Sec. 4. Information sharing
/bill/115/hr/6663/ih/section-4
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Secretary shall have primary responsibility within the Federal Government for sharing information about election cybersecurity incidents, threats, and vulnerabilities with Federal entities and with election agencies. If a Federal entity receives information about an election cybersecurity incident, threat, or vulnerability, the Federal entity shall promptly share that information with the Department, unless the head of the entity (or a Senate-confirmed official designated by the head) makes a specific determination in writing that there is good cause to withhold the particular information.
If the Department receives information about an election cybersecurity incident, threat, or vulnerability, the Department shall promptly share that information with— the appropriate Federal entities; all State election agencies; to the maximum extent practicable, all election agencies that have requested ongoing updates on election cybersecurity incidents, threats, or vulnerabilities; and to the maximum extent practicable, all election agencies that may be affected by the risks associated with the particular election cybersecurity incident, threat, or vulnerability.
In sharing information about election cybersecurity incidents, threats, and vulnerabilities with election agencies under this section, the Department shall, to the maximum extent practicable— provide cyber threat indicators and defensive measures (as such terms are defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)), such as recommended technical instructions, that assist with preventing, mitigating, and detecting threats or vulnerabilities; identify resources available for protecting against, detecting, responding to, and recovering from associated risks, including technical capabilities of the Department; and provide guidance about further sharing of the information.
If the Department receives classified information about an election cybersecurity incident, threat, or vulnerability— the Secretary shall promptly submit a request for expedited declassification review to the head of a Federal entity with authority to conduct the review, consistent with Executive Order 13526 or any successor order, unless the Secretary determines that such a request would be inappropriate; and the head of the Federal entity described in paragraph (1) shall promptly conduct the review.
The Department may share information about election cybersecurity incidents, threats, and vulnerabilities through a non-Federal entity.
If a Federal entity shares information relating to an election cybersecurity incident, threat, or vulnerability, the Federal entity shall, within Federal information systems (as defined in section 3502 of title 44, United States Code) of the entity— minimize the acquisition, use, and disclosure of personal information of voters, except as necessary to identify, protect against, detect, respond to, or recover from election cybersecurity incidents, threats, and vulnerabilities; notwithstanding any other provision of law, prohibit the retention of personal information of voters, such as— voter registration information, including physical address, email address, and telephone number; political party affiliation or registration information; and voter history, including registration status or election participation; and protect confidential Federal and State information from unauthorized disclosure.
Information relating to an election cybersecurity incident, threat, or vulnerability, such as personally identifiable information of reporting persons or individuals affected by such incident, threat, or vulnerability, shared by or with the Federal Government shall be— deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records; and withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
If an election agency becomes aware of the possibility of an election cybersecurity incident, the election agency shall promptly assess whether an election cybersecurity incident occurred and notify the State election official.
If an election service provider becomes aware of the possibility of an election cybersecurity incident, the election service provider shall promptly assess whether an election cybersecurity incident occurred and notify the relevant election agencies consistent with subsection (j).
If an election agency has reason to believe that an election cybersecurity incident has occurred with respect to an election system owned, operated, or maintained by or on behalf of the election agency, the election agency shall, in the most expedient time possible and without unreasonable delay, provide notification of the election cybersecurity incident to the Department.
If an election service provider has reason to believe that an election cybersecurity incident may have occurred, or that an incident related to the role of the provider as an election service provider may have occurred, the election service provider shall— notify the relevant election agencies in the most expedient time possible and without unreasonable delay; and cooperate with the election agencies in providing the notifications required under subsections (h)(1) and (i).
The notifications required under subsections (h)(1) and (i)— shall include an initial assessment of— the date, time, and duration of the election cybersecurity incident; the circumstances of the election cybersecurity incident, including the specific election systems believed to have been accessed and information acquired; and planned and implemented technical measures to respond to and recover from the incident; and shall be updated with additional material information, including technical data, as it becomes available.
Not later than 30 days after the date of enactment of this Act, the Secretary— shall establish an expedited process for providing appropriate security clearance to State election officials and designated technical personnel employed by State election agencies; shall establish an expedited process for providing appropriate security clearance to members of the Commission and designated technical personnel employed by the Commission; and shall establish a process for providing appropriate security clearance to personnel at other election agencies.
Nothing in this Act may be construed to provide a cause of action against a State, unit of local government, or an election service provider.
The Secretary and the Chairman, in coordination with the heads of the appropriate Federal entities and appropriate officials of State and local governments, shall conduct an assessment of— the structure and functioning of the Multi-State Information Sharing and Analysis Center for purposes of election cybersecurity; and other mechanisms for inter-state information sharing about election cybersecurity.
In carrying out the assessment required under paragraph (1), the Secretary and the Chairman shall solicit and consider comments from all State election agencies.
The Secretary and the Chairman shall jointly issue the assessment required under paragraph (1) to— all election agencies known to the Department and the Commission; and the appropriate congressional committees.
If an appropriate Federal entity has reason to believe that a significant election cybersecurity incident has occurred, the entity shall— not later than 7 calendar days after the date on which there is a reasonable basis to conclude that the significant incident has occurred, provide notification of the incident to the appropriate congressional committees; and update the initial notification under paragraph (1) within a reasonable period of time after additional information relating to the incident is discovered.
The Secretary shall— promulgate a uniform definition of a significant election cybersecurity incident; and shall submit the definition promulgated under subparagraph (A) to the appropriate congressional committees.