118th CONGRESS 1st Session |
To direct the Secretary of Homeland Security and the Director of National Intelligence to submit a joint report on foreign threats to elections in the United States and to establish procedures to test for and monitor cybersecurity vulnerabilities in certain equipment used in the administration of elections for Federal office, and for other purposes.
July 3, 2023
Ms. Mace introduced the following bill; which was referred to the Committee on House Administration, and in addition to the Committees on Homeland Security, and Intelligence (Permanent Select), for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To direct the Secretary of Homeland Security and the Director of National Intelligence to submit a joint report on foreign threats to elections in the United States and to establish procedures to test for and monitor cybersecurity vulnerabilities in certain equipment used in the administration of elections for Federal office, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Election Security Assistance Act”.
SEC. 2. Reports to Congress on foreign threats to elections.
(a) In general.—Not later than 30 days after the date of enactment of this Act, and 30 days after the end of each fiscal year thereafter, the Secretary of Homeland Security and the Director of National Intelligence, in coordination with the heads of the appropriate Federal entities, shall submit a joint report to the appropriate congressional committees and the chief State election official of each State on foreign threats to elections in the United States, including physical and cybersecurity threats.
(b) Voluntary participation by States.—The Secretary shall solicit and consider voluntary comments from all State election agencies. Participation by an election agency in the report under this section shall be voluntary and at the discretion of the State.
(c) Appropriate Federal entities.—In this section, the term “appropriate Federal entities” means—
(1) the Department of Commerce, including the National Institute of Standards and Technology;
(2) the Department of Defense;
(3) the Department of Homeland Security, including the component of the Department that reports to the Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department;
(4) the Department of Justice, including the Federal Bureau of Investigation;
(5) the Election Assistance Commission; and
(6) the Office of the Director of National Intelligence, the National Security Agency, and such other elements of the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) as the Director of National Intelligence determines are appropriate.
(d) Other definitions.—In this section—
(1) the term “appropriate congressional committees” means—
(A) the Committee on Rules and Administration, the Committee on Homeland Security and Governmental Affairs, the Select Committee on Intelligence, and the Committee on Foreign Relations of the Senate; and
(B) the Committee on House Administration, the Committee on Homeland Security, the Permanent Select Committee on Intelligence, and the Committee on Foreign Affairs of the House of Representatives;
(2) the term “chief State election official” means, with respect to a State, the individual designated by the State under section 10 of the National Voter Registration Act of 1993 (52 U.S.C. 20509) to be responsible for coordination of the State’s responsibilities under such Act;
(3) the term “election agency” means any component of a State or any component of a unit of local government of a State that is responsible for administering Federal elections;
(4) the term “Secretary” means the Secretary of Homeland Security; and
(5) the term “State” has the meaning given such term in section 901 of the Help America Vote Act of 2002 (52 U.S.C. 21141).
SEC. 3. Process to test for and monitor cybersecurity vulnerabilities in election equipment.
(a) Process for covered voting systems.—
(1) IN GENERAL.—The Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security and the Election Assistance Commission (in consultation with the Technical Guidelines Development Committee and the Standards Board of the Commission), shall jointly establish a voluntary process to test for and monitor covered voting systems for cybersecurity vulnerabilities. Such process shall include the following:
(A) Mitigation strategies and other remedies.
(B) Notice to the Commission and appropriate entities of the results of testing conducted pursuant to such process.
(2) IMPLEMENTATION.—The Director shall implement the process established under paragraph (1) at the request of the Commission.
(b) Labeling for voting systems.—The Commission (in consultation with the Technical Guidelines Development Committee and the Standards Board of the Commission), shall establish a process to provide for the deployment of appropriate labeling available through the website of the Commission to indicate that covered voting systems passed the most recent cybersecurity testing pursuant to the process established under subsection (a).
(c) Rules of construction.—The process established under subsection (a), including the results of any testing carried out pursuant to this section, shall not affect—
(1) the certification status of equipment used in the administration of an election for Federal office under the Help America Vote Act of 2002; or
(2) the authority of the Commission to so certify such equipment under such Act.
(d) Definition.—In this section, the term “covered voting systems” means equipment used in the administration of an election for Federal office that is certified in accordance with versions of Voluntary Voting System Guidelines under the Help America Vote Act of 2002 under which such equipment is not required to be tested for cybersecurity vulnerabilities.
SEC. 4. Duty of Secretary of Homeland Security to notify State and local officials of election cybersecurity incidents.
(a) Duty To share information with Department of Homeland Security.—If a Federal entity receives information about an election cybersecurity incident, the Federal entity shall promptly share that information with the Department of Homeland Security, unless the head of the entity (or a Senate-confirmed official designated by the head) makes a specific determination in writing that there is good cause to withhold the particular information.
(b) Response to receipt of information by Secretary of Homeland Security.—
(1) IN GENERAL.—Upon receiving information about an election cybersecurity incident under subsection (a), the Secretary of Homeland Security, in consultation with the Attorney General, the Director of the Federal Bureau of Investigation, and the Director of National Intelligence, shall promptly (but in no case later than 96 hours after receiving the information) review the information and make a determination whether each of the following apply:
(A) There is credible evidence that the incident occurred.
(B) There is a basis to believe that the incident resulted, could have resulted, or could result in voter information systems or voter tabulation systems being altered or otherwise affected.
(2) DUTY TO NOTIFY STATE AND LOCAL OFFICIALS.—
(A) DUTY DESCRIBED.—If the Secretary makes a determination under paragraph (1) that subparagraphs (A) and (B) of such paragraph apply with respect to an election cybersecurity incident, not later than 96 hours after making the determination, the Secretary shall provide a notification of the incident to each of the following:
(i) The chief executive of the State involved.
(ii) The State election official of the State involved.
(iii) The local election official of the election agency involved.
(B) TREATMENT OF CLASSIFIED INFORMATION.—
(i) EFFORTS TO AVOID INCLUSION OF CLASSIFIED INFORMATION.—In preparing a notification provided under this paragraph to an individual described in clause (i), (ii), or (iii) of subparagraph (A), the Secretary shall attempt to avoid the inclusion of classified information.
(ii) PROVIDING GUIDANCE TO STATE AND LOCAL OFFICIALS.—To the extent that a notification provided under this paragraph to an individual described in clause (i), (ii), or (iii) of subparagraph (A) includes classified information, the Secretary (in consultation with the Attorney General and the Director of National Intelligence) shall indicate in the notification which information is classified.
(A) IN GENERAL.—If the Secretary, in consultation with the Attorney General and the Director of National Intelligence, makes a determination that it is not possible to provide a notification under paragraph (1) with respect to an election cybersecurity incident without compromising intelligence methods or sources or interfering with an ongoing investigation, the Secretary shall not provide the notification under such paragraph.
(B) ONGOING REVIEW.—Not later than 30 days after making a determination under subparagraph (A) and every 30 days thereafter, the Secretary shall review the determination. If, after reviewing the determination, the Secretary makes a revised determination that it is possible to provide a notification under paragraph (2) without compromising intelligence methods or sources or interfering with an ongoing investigation, the Secretary shall provide the notification under paragraph (2) not later than 96 hours after making such revised determination.
(4) COORDINATION WITH ELECTION ASSISTANCE COMMISSION.—The Secretary shall make determinations and provide notifications under this subsection in the same manner, and subject to the same terms and conditions relating to the role of the Election Assistance Commission, in which the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security makes determinations as to the necessity of an advisory and the issuance of an advisory under section 3(a) and the provision of notification under section 3(b).
(c) Definitions.—In this section, the following definitions apply:
(1) ELECTION AGENCY.—The term “election agency” means any component of a State, or any component of a unit of local government in a State, which is responsible for the administration of elections for Federal office in the State.
(2) ELECTION CYBERSECURITY INCIDENT.—The term “election cybersecurity incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system of election infrastructure (including a vote tabulation system), or actually or imminently jeopardizes, without lawful authority, such an information system of election infrastructure.
(3) FEDERAL ELECTION.—The term “Federal election” means any election (as defined in section 301(1) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal office (as defined in section 301(3) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(3))).
(4) FEDERAL ENTITY.—The term “Federal entity” means any agency (as defined in section 551 of title 5, United States Code).
(5) LOCAL ELECTION OFFICIAL.—The term “local election official” means the chief election official of a component of a unit of local government of a State that is responsible for administering Federal elections.
(6) SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.
(7) STATE.—The term “State” means each of the several States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands.
(8) STATE ELECTION OFFICIAL.—The term “State election official” means—
(A) the chief State election official of a State designated under section 10 of the National Voter Registration Act of 1993 (52 U.S.C. 20509); or
(B) in the case of Puerto Rico, Guam, American Samoa, the Northern Mariana Islands, and the United States Virgin Islands, a chief State election official designated by the State for purposes of this Act.
(d) Effective date.—This section shall apply with respect to information about an election cybersecurity incident which is received on or after the date of the enactment of this Act.
Nothing in this Act may be construed as authorizing the Secretary of Homeland Security to carry out the administration of an election for Federal office.