
Code · BILL · 117th Congress · S. 2902 (Introduced in Senate) — To modernize Federal information security management, and for other purposes. · Sec. 208

Sec. 208. Codifying vulnerability disclosure programs


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Chapter 35 of title 44, United States Code, is amended by inserting after section 3559A, as added by section 206 of this Act, the following:

3559B. Federal vulnerability disclosure programs

(a) In this section:
    (1) The term "report" means a vulnerability disclosure made to an agency by a reporter.
    (2) The term "reporter" means an individual that submits a vulnerability report pursuant to the vulnerability disclosure process of an agency.

(b)(1) The Director, in consultation with the Attorney General, shall issue guidance to agencies to not recommend or pursue legal action against a reporter or an individual that conducts a security research activity that the head of the agency determines—
    (A) represents a good faith effort to follow the vulnerability disclosure policy developed under subsection (d)(2) of the agency; and
    (B) is authorized under the vulnerability disclosure policy developed under subsection (d)(2) of the agency.

(b)(2) The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies on sharing relevant information in a consistent, automated, and machine readable manner with the Cybersecurity and Infrastructure Security Agency, including—
    (A) any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on an agency information system that uses commercial software or services;
    (B) information relating to vulnerability disclosure, coordination, or remediation activities of an agency, particularly as those activities relate to outside organizations—
        (i) with which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security can assist; or
        (ii) about which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security should know; and
    (C) any other information with respect to which the head of the agency determines helpful or necessary to involve the Cybersecurity and Infrastructure Security Agency.

(b)(3)(A) The Director shall issue guidance to agencies on the required minimum scope of agency systems covered by the vulnerability disclosure policy of an agency required under subsection (d)(2).
    (B) Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021, the Director shall update the guidance issued under subparagraph (A) to require that every agency system that is connected to the internet is covered by the vulnerability disclosure policy of the agency.

(c) The Director of the Cybersecurity and Infrastructure Security Agency shall—
    (1) provide support to agencies with respect to the implementation of the requirements of this section;
    (2) develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; and
    (3) upon a request by an agency, assist the agency in the disclosure to vendors of newly identified vulnerabilities in vendor products and services.

(d)(1) The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system—
    (A) an appropriate security contact; and
    (B) the component of the agency that is responsible for the internet accessible services offered at the domain.

(d)(2) The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall—
    (A) describe—
        (i) the scope of the systems of the agency included in the vulnerability disclosure policy;
        (ii) the type of information system testing that is authorized by the agency;
        (iii) the type of information system testing that is not authorized by the agency; and
        (iv) the disclosure policy of the agency for sensitive information;
    (B) include a provision that authorizes the anonymous submission of a vulnerability by a reporter;
    (C) with respect to a report to an agency, describe—
        (i) how the reporter should submit the report; and
        (ii) if the report is not anonymous under subparagraph (B), when the reporter should anticipate an acknowledgment of receipt of the report by the agency; and
    (D) include any other relevant information.

(d)(3) The head of each agency shall incorporate any vulnerabilities reported under paragraph (2) into the vulnerability management process of the agency in order to track and remediate the vulnerability.

(e) The requirements of subchapter I (commonly known as the "Paperwork Reduction Act") shall not apply to a vulnerability disclosure program established under this section.

(f) Not later than 90 days after the date of enactment of the Federal Information Security Modernization Act of 2021, and annually thereafter for a 3-year period, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the status of the use of vulnerability disclosure policies under this section at agencies, including, with respect to the guidance issued under subsection (b)(3), an identification of the agencies that are compliant and not compliant.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559A the following:

3559B. Federal vulnerability disclosure programs.
Marginalia · a citizen's law index