[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1500 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 1500

  To amend the Help America Vote Act of 2002 to require the Election 
Assistance Commission to provide for the conduct of penetration testing 
   as part of the testing and certification of voting systems and to 
 provide for the establishment of an Independent Security Testing and 
    Coordinated Vulnerability Disclosure Pilot Program for Election 
                                Systems.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 9, 2023

Mr. Warner (for himself and Ms. Collins) introduced the following bill; 
    which was read twice and referred to the Committee on Rules and 
                             Administration

_______________________________________________________________________

                                 A BILL


 
  To amend the Help America Vote Act of 2002 to require the Election 
Assistance Commission to provide for the conduct of penetration testing 
   as part of the testing and certification of voting systems and to 
 provide for the establishment of an Independent Security Testing and 
    Coordinated Vulnerability Disclosure Pilot Program for Election 
                                Systems.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening Election Cybersecurity 
to Uphold Respect for Elections through Independent Testing Act'' or 
the ``SECURE IT Act''.

SEC. 2. REQUIRING PENETRATION TESTING AS PART OF THE TESTING AND 
              CERTIFICATION OF VOTING SYSTEMS.

    Section 231 of the Help America Vote Act of 2002 (52 U.S.C. 20971) 
is amended by adding at the end the following new subsection:
    ``(e) Required Penetration Testing.--
            ``(1) In general.--Not later than 180 days after the date 
        of the enactment of this subsection, the Commission shall 
        provide for the conduct of penetration testing as part of the 
        testing, certification, decertification, and recertification of 
        voting system hardware and software by accredited laboratories 
        under this section.
            ``(2) Accreditation.--The Director of the National 
        Institute of Standards and Technology shall recommend to the 
        Commission entities the Director proposes be accredited to 
        carry out penetration testing under this subsection and certify 
        compliance with the penetration testing-related guidelines 
        required by this subsection. The Commission shall vote on the 
        accreditation of any entity recommended. The requirements for 
        such accreditation shall be a subset of the requirements for 
        accreditation of laboratories under subsection (b) and shall 
        only be based on consideration of an entity's competence to 
        conduct penetration testing under this subsection.''.

SEC. 3. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY 
              VULNERABILITY DISCLOSURE PROGRAM FOR ELECTION SYSTEMS.

    (a) In General.--Subtitle D of title II of the Help America Vote 
Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end 
the following new part:

 ``PART 7--INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY 
      VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION SYSTEMS

``SEC. 297. INDEPENDENT SECURITY TESTING AND COORDINATED CYBERSECURITY 
              VULNERABILITY DISCLOSURE PILOT PROGRAM FOR ELECTION 
              SYSTEMS.

    ``(a) In General.--
            ``(1) Establishment.--The Commission, in consultation with 
        the Secretary, shall establish an Independent Security Testing 
        and Coordinated Vulnerability Disclosure Pilot Program for 
        Election Systems (VDP-E) (in this section referred to as the 
        `program') in order to test for and disclose cybersecurity 
        vulnerabilities in election systems.
            ``(2) Duration.--The program shall be conducted for a 
        period of 5 years.
            ``(3) Requirements.--In carrying out the program, the 
        Commission, in consultation with the Secretary, shall--
                    ``(A) establish a mechanism by which an election 
                systems vendor may make their election system 
                (including voting machines and source code) available 
                to cybersecurity researchers participating in the 
                program;
                    ``(B) provide for the vetting of cybersecurity 
                researchers prior to their participation in the 
                program, including the conduct of background checks;
                    ``(C) establish terms of participation that--
                            ``(i) describe the scope of testing 
                        permitted under the program;
                            ``(ii) require researchers to--
                                    ``(I) notify the vendor, the 
                                Commission, and the Secretary of any 
                                cybersecurity vulnerability they 
                                identify with respect to an election 
                                system; and
                                    ``(II) otherwise keep such 
                                vulnerability confidential for 180 days 
                                after such notification;
                            ``(iii) require the good faith 
                        participation of all participants in the 
                        program; and
                            ``(iv) require an election system vendor, 
                        after receiving notification of a critical or 
                        high vulnerability (as defined by the National 
                        Institute of Standards and Technology) in an 
                        election system of the vendor, to--
                                    ``(I) send a patch or propound some 
                                other fix or mitigation for such 
                                vulnerability to the appropriate State 
                                and local election officials, in 
                                consultation with the researcher who 
                                discovered it; and
                                    ``(II) notify the Commission and 
                                the Secretary that such patch has been 
                                sent to such officials;
                    ``(D) in the case where a patch or fix to address a 
                vulnerability disclosed under subparagraph (C)(ii)(I) 
                is intended to be applied to a system certified by the 
                Commission, provide--
                            ``(i) for the expedited review of such 
                        patch or fix within 90 days after receipt by 
                        the Commission; and
                            ``(ii) if such review is not completed by 
                        the last day of such 90 day period, that such 
                        patch or fix shall be deemed to be certified by 
                        the Commission; and
                    ``(E) 180 days after the disclosure of a 
                vulnerability under subparagraph (C)(ii)(I), notify the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency of the vulnerability for inclusion in 
                the database of Common Vulnerabilities and Exposures.
            ``(4) Voluntary participation; safe harbor.--
                    ``(A) Voluntary participation.--Participation in 
                the program shall be voluntary for election systems 
                vendors and researchers.
                    ``(B) Safe harbor.--When conducting research under 
                this program, such research and subsequent publication 
                shall be considered to be:
                            ``(i) Authorized in accordance with section 
                        1030 of title 18, United States Code (commonly 
                        known as the `Computer Fraud and Abuse Act'), 
                        (and similar State laws), and the election 
                        system vendor will not initiate or support 
                        legal action against the researcher for 
                        accidental, good faith violations of the 
                        program.
                            ``(ii) Exempt from the anti-circumvention 
                        rule of section 1201 of title 17, United States 
                        Code (commonly known as the `Digital Millennium 
                        Copyright Act'), and the election system vendor 
                        will not bring a claim against a researcher for 
                        circumvention of technology controls.
                    ``(C) Rule of construction.--Nothing in this 
                paragraph may be construed to limit or otherwise affect 
                any exception to the general prohibition against the 
                circumvention of technological measures under 
                subparagraph (A) of section 1201(a)(1) of title 17, 
                United States Code, including with respect to any use 
                that is excepted from that general prohibition by the 
                Librarian of Congress under subparagraphs (B) through 
                (D) of such section 1201(a)(1).
            ``(5) Exempt from disclosure.--Cybersecurity 
        vulnerabilities discovered under the program shall be exempt 
        from section 552 of title 5, United States Code (commonly 
        referred to as the Freedom of Information Act).
            ``(6) Definitions.--In this subsection:
                    ``(A) Cybersecurity vulnerability.--The term 
                `cybersecurity vulnerability' means, with respect to an 
                election system, any security vulnerability that 
                affects the election system.
                    ``(B) Election infrastructure.--The term `election 
                infrastructure' means--
                            ``(i) storage facilities, polling places, 
                        and centralized vote tabulation locations used 
                        to support the administration of elections for 
                        public office; and
                            ``(ii) related information and 
                        communications technology, including--
                                    ``(I) voter registration databases;
                                    ``(II) election management systems;
                                    ``(III) voting machines;
                                    ``(IV) electronic mail and other 
                                communications systems (including 
                                electronic mail and other systems of 
                                vendors who have entered into contracts 
                                with election agencies to support the 
                                administration of elections, manage the 
                                election process, and report and 
                                display election results); and
                                    ``(V) other systems used to manage 
                                the election process and to report and 
                                display election results on behalf of 
                                an election agency.
                    ``(C) Election system.--The term `election system' 
                means any information system that is part of an 
                election infrastructure, including any related 
                information and communications technology described in 
                subparagraph (B)(ii).
                    ``(D) Election system vendor.--The term `election 
                system vendor' means any person providing, supporting, 
                or maintaining an election system on behalf of a State 
                or local election official.
                    ``(E) Information system.--The term `information 
                system' has the meaning given the term in section 3502 
                of title 44, United States Code.
                    ``(F) Secretary.--The term `Secretary' means the 
                Secretary of Homeland Security.
                    ``(G) Security vulnerability.--The term `security 
                vulnerability' has the meaning given the term in 
                section 102 of the Cybersecurity Information Sharing 
                Act of 2015 (6 U.S.C. 1501).''.
    (b) Clerical Amendment.--The table of contents of such Act is 
amended by adding at the end of the items relating to subtitle D of 
title II the following:

 ``PART 7--Independent Security Testing and Coordinated Cybersecurity 
         Vulnerability Disclosure Program for Election Systems

``Sec. 297. Independent security testing and coordinated cybersecurity 
                            vulnerability disclosure program for 
                            election systems.''.