[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4462 Introduced in House (IH)]

<DOC>






118th CONGRESS
  1st Session
                                H. R. 4462

   To direct the Secretary of Homeland Security and the Director of 
 National Intelligence to submit a joint report on foreign threats to 
elections in the United States and to establish procedures to test for 
and monitor cybersecurity vulnerabilities in certain equipment used in 
   the administration of elections for Federal office, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              July 3, 2023

   Ms. Mace introduced the following bill; which was referred to the 
Committee on House Administration, and in addition to the Committees on 
Homeland Security, and Intelligence (Permanent Select), for a period to 
      be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
   To direct the Secretary of Homeland Security and the Director of 
 National Intelligence to submit a joint report on foreign threats to 
elections in the United States and to establish procedures to test for 
and monitor cybersecurity vulnerabilities in certain equipment used in 
   the administration of elections for Federal office, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Election Security Assistance Act''.

SEC. 2. REPORTS TO CONGRESS ON FOREIGN THREATS TO ELECTIONS.

    (a) In General.--Not later than 30 days after the date of enactment 
of this Act, and 30 days after the end of each fiscal year thereafter, 
the Secretary of Homeland Security and the Director of National 
Intelligence, in coordination with the heads of the appropriate Federal 
entities, shall submit a joint report to the appropriate congressional 
committees and the chief State election official of each State on 
foreign threats to elections in the United States, including physical 
and cybersecurity threats.
    (b) Voluntary Participation by States.--The Secretary shall solicit 
and consider voluntary comments from all State election agencies. 
Participation by an election agency in the report under this section 
shall be voluntary and at the discretion of the State.
    (c) Appropriate Federal Entities.--In this section, the term 
``appropriate Federal entities'' means--
            (1) the Department of Commerce, including the National 
        Institute of Standards and Technology;
            (2) the Department of Defense;
            (3) the Department of Homeland Security, including the 
        component of the Department that reports to the Under Secretary 
        responsible for overseeing critical infrastructure protection, 
        cybersecurity, and other related programs of the Department;
            (4) the Department of Justice, including the Federal Bureau 
        of Investigation;
            (5) the Election Assistance Commission; and
            (6) the Office of the Director of National Intelligence, 
        the National Security Agency, and such other elements of the 
        intelligence community (as defined in section 3 of the National 
        Security Act of 1947 (50 U.S.C. 3003)) as the Director of 
        National Intelligence determines are appropriate.
    (d) Other Definitions.--In this section--
            (1) the term ``appropriate congressional committees'' 
        means--
                    (A) the Committee on Rules and Administration, the 
                Committee on Homeland Security and Governmental 
                Affairs, the Select Committee on Intelligence, and the 
                Committee on Foreign Relations of the Senate; and
                    (B) the Committee on House Administration, the 
                Committee on Homeland Security, the Permanent Select 
                Committee on Intelligence, and the Committee on Foreign 
                Affairs of the House of Representatives;
            (2) the term ``chief State election official'' means, with 
        respect to a State, the individual designated by the State 
        under section 10 of the National Voter Registration Act of 1993 
        (52 U.S.C. 20509) to be responsible for coordination of the 
        State's responsibilities under such Act;
            (3) the term ``election agency'' means any component of a 
        State or any component of a unit of local government of a State 
        that is responsible for administering Federal elections;
            (4) the term ``Secretary'' means the Secretary of Homeland 
        Security; and
            (5) the term ``State'' has the meaning given such term in 
        section 901 of the Help America Vote Act of 2002 (52 U.S.C. 
        21141).

SEC. 3. PROCESS TO TEST FOR AND MONITOR CYBERSECURITY VULNERABILITIES 
              IN ELECTION EQUIPMENT.

    (a) Process for Covered Voting Systems.--
            (1) In general.--The Director of the Cybersecurity and 
        Infrastructure Security Agency of the Department of Homeland 
        Security and the Election Assistance Commission (in 
        consultation with the Technical Guidelines Development 
        Committee and the Standards Board of the Commission), shall 
        jointly establish a voluntary process to test for and monitor 
        covered voting systems for cybersecurity vulnerabilities. Such 
        process shall include the following:
                    (A) Mitigation strategies and other remedies.
                    (B) Notice to the Commission and appropriate 
                entities of the results of testing conducted pursuant 
                to such process.
            (2) Implementation.--The Director shall implement the 
        process established under paragraph (1) at the request of the 
        Commission.
    (b) Labeling for Voting Systems.--The Commission (in consultation 
with the Technical Guidelines Development Committee and the Standards 
Board of the Commission), shall establish a process to provide for the 
deployment of appropriate labeling available through the website of the 
Commission to indicate that covered voting systems passed the most 
recent cybersecurity testing pursuant to the process established under 
subsection (a).
    (c) Rules of Construction.--The process established under 
subsection (a), including the results of any testing carried out 
pursuant to this section, shall not affect--
            (1) the certification status of equipment used in the 
        administration of an election for Federal office under the Help 
        America Vote Act of 2002; or
            (2) the authority of the Commission to so certify such 
        equipment under such Act.
    (d) Definition.--In this section, the term ``covered voting 
systems'' means equipment used in the administration of an election for 
Federal office that is certified in accordance with versions of 
Voluntary Voting System Guidelines under the Help America Vote Act of 
2002 under which such equipment is not required to be tested for 
cybersecurity vulnerabilities.

SEC. 4. DUTY OF SECRETARY OF HOMELAND SECURITY TO NOTIFY STATE AND 
              LOCAL OFFICIALS OF ELECTION CYBERSECURITY INCIDENTS.

    (a) Duty To Share Information With Department of Homeland 
Security.--If a Federal entity receives information about an election 
cybersecurity incident, the Federal entity shall promptly share that 
information with the Department of Homeland Security, unless the head 
of the entity (or a Senate-confirmed official designated by the head) 
makes a specific determination in writing that there is good cause to 
withhold the particular information.
    (b) Response to Receipt of Information by Secretary of Homeland 
Security.--
            (1) In general.--Upon receiving information about an 
        election cybersecurity incident under subsection (a), the 
        Secretary of Homeland Security, in consultation with the 
        Attorney General, the Director of the Federal Bureau of 
        Investigation, and the Director of National Intelligence, shall 
        promptly (but in no case later than 96 hours after receiving 
        the information) review the information and make a 
        determination whether each of the following apply:
                    (A) There is credible evidence that the incident 
                occurred.
                    (B) There is a basis to believe that the incident 
                resulted, could have resulted, or could result in voter 
                information systems or voter tabulation systems being 
                altered or otherwise affected.
            (2) Duty to notify state and local officials.--
                    (A) Duty described.--If the Secretary makes a 
                determination under paragraph (1) that subparagraphs 
                (A) and (B) of such paragraph apply with respect to an 
                election cybersecurity incident, not later than 96 
                hours after making the determination, the Secretary 
                shall provide a notification of the incident to each of 
                the following:
                            (i) The chief executive of the State 
                        involved.
                            (ii) The State election official of the 
                        State involved.
                            (iii) The local election official of the 
                        election agency involved.
                    (B) Treatment of classified information.--
                            (i) Efforts to avoid inclusion of 
                        classified information.--In preparing a 
                        notification provided under this paragraph to 
                        an individual described in clause (i), (ii), or 
                        (iii) of subparagraph (A), the Secretary shall 
                        attempt to avoid the inclusion of classified 
                        information.
                            (ii) Providing guidance to state and local 
                        officials.--To the extent that a notification 
                        provided under this paragraph to an individual 
                        described in clause (i), (ii), or (iii) of 
                        subparagraph (A) includes classified 
                        information, the Secretary (in consultation 
                        with the Attorney General and the Director of 
                        National Intelligence) shall indicate in the 
                        notification which information is classified.
            (3) Exception.--
                    (A) In general.--If the Secretary, in consultation 
                with the Attorney General and the Director of National 
                Intelligence, makes a determination that it is not 
                possible to provide a notification under paragraph (1) 
                with respect to an election cybersecurity incident 
                without compromising intelligence methods or sources or 
                interfering with an ongoing investigation, the 
                Secretary shall not provide the notification under such 
                paragraph.
                    (B) Ongoing review.--Not later than 30 days after 
                making a determination under subparagraph (A) and every 
                30 days thereafter, the Secretary shall review the 
                determination. If, after reviewing the determination, 
                the Secretary makes a revised determination that it is 
                possible to provide a notification under paragraph (2) 
                without compromising intelligence methods or sources or 
                interfering with an ongoing investigation, the 
                Secretary shall provide the notification under 
                paragraph (2) not later than 96 hours after making such 
                revised determination.
            (4) Coordination with election assistance commission.--The 
        Secretary shall make determinations and provide notifications 
        under this subsection in the same manner, and subject to the 
        same terms and conditions relating to the role of the Election 
        Assistance Commission, in which the Director of the 
        Cybersecurity and Infrastructure Security Agency of the 
        Department of Homeland Security makes determinations as to the 
        necessity of an advisory and the issuance of an advisory under 
        section 3(a) and the provision of notification under section 
        3(b).
    (c) Definitions.--In this section, the following definitions apply:
            (1) Election agency.--The term ``election agency'' means 
        any component of a State, or any component of a unit of local 
        government in a State, which is responsible for the 
        administration of elections for Federal office in the State.
            (2) Election cybersecurity incident.--The term ``election 
        cybersecurity incident'' means an occurrence that actually or 
        imminently jeopardizes, without lawful authority, the 
        integrity, confidentiality, or availability of information on 
        an information system of election infrastructure (including a 
        vote tabulation system), or actually or imminently jeopardizes, 
        without lawful authority, such an information system of 
        election infrastructure.
            (3) Federal election.--The term ``Federal election'' means 
        any election (as defined in section 301(1) of the Federal 
        Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal 
        office (as defined in section 301(3) of the Federal Election 
        Campaign Act of 1971 (52 U.S.C. 30101(3))).
            (4) Federal entity.--The term ``Federal entity'' means any 
        agency (as defined in section 551 of title 5, United States 
        Code).
            (5) Local election official.--The term ``local election 
        official'' means the chief election official of a component of 
        a unit of local government of a State that is responsible for 
        administering Federal elections.
            (6) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
            (7) State.--The term ``State'' means each of the several 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, Guam, American Samoa, the Commonwealth of Northern 
        Mariana Islands, and the United States Virgin Islands.
            (8) State election official.--The term ``State election 
        official'' means--
                    (A) the chief State election official of a State 
                designated under section 10 of the National Voter 
                Registration Act of 1993 (52 U.S.C. 20509); or
                    (B) in the case of Puerto Rico, Guam, American 
                Samoa, the Northern Mariana Islands, and the United 
                States Virgin Islands, a chief State election official 
                designated by the State for purposes of this Act.
    (d) Effective Date.--This section shall apply with respect to 
information about an election cybersecurity incident which is received 
on or after the date of the enactment of this Act.

SEC. 5. RULE OF CONSTRUCTION.

    Nothing in this Act may be construed as authorizing the Secretary 
of Homeland Security to carry out the administration of an election for 
Federal office.
                                 <all>