H.R. 6315: Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act
This bill, known as the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act, aims to enhance the security of election systems in the United States by introducing specific testing and evaluation requirements. Here's a layman's summary of what it would accomplish:
Penetration Testing Requirements
The bill mandates that the Election Assistance Commission (EAC) conduct penetration testing as part of the process for testing, certifying, decertifying, and recertifying voting systems. Specifically:
- Within 180 days of the bill's enactment, the EAC must implement a system for conducting penetration tests on voting system hardware and software.
- The National Institute of Standards and Technology (NIST) will recommend accredited entities to perform these penetration tests, and the EAC will be responsible for approving these entities.
Independent Security Testing and Vulnerability Disclosure Program
The bill also proposes the establishment of a five-year pilot program called the Independent Security Testing and Coordinated Vulnerability Disclosure Program for Election Systems (VDP–E). This program aims to:
- Allow cybersecurity researchers to test election systems and disclose vulnerabilities in them collaboratively.
- Provide election system vendors with a framework to participate voluntarily.
- Provide a mechanism for vendors to share their election systems with approved researchers for testing.
Program Participation Guidelines
In carrying out the program, the EAC (in coordination with the Secretary of Homeland Security) will:
- Vet participating researchers, including performing background checks.
- Establish terms that define the scope of permitted testing and require researchers to notify vendors and relevant authorities of any discovered vulnerabilities.
- Ensure that vendors implement necessary fixes for identified vulnerabilities within a specified timeframe and notify relevant officials once fixes are provided.
- Notify the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities after a 180-day disclosure period.
Legal Protections for Researchers
The bill also includes provisions to protect researchers participating in the program:
- Participating in the program is voluntary for both election system vendors and researchers.
- Research conducted under the program will be treated as authorized under current laws, to prevent liability for good-faith violations.
- Findings of cybersecurity vulnerabilities will be exempt from Freedom of Information Act requests, ensuring confidentiality of sensitive information.
Definitions Included in the Bill
The bill contains definitions for key terms used throughout, including:
- Cybersecurity vulnerability: Any security weakness affecting election systems.
- Election infrastructure: This encompasses polling places, vote tabulation locations, and related information technology.
- Election system: Any information system involved in managing elections.
- Election system vendor: Any person or entity providing or maintaining election systems on behalf of state or local officials.
Relevant Companies
None found
This is an AI-generated summary of the bill text. There may be mistakes.
Sponsors
2 bill sponsors
Actions
2 actions
| Date | Action |
|---|---|
| Nov. 25, 2025 | Introduced in House |
| Nov. 25, 2025 | Referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned. |
Corporate Lobbying
0 companies lobbying
None found.
* Note that there can be significant delays in lobbying disclosures, and our data may be incomplete.
Potentially Relevant Congressional Stock Trades
No relevant congressional stock trades found.