Sec. 8. Vulnerability disclosure policies
/bill/118/hr/4552/rh/section-8
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Chapter 35 of title 44, United States Code, is amended by inserting after section 3559A, as added by this Act, the following:

The purpose of Federal vulnerability disclosure policies is to create a mechanism to enable the public to inform agencies of vulnerabilities in Federal information systems. It is the sense of Congress that, in implementing the requirements of this section, the Federal Government should take appropriate steps to reduce real and perceived burdens in communications between agencies and security researchers.

In this section:
- The term contractor has the meaning given the term in section 3591.
- The term internet of things has the meaning given the term in Special Publication 800–213 of the National Institute of Standards and Technology, entitled IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, or any successor document.
- The term security vulnerability has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
- The term submitter means an individual that submits a vulnerability disclosure report pursuant to the vulnerability disclosure process of an agency.
- The term vulnerability disclosure report means a disclosure of a security vulnerability made to an agency by a submitter.

The Director shall issue guidance to agencies that includes—
- use of the information system security vulnerabilities disclosure process guidelines established under section 4(a)(1) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3b(a)(1));
- direction to not recommend or pursue legal action against a submitter or an individual that conducts a security research activity that—
  - represents a good faith effort to identify and report security vulnerabilities in information systems; or
  - otherwise represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (f)(2);
- direction on sharing relevant information in a consistent, automated, and machine-readable manner with the Director of the Cybersecurity and Infrastructure Security Agency;
- the minimum scope of agency systems required to be covered by the vulnerability disclosure policy of an agency required under subsection (f)(2), including exemptions under subsection (g);
- requirements for providing information to the submitter of a vulnerability disclosure report on the resolution of the vulnerability disclosure report;
- a stipulation that the mere identification by a submitter of a security vulnerability, without a significant compromise of confidentiality, integrity, or availability, does not constitute a major incident; and
- the applicability of the guidance to internet of things devices owned or controlled by an agency.
In developing the guidance required under subsection (c)(3), the Director shall consult with the Director of the Cybersecurity and Infrastructure Security Agency.

The Director of the Cybersecurity and Infrastructure Security Agency shall—
- provide support to agencies with respect to the implementation of the requirements of this section;
- develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section;
- upon a request by an agency, assist the agency in the disclosure to vendors of newly identified security vulnerabilities in vendor products and services; and
- as appropriate, implement the requirements of this section, in accordance with the authority under section 3553(b)(8), as a shared service available to agencies.
The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system and to the extent consistent with the security of information systems but with the presumption of disclosure—
- an appropriate security contact; and
- the component of the agency that is responsible for the internet accessible services offered at the domain.

The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall—
- describe—
  - the scope of the systems of the agency included in the vulnerability disclosure policy, including for internet of things devices owned or controlled by the agency;
  - the type of information system testing that is authorized by the agency;
  - the type of information system testing that is not authorized by the agency;
  - the disclosure policy for a contractor; and
  - the disclosure policy of the agency for sensitive information;
- with respect to a vulnerability disclosure report to an agency, describe—
  - how the submitter should submit the vulnerability disclosure report; and
  - if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency;
- include any other relevant information; and
- be mature in scope and cover every internet accessible information system used or operated by that agency or on behalf of that agency.
The head of each agency shall—
- consider security vulnerabilities reported in accordance with paragraph (2);
- commensurate with the risk posed by the security vulnerability, address such security vulnerability using the security vulnerability management process of the agency; and
- in accordance with subsection (c)(5), provide information to the submitter of a vulnerability disclosure report.

The Director and the head of each agency shall carry out this section in a manner consistent with the protection of national security information.

The Director and the head of each agency may not publish under subsection (f)(1) or include in a vulnerability disclosure policy under subsection (f)(2) host names, services, information systems, or other information that the Director or the head of an agency, in coordination with the Director and other appropriate heads of agencies, determines would—
- disrupt a law enforcement investigation;
- endanger national security or intelligence activities; or
- impede national defense activities or military operations.

This section shall not apply to national security systems. The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated—
- to the Secretary of Defense in the case of systems described in section 3553(e)(2); and
- to the Director of National Intelligence in the case of systems described in section 3553(e)(3).

The Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section.
Compliance with guidance issued by the Director relating to vulnerability disclosure policies before the date of enactment of this Act shall be deemed to be compliance with section 3559B of title 44, United States Code, as added by this title. Nothing in section 3559B of title 44, United States Code, as added by this title, shall be construed to require the Director to issue new guidance to agencies relating to vulnerability disclosure policies before the date described in paragraph (4).
Nothing in section 3559B of title 44, United States Code, as added by this title, shall be construed to require the head of any agency to issue new policies relating to vulnerability disclosure policies before the issuance of any updated guidance under paragraph (4). Notwithstanding paragraphs (1), (2), and (3), not later than 4 years after the date of enactment of this Act, the Director shall review and, as appropriate, update existing guidance relating to vulnerability disclosure policies.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by this Act, the following: 3559B. Federal vulnerability disclosure policies.

Section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c) is amended by striking subsections (d) and (e). The IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a et seq.) is amended—
- by striking section 6 (15 U.S.C. 278g–3d); and
- by striking section 7 (15 U.S.C. 278g–3e).