (3).(b)
Coordinated vulnerability disclosure guidelines
Not later than 180 days after the date of the enactment of this section, the Secretary, in consultation with the Commissioners of the Election Assistance Commission, cybersecurity researchers, and covered industry experts, shall establish policies and procedures for the processing and resolution of potentially vulnerable information relating to an election system, to the extent practicable, aligned with Standards 29147 and 30111 of the International Standards Organization, including—(1)processes for an election service provider to—(A)receive information relating to potentially vulnerable information relating to an election system; and(B)disseminate resolution information relating to potentially vulnerable information relating to an election system; and(2)guidance, such as the Guide to Vulnerability Reporting for America’s Election Administrators, with respect to the information items to be produced through the implementation of the vulnerability disclosure process of the election service provider.(c)
Definitions
In this section:(1)
Covered field
The term covered field means computer science, engineering, information science, information systems management, mathematics, operations research, statistics, or technology management.(2)
Covered industry expert
The term covered industry expert means an individual who has—(A)successfully completed 2 full years of progressively higher level graduate education leading to a Master's or equivalent graduate degree from an accredited institution of higher education (given the meaning of such term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001)) in a covered field; or (B)a degree that requires at least 24 semester hours in a covered field required the development or adaptation of applications, systems or networks.(3)
Director
The term Director means the Director of the National Institute of Standards and Technology.(4)
Election agency
The term election agency means the Federal Election Commission.(5)
Election service provider
The term covered election service provider means a private sector entity which develops, manufactures, sells, and/or implements and maintains technology that enables the administration of elections. Including but not limited to, voting systems, electronic pollbooks, election management systems, and voter registration systems.(6)
Election system
The term election system means—(A)the total combination of mechanical, electromechanical, or electronic equipment (including the software, firmware, and documentation required to program, control, and support the equipment) that is used to—(i)define ballots;(ii)cast and count votes;(iii)report or display election results; and(iv)maintain and produce any audit trail information; and(B)the practices and associated documentation used to—(i)identify system components and versions of such components;(ii)test the system during its development and maintenance;(iii)maintain records of system errors and defects;(iv)determine specific system changes to be made to a system after the initial qualification of the system; and(v)make available any materials to the voter (such as notices, instructions, forms, or paper ballots).(7)
Potentially vulnerable information
The term potential vulnerability information means a flaw in code or design that creates a potential point of security compromise for an endpoint or network.
.(b)
Clerical amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 2217 the following new item:2218. Election research program..