[House Report 115-961]
[From the U.S. Government Publishing Office]


115th Congress   }                                     {        Report
                        HOUSE OF REPRESENTATIVES
 2d Session      }                                     {       115-961

======================================================================



 
              PUBLIC-PRIVATE CYBERSECURITY COOPERATION ACT

                                _______
                                

 September 25, 2018.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 6735]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 6735) to direct the Secretary of Homeland 
Security to establish a vulnerability disclosure policy for 
Department of Homeland Security internet websites, and for 
other purposes, having considered the same, report favorably 
thereon with an amendment and recommend that the bill as 
amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     3
Background and Need for Legislation..............................     3
Hearings.........................................................     4
Committee Consideration..........................................     4
Committee Votes..................................................     5
Committee Oversight Findings.....................................     5
New Budget Authority, Entitlement Authority, and Tax Expenditures     5
Congressional Budget Office Estimate.............................     5
Statement of General Performance Goals and Objectives............     5
Duplicative Federal Programs.....................................     5
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     5
Federal Mandates Statement.......................................     6
Preemption Clarification.........................................     6
Disclosure of Directed Rule Makings..............................     6
Advisory Committee Statement.....................................     6
Applicability to Legislative Branch..............................     6
Section-by-Section Analysis of the Legislation...................     6
Changes in Existing Law Made by the Bill, as Reported............     7

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Public-Private Cybersecurity 
Cooperation Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY DISCLOSURE OF SECURITY 
                    VULNERABILITIES.

  (a) Vulnerability Disclosure Policy.--The Secretary of Homeland 
Security shall establish a policy applicable to individuals, 
organizations, and companies that report security vulnerabilities on 
appropriate information systems of Department of Homeland Security. 
Such policy shall include each of the following:
          (1) The appropriate information systems of the Department 
        that individuals, organizations, and companies may use to 
        discover and report security vulnerabilities on appropriate 
        information systems.
          (2) The conditions and criteria under which individuals, 
        organizations, and companies may operate to discover and report 
        security vulnerabilities.
          (3) How individuals, organizations, and companies may 
        disclose to the Department security vulnerabilities discovered 
        on appropriate information systems of the Department.
          (4) The ways in which the Department may communicate with 
        individuals, organizations, and companies that report security 
        vulnerabilities.
          (5) The process the Department shall use for public 
        disclosure of reported security vulnerabilities.
  (b) Remediation Process.--The Secretary of Homeland Security shall 
develop a process for the Department of Homeland Security to address 
the mitigation or remediation of the security vulnerabilities reported 
through the policy developed in subsection (a).
  (c) Consultation.--In developing the security vulnerability 
disclosure policy under subsection (a), the Secretary of Homeland 
Security shall consult with each of the following:
          (1) The Attorney General regarding how to ensure that 
        individuals, organizations, and companies that comply with the 
        requirements of the policy developed under subsection (a) are 
        protected from prosecution under section 1030 of title 18, 
        United States Code, civil lawsuits, and similar provisions of 
        law with respect to specific activities authorized under the 
        policy.
          (2) The Secretary of Defense and the Administrator of General 
        Services regarding lessons that may be applied from existing 
        vulnerability disclosure policies.
          (3) Non-governmental security researchers.
  (d) Public Availability.--The Secretary of Homeland Security shall 
make the policy developed under subsection (a) publicly available.
  (e) Submission to Congress.--
          (1) Disclosure policy and remediation process.--Not later 
        than 90 days after the date of the enactment of this Act, the 
        Secretary of Homeland Security shall submit to Congress a copy 
        of the policy required under subsection (a) and the remediation 
        process required under subsection (b).
          (2) Report and briefing.--
                  (A) Report.--Not later than one year after 
                establishing the policy required under subsection (a), 
                the Secretary of Homeland Security shall submit to 
                Congress a report on such policy and the remediation 
                process required under subsection (b).
                  (B) Annual briefings.--One year after the date of the 
                submission of the report under subparagraph (A), and 
                annually thereafter for each of the next three years, 
                the Secretary of Homeland Security shall provide to 
                Congress a briefing on the policy required under 
                subsection (a) and the process required under 
                subsection (b).
                  (C) Matters for inclusion.--The report required under 
                subparagraph (A) and the briefings required under 
                subparagraph (B) shall include each of the following 
                with respect to the policy required under subsection 
                (a) and the process required under subsection (b) for 
                the period covered by the report or briefing, as the 
                case may be:
                          (i) The number of unique security 
                        vulnerabilities reported.
                          (ii) The number of previously unknown 
                        security vulnerabilities mitigated or 
                        remediated.
                          (iii) The number of unique individuals, 
                        organizations, and companies that reported 
                        security vulnerabilities.
                          (iv) The average length of time between the 
                        reporting of security vulnerabilities and 
                        mitigation or remediation of such 
                        vulnerabilities.
  (f) Definitions.--In this section:
          (1) The term ``security vulnerability'' has the meaning given 
        that term in section 102(17) of the Cybersecurity Information 
        Sharing Act of 2015 (6 U.S.C. 1501(17)), in information 
        technology.
          (2) The term ``information system'' has the meaning given 
        that term by section 3502(12) of title 44, United States Code.
          (3) The term ``appropriate information system'' means an 
        information system that the Secretary of Homeland Security 
        selects for inclusion under the vulnerability disclosure policy 
        required by subsection (a).

                          PURPOSE AND SUMMARY

    H.R. 6735, the ``Public-Private Cybersecurity Cooperation 
Act'' requires the Secretary of Homeland Security to establish 
a policy for the reporting and remediation of security 
vulnerabilities on appropriate information systems within 90 
days. The policy must include an understanding of the 
information technology that the policy applies to, the 
conditions under which individuals or organizations legally may 
discover and report vulnerabilities, and how those 
vulnerabilities are to be reported and disclosed.
    Additionally, the bill requires the Department to identify 
a process that it must go through in mitigating and remediating 
security vulnerabilities. In developing the policy, the 
Secretary must consult with the Attorney General, the Secretary 
of Defense, the Administrator of the General Services 
Administration, and non-governmental security researchers. 
Finally, the bill lays out the specifics for reporting the 
policy to Congress, as well as a report to Congress on the 
effectiveness of the policy.

                  BACKGROUND AND NEED FOR LEGISLATION

    In 2016, the Defense Digital Service (DDS) within the 
Department of Defense (DOD) created the ``Hack the Pentagon Bug 
Bounty Program'' which allowed civic-minded security 
researchers the opportunity to report vulnerabilities found on 
DOD websites. Following the ``Hack the Pentagon program'', DDS 
created a Vulnerability Disclosure Policy that allowed 
individuals and organizations the ability to submit 
vulnerabilities found on DOD websites through an online portal. 
The ability of the DOD to leverage the public in finding 
vulnerabilities in public websites enabled a greater 
understanding of DOD's public facing cybersecurity risks.
    Based on the model and experience of DOD's vulnerability 
disclosure policy, this legislation would direct the Department 
to develop its own vulnerability disclosure policy. It is 
accepted industry practice among major technology companies to 
use vulnerability disclosure programs and bug bounty programs 
to help ensure the safety and security of their websites and 
platforms. Threat researchers from the private sector have 
commented on the process of receiving, reviewing, and 
responding to vulnerability disclosures as a foundational 
element of the modern cybersecurity policy.
    Members of the Committee have expressed concerns over the 
Department's lack of a vulnerability disclosure policy, at both 
Full Committee hearings and in correspondence with the 
Department. To date, the Department has no legal avenue for 
people to report vulnerabilities found of the Department's 
websites. As the government faces ongoing threats to its online 
infrastructure, the goal of this legislation is to engage the 
public to be proactive with security concerns and improve its 
cybersecurity efforts.
    H.R. 6735 directs the Secretary of Homeland Security to 
develop and implement a vulnerability disclosure program to 
keep pace with the constantly evolving threats the Department 
faces. Additionally, H.R. 6735 will ensure that the Department 
continues to lead by example in the government's efforts to 
improve its cybersecurity posture.

                                HEARINGS

    While the committee did not hold any hearings on H.R. 6735 
directly, the following hearings touched on oversight 
authority:
          March 9, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``The Current 
        State of DHS Private Sector Engagement for 
        Cybersecurity''
          March 22, 2017--Full Committee: ``A Borderless 
        Battle: Defending Against Cyber Threats''
          March, 28, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``The Current 
        State of DHS' Efforts to Secure Federal Networks''
          October 3, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Examining DHS' 
        Cybersecurity Mission''
          November 15, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Maximizing the 
        Value of Cyber Threat Information Sharing''
          April 26, 2018--Full Committee: ``Strengthening the 
        Safety and Security of Our Nation: The President's 
        FY2019 Budget Request for the Department of Homeland 
        Security''
          July 25, 2018--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Assessing the 
        State of Federal Cybersecurity Risk Determination''

                        COMMITTEE CONSIDERATION

    The Committee met on September 13, 2018, to consider H.R. 
6735 and ordered the measure to be reported to the House with a 
favorable recommendation, amended, by unanimous consent. The 
Committee took the following actions:
    The following amendments were offered:

An Amendment offered by Mr. Ratcliffe and Mr. Langevin (#1); 
was AGREED TO by unanimous consent.

    Consisting of the following amendments:
    This amendment amends the long title to read: ``A bill to 
direct the Secretary of Homeland Security to establish a 
vulnerability disclosure policy for appropriate information 
systems of the Department of Homeland Security, and for other 
purposes.''
    Creates the short title: ``Public-Private Cybersecurity 
Cooperation Act''.
    Page 2, lines 1 through 2, strike ``Department of Homeland 
Security public internet websites that shall include'' and 
insert ``appropriate information systems of the Department of 
Homeland Security. Such policy shall include each of the 
following:''.
    Page 2, lines 3 through 4, strike ``the information 
technology to which the policy applies'' and insert ``The 
appropriate information systems of the Department that 
individuals, organizations, and companies may use to discover 
and report security vulnerabilities on appropriate information 
systems''.
    In addition, makes technical corrections and updates the 
disclosure policy and remediation process.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 6735.

                      COMMITTEE OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
6735 the ``Public-Private Cybersecurity Cooperation Act'', 
would result in no new or increased budget authority, 
entitlement authority, or tax expenditures or revenues.

                  CONGRESSIONAL BUDGET OFFICE ESTIMATE

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, a cost estimate provided by the 
Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974 was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, H.R. 6735 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    H.R. 6735 requires the Secretary of Homeland Security to 
provide the vulnerability disclosure policy to Congress, and 
report to Congress on a variety of metrics related to the 
efficiency and success of vulnerability reporting and 
mitigation.

                      DUPLICATIVE FEDERAL PROGRAMS

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 6735 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF 
                                BENEFITS

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of the rule 
XXI.

                       FEDERAL MANDATES STATEMENT

    An estimate of Federal mandates prepared by the Director of 
the Congressional Budget Office pursuant to section 423 of the 
Unfunded Mandates Reform Act was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

                        PREEMPTION CLARIFICATION

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 6735 does 
not preempt any State, local, or Tribal law.

                  DISCLOSURE OF DIRECTED RULE MAKINGS

    The Committee estimates that H.R. 6735 would require no 
directed rule makings.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

    This section provides that this bill may be cited as the 
``Public-Private Cybersecurity Cooperation Act''.

Sec. 2. Department of Homeland Security disclosure of security 
        vulnerabilities

    Section 1(a) requires the Secretary of Homeland Security 
(the Secretary) to establish a policy for individuals, 
organizations, and companies to report security vulnerabilities 
on Department of Homeland Security (DHS) appropriate 
information systems. The vulnerability disclosure policy 
required shall include: the applicable information technology; 
conditions and criteria under which individuals, organizations, 
and companies may legally operate and report security 
vulnerabilities; how vulnerabilities can be disclosed to DHS; 
how DHS will communicate with the parties that discover 
vulnerabilities; and how DHS or individuals can report security 
vulnerabilities. The Committee intends that the policy 
developed by the Department take into account the process for 
communicating vulnerabilities with the original manufacturer of 
the technology.
    Section (b) requires the Secretary to develop a process for 
DHS to mitigate or remediate security vulnerabilities reported 
through the policy.
    Section (c) requires the Secretary to consult with the 
Attorney General, Secretary of Defense and Administrator of the 
General Services Administration, as well as non-governmental 
security researchers when developing the vulnerability 
disclosure policy.
    Section (d) requires the Secretary to make the 
vulnerability disclosure policy publicly available. The 
Committee intends lessons learned from other agencies that have 
existing security vulnerability disclosure programs be 
incorporated into DHS' policy. Additionally, the Committee 
intends that, to the extent security vulnerabilities reported 
to the Department are present in non-Department information 
systems, those vulnerabilities should be shared with 
participants in the Department's information sharing programs, 
including other federal agencies.
    The Secretary is required under section (e) to submit the 
policy to Congress within 90 days, additionally the Secretary 
has to submit an annual report for three years (e)(2), on the 
number of unique security vulnerabilities reports, the number 
of previously unknown security vulnerabilities mitigated or 
remediated, the number of unique parties that reported security 
vulnerabilities, and the average length of time between the 
reporting of the security vulnerability and when it was 
mitigated or remediated.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    As reported, H.R. 6735 makes no changes to existing law.

                                  [all]