[House Report 115-283]
[From the U.S. Government Publishing Office]


115th Congress   }                                     {        Report
                        HOUSE OF REPRESENTATIVES
 1st Session     }                                     {       115-283

======================================================================



 
              CYBER VULNERABILITY DISCLOSURE REPORTING ACT

                                _______
                                

 September 1, 2017.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 3202]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3202) to require the Secretary of Homeland 
Security to submit a report on cyber vulnerability disclosures, 
and for other purposes, having considered the same, reports 
favorably thereon without amendment and recommends that the 
bill do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

                          Purpose and Summary

    The Secretary of Homeland Security is directed to provide a 
report to the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and 
Governmental Affairs of the Senate containing a description of 
the policies and procedures developed by the Department of 
Homeland Security to coordinate the disclosure of cyber 
vulnerabilities. Further, the report should contain, where 
available, information on the degree to which the information 
was acted upon by industry and other stakeholders. The report 
may also contain a description of how the Secretary is working 
with other Federal entities and critical infrastructure owners 
and operators to prevent, detect, and mitigate cyber 
vulnerabilities.

                  Background and Need for Legislation

    Computers are ubiquitous: we use them dozens of times a day 
in everyday life--banking, communications, and work. As the 
world has become increasingly interconnected through the 
internet of things, vulnerabilities in the computer code that 
runs the systems can expose them to exploitation by a variety of 
people, from hackers and criminals to nation States.
    The Nation's critical infrastructure is diverse and 
complex. It includes distributed networks, interdependent 
functions and systems in both the physical space and 
cyberspace. The Department of Homeland Security was given the 
authority by the Cybersecurity Act of 2015 to improve 
cybersecurity in the United States through enhanced sharing of 
information about cybersecurity threats.
    The Homeland Security Act of 2002 (Section 227(m)) allows 
the Secretary to coordinate with industry to develop Department 
policies and procedures for coordinating the disclosure of 
cyber vulnerabilities. This disclosure is important as it 
highlights vulnerabilities and allows the public and private 
sector to work to prevent and mitigate cyber threats.
    H.R. 3202 directs the Secretary of the Department of 
Homeland Security to produce a report that describes the 
policies and procedures developed to coordinate the disclosure 
of cyber vulnerabilities.

                                Hearings

    No hearings were held on H.R. 3202 in the 115th Congress.

                        Committee Consideration

    The Committee met on July 26, 2017, to consider H.R. 3202, 
and ordered the measure to be reported to the House with a 
favorable recommendation, without amendment, by voice vote.

                            Committee Votes

    Clause 3(b) of Rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during Committee 
consideration of H.R. 3202.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of Rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
3202, the Cyber Vulnerability Disclosure Reporting Act, would 
result in no new or increased budget authority, entitlement 
authority, or tax expenditures or revenues.

                  Congressional Budget Office Estimate

    Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the 
House of Representatives, a cost estimate provided by the 
Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974 was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the 
House of Representatives, H.R. 3202 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    H.R. 3202 directs the Secretary of the Department of 
Homeland Security to produce a report that describes the policies 
and procedures developed to coordinate the disclosure of cyber 
vulnerabilities.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of Rule XIII, the Committee finds 
that H.R. 21626 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with Rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of Rule 
XXI.

                       Federal Mandates Statement

    An estimate of Federal mandates prepared by the Director of 
the Congressional Budget Office pursuant to section 423 of the 
Unfunded Mandates Reform Act was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 3202 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 3202 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short Title.

    This section provides that this bill may be cited as the 
``Cyber Vulnerability Disclosure Reporting Act''.

Sec. 2.   Report on Cyber Vulnerabilities.

    This section directs the Secretary of Homeland Security to 
submit a report within 240 days to the Committee on Homeland 
Security of the House of Representatives and the Committee on 
Homeland Security and Governmental Affairs of the Senate. The 
report shall contain a description of the policies and 
procedures developed by the Department of Homeland Security to 
coordinate the disclosure of cyber vulnerabilities, in 
accordance with section 227(m) of the Homeland Security Act of 
2002 (6 U.S.C. 148(m)).
    To the extent possible, the report shall include an annex 
with information describing the occasions on which such 
policies and procedures were used to disclose cyber 
vulnerabilities in the year prior to the date that the report 
is required. Further, the report should contain, where 
available, information on the degree to which the information 
was acted upon by industry and other stakeholders. The report 
may also contain a description of how the Secretary is working 
with other Federal entities and critical infrastructure owners 
and operators to prevent, detect, and mitigate cyber 
vulnerabilities.
    The report should be unclassified, but may contain a 
classified annex.

         Changes in Existing Law Made by the Bill, as Reported

    As reported, H.R. 3202 makes no changes to existing law.
