[House Report 116-193]
[From the U.S. Government Publishing Office]

116th Congress, 1st Session          HOUSE OF REPRESENTATIVES          Report 116-193

CYBERSECURITY VULNERABILITY REMEDIATION ACT

August 30, 2019.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. Thompson of Mississippi, from the Committee on Homeland Security, submitted the following

R E P O R T

[To accompany H.R. 3710]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security, to whom was referred the bill (H.R. 3710) to amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes, having considered the same, report favorably thereon without amendment and recommend that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and Tax Expenditures
Federal Mandates Statement
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

Purpose and Summary

H.R.
3710, the ``Cybersecurity Vulnerability Remediation Act,'' seeks to improve how the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) helps Federal and non-Federal entities manage known cybersecurity risks. Toward that end, the bill would authorize the CISA Director to identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities--including for software or hardware that is no longer supported by the vendor. Additionally, the bill would authorize the DHS Under Secretary for Science and Technology to establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities.

Background and Need for Legislation

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for Federal network protection and for providing voluntary cybersecurity services to non-Federal entities. Toward that end, CISA has invested in developing systems to catalogue cybersecurity vulnerabilities. Leveraging the Common Vulnerabilities and Exposures (CVE) database and in partnership with the National Institute of Standards and Technology (NIST), CISA established the National Vulnerability Database (NVD) to assess the severity of cybersecurity vulnerabilities. Even with these tools, however, owners and operators of public and private information systems are not consistently able to manage known security risks and combat cyber threats.

H.R. 3710 would authorize CISA to develop and distribute ``playbooks,'' in consultation with private sector experts, to provide procedures and mitigation strategies for the most critical known vulnerabilities--especially those affecting software or hardware that is no longer supported by a vendor. The playbooks would be available to Federal agencies, industry, and other stakeholders. H.R.
3710 would also allow the DHS Science and Technology Directorate (S&T), in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities in software or hardware that is no longer supported.

Hearings

For the purpose of section 103(i) of H. Res. 6 of the 116th Congress, the following related hearings were held: a Full Committee hearing entitled ``Defending Our Democracy: Building Partnerships to Protect America's Elections,'' on February 13, 2019, and a hearing held by the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation entitled ``Cybersecurity Challenges for State and Local Governments: Assessing How the Federal Government Can Help,'' on June 25, 2019.

Committee Consideration

The Committee met on July 17, 2019, with a quorum being present, to consider H.R. 3710 and ordered the measure to be reported to the House with a favorable recommendation, without amendment, by unanimous consent.

Committee Votes

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto.

Committee Oversight Findings

In compliance with clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee advises that the findings and recommendations of the Committee, based on oversight activities under clause 2(b)(1) of rule X of the Rules of the House of Representatives, are incorporated in the descriptive portions of this report.
Congressional Budget Office Estimate, New Budget Authority, Entitlement Authority, and Tax Expenditures

With respect to the requirements of clause 3(c)(2) of rule XIII of the Rules of the House of Representatives and section 308(a) of the Congressional Budget Act of 1974, and with respect to the requirements of clause 3(c)(3) of rule XIII of the Rules of the House of Representatives and section 402 of the Congressional Budget Act of 1974, the Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office.

U.S. Congress,
Congressional Budget Office,
Washington, DC, August 1, 2019.

Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 3710, the Cybersecurity Vulnerability Remediation Act.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Aldo Prosperi.

Sincerely,
Phillip L. Swagel, Director.

Enclosure.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

H.R. 3710 would authorize the Department of Homeland Security (DHS) to disseminate information to the public about vulnerabilities in the software and hardware of information systems. The bill also would authorize DHS to establish an award program to encourage independent researchers to identify and report vulnerabilities and solutions for those vulnerabilities to the department.

DHS is already performing many of the cybersecurity activities that would be authorized by H.R. 3710. The department manages several programs that provide services and information to help system administrators, software manufacturers, and the general public identify cyber vulnerabilities. For example, the DHS Common Vulnerabilities and Exposures program helps software vendors identify risks and communicate to their customers how vulnerabilities affect their products and services.
To estimate the cost of providing incentive payments to independent researchers, CBO used information about similar programs of other federal agencies. For example, the General Services Administration (GSA) offers payments to individual researchers through its Bug Bounty program for each vulnerability identified. Those payments range from $150 to $5,000 based on how critical the potential target is to GSA's operations. On the basis of budget data from those related programs, CBO estimates that making incentive payments to independent researchers for identifying vulnerabilities would cost $11 million each year. CBO expects that DHS would be ready to implement the program beginning in 2021. Thus, CBO estimates that enacting H.R. 3710 would cost $44 million over the 2019-2024 period. Such spending would be subject to availability of appropriated funds.

Areas of uncertainty in that estimate include expectations about the criteria DHS would use in awarding payments to independent researchers. H.R. 3710 would give DHS broad latitude in establishing the criteria under which it would provide cash payments. CBO assumes that the department would limit payments to actions that protect government systems. The budgetary effects of the bill would be significantly larger than this estimate if DHS also provides payments for actions that protect nonfederal systems.

The CBO staff contact for this estimate is Aldo Prosperi. The estimate was reviewed by Leo Lex, Deputy Assistant Director for Budget Analysis.

Federal Mandates Statement

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office.

Duplicative Federal Programs

Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 3710 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program.
Performance Goals and Objectives

The Committee states that pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 3710 would authorize the CISA Director to identify, develop, and share mitigation protocols for managing security vulnerabilities and addressing cybersecurity risk. Additionally, the bill would authorize the DHS Under Secretary for Science and Technology to establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities.

Advisory on Earmarks

In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI.

Section-by-Section Analysis of the Legislation

Section 1. Short title

This section provides that the bill may be cited as the ``Cybersecurity Vulnerability Remediation Act''.

Sec. 2. Cybersecurity vulnerabilities

This section provides that the term ``cybersecurity vulnerability'' has the meaning given the term ``security vulnerability'' in section 102 of the Cybersecurity Information Sharing Act of 2015. The section authorizes the CISA Director to, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor. The section further provides that the National Cybersecurity and Communications Integration Center shall share mitigation protocols to counter cybersecurity vulnerabilities.

Sec. 3.
Report on cybersecurity vulnerabilities

This section provides that not later than one year after the date of the enactment of this Act, the CISA Director shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how the Agency carries out subsection (m) of section 2209 of the Homeland Security Act of 2002 to coordinate vulnerability disclosures, including disclosures of cybersecurity vulnerabilities (as such term is defined in such section), and subsection (n) of such section (as added by section 2) to disseminate actionable protocols to mitigate cybersecurity vulnerabilities. The report shall include the following:

    a description of the policies and procedures relating to the coordination of vulnerability disclosures;
    a description of the levels of activity in furtherance of such subsections (m) and (n) of such section 2209;
    any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders;
    any available information on the degree to which such information was acted upon by industry and other stakeholders; and
    a description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.

Sec. 4. Competition relating to cybersecurity vulnerabilities

This section authorizes the Under Secretary for Science and Technology at the Department of Homeland Security, in consultation with the CISA Director, to establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities (as such term is defined in section 2209 of the Homeland Security Act of 2002, as amended by section 2).
The Committee believes that the establishment of an incentives-based program could enhance CISA's ability to develop timely playbooks to mitigate known cybersecurity vulnerabilities that could be exploited.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

* * * * * * *

TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

* * * * * * *

SEC. 2209. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

  (a) Definitions.--In this section--
    (1) the term ``cybersecurity risk''--
      (A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
      (B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
    (2) the terms ``cyber threat indicator'' and ``defensive measure'' have the meanings given those terms in section 102 of the Cybersecurity Act of 2015;
    (3) the term ``incident'' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;
    (4) the term ``information sharing and analysis organization'' has the meaning given that term in section 2222(5);
    (5) the term ``information system'' has the meaning
given that term in section 3502(8) of title 44, United States Code; [and]
    (6) the term ``cybersecurity vulnerability'' has the meaning given the term ``security vulnerability'' in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and
    [(6)] (7) the term ``sharing'' (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).
  (b) Center.--There is in the Department a national cybersecurity and communications integration center (referred to in this section as the ``Center'') to carry out certain responsibilities of the Director. The Center shall be located in the Cybersecurity and Infrastructure Security Agency. The head of the Center shall report to the Assistant Director for Cybersecurity.
  (c) Functions.--The cybersecurity functions of the Center shall include--
    (1) being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementation of title I of the Cybersecurity Act of 2015;
    (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
    (3) coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents across the Federal Government;
    (4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
    (5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents; [and]
      (B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and
      [(B)] (C) sharing the analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B) with Federal and non-Federal entities;
    (6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation;
    (7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to--
      (A) facilitate information security;
      (B) strengthen information systems against cybersecurity risks and incidents; and
      (C) [sharing] share cyber threat indicators and defensive measures;
    (8) engaging with international partners, in consultation with other appropriate agencies, to--
      (A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
      (B) enhance the security and resilience of global cybersecurity;
    (9) sharing cyber threat indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
    (10) participating, as appropriate, in national exercises run by the Department; and
    (11) in coordination with the Emergency Communications Division of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such
communications.
  (d) Composition.--
    (1) In general.--The Center shall be composed of--
      (A) appropriate representatives of Federal entities, such as--
        (i) sector-specific agencies;
        (ii) civilian and law enforcement agencies; and
        (iii) elements of the intelligence community, as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4));
      (B) appropriate representatives of non-Federal entities, such as--
        (i) State, local, and tribal governments;
        (ii) information sharing and analysis organizations, including information sharing and analysis centers;
        (iii) owners and operators of critical information systems; and
        (iv) private entities;
      (C) components within the Center that carry out cybersecurity and communications activities;
      (D) a designated Federal official for operational coordination with and across each sector;
      (E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and
      (F) other appropriate representatives or entities, as determined by the Secretary.
    (2) Incidents.--In the event of an incident, during exigent circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center.
  (e) Principles.--In carrying out the functions under subsection (c), the Center shall ensure--
    (1) to the extent practicable, that--
      (A) timely, actionable, and relevant cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is shared;
      (B) when appropriate, cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector;
      (C) activities are prioritized and conducted based on the level of risk;
      (D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration;
      (E) continuous, collaborative, and inclusive coordination occurs--
        (i) across sectors; and
        (ii) with--
          (I) sector coordinating councils;
          (II) information sharing and analysis organizations; and
          (III) other appropriate non-Federal partners;
      (F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient;
      (G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and[;]
      (H) the Center designates an agency contact for non-Federal entities;
    (2) that information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents is appropriately safeguarded against unauthorized access or disclosure; and
    (3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons, including by working with the Privacy Officer appointed under section 222 to ensure that the Center follows the policies and
procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015.
  (f) No Right or Benefit.--
    (1) In general.--The provision of assistance or information to, and inclusion in the Center of, governmental or private entities under this section shall be at the sole and unreviewable discretion of the Director.
    (2) Certain assistance or information.--The provision of certain assistance or information to, or inclusion in the Center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.
  (g) Automated Information Sharing.--
    (1) In general.--The Director, in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015.
    (2) Annual report.--The Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented.
  (h) Voluntary Information Sharing Procedures.--
    (1) Procedures.--
      (A) In general.--The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section.
      Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Director, for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection.
      (B) National security.--The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Director, for any reason, including if the Secretary determines that such is appropriate for national security.
    (2) Voluntary information sharing relationships.--A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph.
      (A) Standard agreement.--For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department's website.
      (B) Negotiated agreement.--At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Director, the Department shall negotiate a non-standard agreement, consistent with this section.
      (C) Existing agreements.--An agreement between the Center and a non-Federal entity that is entered into before the date of enactment of this subsection, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection.
      An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection.
  (i) Direct Reporting.--The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents.
  (j) Reports on International Cooperation.--Not later than 180 days after the date of enactment of this subsection, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8).
  (k) Outreach.--Not later than 60 days after the date of enactment of this subsection, the Secretary, acting through the Director, shall--
    (1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and
    (2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing.
  (l) Cybersecurity Outreach.--
    (1) In general.--The Secretary may leverage small business development centers to provide assistance to small business concerns by disseminating information on cyber threat indicators, defense measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees.
    (2) Definitions.--For purposes of this subsection, the terms ``small business concern'' and ``small business development center'' have the meaning given such terms, respectively, under section 3 of the Small Business Act.
  (m) Coordinated Vulnerability Disclosure.--The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.
  (n) Protocols to Counter Cybersecurity Vulnerabilities.--The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.

* * * * * * *