
Code · BILL · 118th Congress · H.R. 7447 (Introduced in House) — To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct o... · Sec. 3

Sec. 3. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subtitle D of title II of the Help America Vote Act of 2002 (42 U.S.C. 15401 et seq.) is amended by adding at the end the following new part:
The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the program) in order to test for and disclose cybersecurity vulnerabilities in election systems. The program shall be conducted for a period of 5 years.
In carrying out the program, the Commission, in consultation with the Secretary, shall—
  establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;
  provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;
  establish terms of participation that—
    describe the scope of testing permitted under the program;
    require researchers to—
      notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and
      otherwise keep such vulnerability confidential for 180 days after such notification;
    require the good faith participation of all participants in the program; and
    require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—
      send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and
      notify the Commission and the Secretary that such patch has been sent to such officials;
  in the case where a patch or fix to address a vulnerability disclosed under paragraph (3)(B)(i) is intended to be applied to a system certified by the Commission, provide—
    for the expedited review of such patch or fix within 90 days after receipt by the Commission; and
    if such review is not completed by the last day of such 90-day period, that such patch or fix shall be deemed to be certified by the Commission; and
  180 days after the disclosure of a vulnerability under paragraph (3)(B)(i), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.
Participation in the program shall be voluntary for election systems vendors and researchers.
Research conducted under the program, and any subsequent publication of such research, shall be treated as follows:
The research and publication shall be treated as authorized in accordance with section 1030 of title 18, United States Code (commonly known as the Computer Fraud and Abuse Act), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.
The research and publication shall be exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the Digital Millennium Copyright Act), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.
Nothing in this subsection may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).
Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).
In this section:
  The term cybersecurity vulnerability means, with respect to an election system, any security vulnerability that affects the election system.
  The term election infrastructure means—
    storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and
    related information and communications technology, including—
      voter registration databases;
      election management systems;
      voting machines;
      electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and
      other systems used to manage the election process and to report and display election results on behalf of an election agency.
  The term election system means any information system that is part of an election infrastructure, including any related information and communications technology described in paragraph (2)(B).
  The term election system vendor means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.
  The term information system has the meaning given the term in section 3502 of title 44, United States Code.
  The term Secretary means the Secretary of Homeland Security.
  The term security vulnerability has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
The table of contents of such Act is amended by adding at the end of the items relating to subtitle D of title II the following:
  PART 7—Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems
  Sec. 297. Independent security testing and coordinated cybersecurity vulnerability disclosure program for election systems.