[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6106 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 6106

 To create a risk framework to evaluate foreign mobile applications of 
                    concern, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 26, 2023

   Ms. Sherrill (for herself, Mr. Bergman, Mr. Krishnamoorthi, Mrs. 
Hinson, Mr. Newhouse, Mr. Garamendi, Mr. Crow, Mr. Finstad, Mr. Carson, 
 and Ms. Tokuda) introduced the following bill; which was referred to 
                    the Committee on Armed Services

_______________________________________________________________________

                                 A BILL


 
 To create a risk framework to evaluate foreign mobile applications of 
                    concern, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Bolstering America's Defenses 
Against Potentially Perilous Software Act'' or the ``BAD APPS Act''.

SEC. 2. RISK FRAMEWORK FOR FOREIGN MOBILE APPLICATIONS OF CONCERN.

    (a) In General.--The Secretary of Defense shall--
            (1) create categorical definitions of foreign mobile 
        applications of concern with respect to personnel or operations 
        of the Department of Defense, distinguishing among categories 
        such as applications for shopping, social media, entertainment, 
        or health; and
            (2) create a risk framework with respect to Department 
        personnel or operations that assesses each foreign mobile 
        application (or, if appropriate, grouping of similar such 
        applications) that is from a country of concern for any 
        potential impact on Departmental personnel and Departmental 
        operations, incorporating considerations of--
                    (A) the manner and extent of data collection by the 
                application;
                    (B) the ability of the application to influence the 
                user with the applications content to the detriment of 
                the United States;
                    (C) the manner and extent of foreign ownership or 
                control of the application or data collected by the 
                application;
                    (D) any foreign government interests associated 
                with the applications;
                    (E) a software bill of materials with a focus on 
                known or assessed malicious software embedded in the 
                application, including in prior versions of the 
                application or in other applications created by the 
                owners of such application;
                    (F) any known impact from prior use of the 
                application to Department personnel or operations; and
                    (G) the foreign mobile application of concern 
                residing on a United States Government device or a 
                personally owned device while in proximity to 
                Department operations or activities or in the personal 
                custody of personnel during Department sanctioned 
                activities.
    (b) Considerations.--In developing the categorical definitions and 
risk framework described in subsection (a), the Secretary of Defense--
            (1) shall include in the risk framework foreign mobile 
        applications of concern--
                    (A) from countries that the Secretary determines to 
                be engaged in consistent, unauthorized conduct that is 
                detrimental to the national security or foreign policy 
                of the United States;
                    (B) that are accessible to be downloaded from major 
                mobile device application marketplaces by Department 
                personnel; and
                    (C) originating from, authored in, owned by, or 
                otherwise associated with countries or entities that 
                are designated on the list maintained and set forth in 
                Supplement No. 4 to part 744 of the Export 
                Administration Regulations;
            (2) may include additional countries or individual foreign 
        mobile applications with malicious and banned capabilities from 
        other countries to the extent the Secretary determines 
        appropriate; and
            (3) shall consider distinguishing within the risk framework 
        the particular interests of a country described in paragraph 
        (1) or (2) in the use of a foreign mobile application of 
        concern of such country (regardless of device or owner) by--
                    (A) users located at facilities of the Department 
                of Defense of varying levels of sensitivity;
                    (B) users conducting authorized operations or 
                movements of Department of Defense materiel; or
                    (C) specific civilian employees of the Department 
                or contractors whom the Secretary determines likely to 
                be a target of a foreign actor.
    (c) Guidance and Updates.--The Secretary of Defense shall--
            (1) issue guidance to all Department personnel 
        incorporating the categories of foreign mobile applications of 
        concern and advising how to mitigate the risks identified by 
        the risk framework with respect to such applications;
            (2) routinely update the categorical definitions and risk 
        framework promulgated pursuant to subsection (a), at least on 
        an annual basis; and
            (3) prescribe, if feasible, regulations that appropriately 
        mitigate risks from applications on devices provided by the 
        Department of Defense or on any device used during an activity 
        described in subsection (b)(3)(B) or at locations described 
        under (b)(3)(A).