[Congressional Record Volume 164, Number 62 (Tuesday, April 17, 2018)]
[Senate]
[Pages S2223-S2225]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




          HACK THE DEPARTMENT OF HOMELAND SECURITY ACT OF 2017

  Mr. McCONNELL. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 335, S. 1281.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The bill clerk read as follows:

       A bill (S. 1281) to establish a bug bounty pilot program 
     within the Department of Homeland Security, and for other 
     purposes.


  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Homeland Security and 
Governmental Affairs, with an amendment to strike all after the 
enacting clause and insert in lieu thereof the following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Hack the Department of 
     Homeland Security Act of 2017'' or the ``Hack DHS Act''.

     SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT 
                   PROGRAM.

       (a) Definitions.--In this section:
       (1) Bug bounty program.--The term ``bug bounty program'' 
     means a program under which an approved individual, 
     organization, or company is temporarily authorized to 
     identify and report vulnerabilities of Internet-facing 
     information technology of the Department in exchange for 
     compensation.
       (2) Department.--The term ``Department'' means the 
     Department of Homeland Security.
       (3) Information technology.--The term ``information 
     technology'' has the meaning given the term in section 11101 
     of title 40, United States Code.
       (4) Pilot program.--The term ``pilot program'' means the 
     bug bounty pilot program required to be established under 
     subsection (b)(1).
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (b) Establishment of Pilot Program.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary shall establish, within 
     the Office of the Chief Information Officer, a bug bounty 
     pilot program to minimize vulnerabilities of Internet-facing 
     information technology of the Department.
       (2) Requirements.--In establishing the pilot program, the 
     Secretary shall--
       (A) provide compensation for reports of previously 
     unidentified security vulnerabilities within the websites, 
     applications, and other Internet-facing information 
     technology of the Department that are accessible to the 
     public;
       (B) award a competitive contract to an entity, as 
     necessary, to manage the pilot program and for executing the 
     remediation of vulnerabilities identified as a consequence of 
     the pilot program;
       (C) designate mission-critical operations within the 
     Department that should be excluded from the pilot program;
       (D) consult with the Attorney General on how to ensure that 
     approved individuals, organizations, or companies that comply 
     with the requirements of the pilot program are protected from 
     prosecution under section 1030 of title 18, United States 
     Code, and similar provisions of law for specific activities 
     authorized under the pilot program;
       (E) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 ``Hack 
     the Pentagon'' pilot program and subsequent Department of 
     Defense bug bounty programs;
       (F) develop an expeditious process by which an approved 
     individual, organization, or company can register with the 
     entity described in subparagraph (B), submit to a background 
     check as determined by the Department, and receive a 
     determination as to eligibility for participation in the 
     pilot program; and
       (G) engage qualified interested persons, including non-
     government sector representatives, about the structure of the 
     pilot program as constructive and to the extent practicable.
       (c) Report.--Not later than 90 days after the date on which 
     the pilot program is completed, the Secretary of Homeland 
     Security shall submit to the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives a report on 
     the pilot program, which shall include--
       (1) the number of approved individuals, organizations, or 
     companies involved in the pilot program, broken down by the 
     number of approved individuals, organizations, or companies 
     that--
       (A) registered;
       (B) were approved;
       (C) submitted security vulnerabilities; and
       (D) received compensation;
       (2) the number and severity of vulnerabilities reported as 
     part of the pilot program;
       (3) the number of previously unidentified security 
     vulnerabilities remediated as a result of the pilot program;
       (4) the current number of outstanding previously 
     unidentified security vulnerabilities and Department 
     remediation plans;
       (5) the average length of time between the reporting of 
     security vulnerabilities and remediation of the 
     vulnerabilities;
       (6) the types of compensation provided under the pilot 
     program; and
       (7) the lessons learned from the pilot program.
       (d) Authorization of Appropriations.--There are authorized 
     to be appropriated to the Department $250,000 for fiscal year 
     2018 to carry out this Act.
  Mr. McCONNELL. Mr. President, I ask unanimous consent that the Hassan 
amendment be considered and agreed to, the committee-reported 
substitute amendment, as amended, be agreed to, and the bill, as 
amended, be considered read a third time.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The amendment (No. 2238) was agreed to, as follows:

                     (Purpose: To improve the bill)

       On page 8, line 21, strike ``90 days'' and insert ``180 
     days''.

  The committee-reported amendment in the nature of a substitute, as 
amended, was agreed to.
  The bill was ordered to be engrossed for a third reading and was read 
the third time.
  Mr. McCONNELL. Mr. President, I know of no further debate on the 
bill.
  The PRESIDING OFFICER. If there is no further debate, the bill having 
been read the third time, the question is, Shall the bill pass?
  The bill (S. 1281), as amended, was passed, as follows:

                                S. 1281

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Hack the Department of 
     Homeland Security Act of 2017'' or the ``Hack DHS Act''.

     SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT 
                   PROGRAM.

       (a) Definitions.--In this section:
       (1) Bug bounty program.--The term ``bug bounty program'' 
     means a program under which an approved individual, 
     organization, or company is temporarily authorized to 
     identify and report vulnerabilities of Internet-facing 
     information technology of the Department in exchange for 
     compensation.
       (2) Department.--The term ``Department'' means the 
     Department of Homeland Security.
       (3) Information technology.--The term ``information 
     technology'' has the meaning given the term in section 11101 
     of title 40, United States Code.
       (4) Pilot program.--The term ``pilot program'' means the 
     bug bounty pilot program required to be established under 
     subsection (b)(1).
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (b) Establishment of Pilot Program.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary shall establish, within 
     the Office of the Chief Information Officer, a bug bounty 
     pilot program to minimize vulnerabilities of Internet-facing 
     information technology of the Department.
       (2) Requirements.--In establishing the pilot program, the 
     Secretary shall--
       (A) provide compensation for reports of previously 
     unidentified security vulnerabilities within the websites, 
     applications, and other Internet-facing information 
     technology of the Department that are accessible to the 
     public;
       (B) award a competitive contract to an entity, as 
     necessary, to manage the pilot program and for executing the 
     remediation of vulnerabilities identified as a consequence of 
     the pilot program;
       (C) designate mission-critical operations within the 
     Department that should be excluded from the pilot program;
       (D) consult with the Attorney General on how to ensure that 
     approved individuals, organizations, or companies that comply 
     with the requirements of the pilot program are protected from 
     prosecution under section 1030 of title 18, United States 
     Code, and similar provisions of law for specific activities 
     authorized under the pilot program;
       (E) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 ``Hack 
     the Pentagon'' pilot program and subsequent Department of 
     Defense bug bounty programs;
       (F) develop an expeditious process by which an approved 
     individual, organization, or company can register with the 
     entity described in subparagraph (B), submit to a background 
     check as determined by the Department, and receive a 
     determination as to eligibility for participation in the 
     pilot program; and
       (G) engage qualified interested persons, including non-
     government sector representatives, about the structure of the 
     pilot program as constructive and to the extent practicable.
       (c) Report.--Not later than 180 days after the date on 
     which the pilot program is completed, the Secretary of 
     Homeland Security shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives a report on the pilot program, which shall 
     include--
       (1) the number of approved individuals, organizations, or 
     companies involved in the pilot program, broken down by the 
     number of approved individuals, organizations, or companies 
     that--
       (A) registered;
       (B) were approved;
       (C) submitted security vulnerabilities; and
       (D) received compensation;
       (2) the number and severity of vulnerabilities reported as 
     part of the pilot program;
       (3) the number of previously unidentified security 
     vulnerabilities remediated as a result of the pilot program;
       (4) the current number of outstanding previously 
     unidentified security vulnerabilities and Department 
     remediation plans;
       (5) the average length of time between the reporting of 
     security vulnerabilities and remediation of the 
     vulnerabilities;
       (6) the types of compensation provided under the pilot 
     program; and
       (7) the lessons learned from the pilot program.
       (d) Authorization of Appropriations.--There are authorized 
     to be appropriated to the Department $250,000 for fiscal year 
     2018 to carry out this Act.

  Mr. McCONNELL. Mr. President, I ask unanimous consent that the motion 
to reconsider be considered made and laid upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
