[House Report 115-961] [From the U.S. Government Publishing Office] 115th Congress } { Report HOUSE OF REPRESENTATIVES 2d Session } { 115-961 ====================================================================== PUBLIC-PRIVATE CYBERSECURITY COOPERATION ACT _______ September 25, 2018.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 6735] The Committee on Homeland Security, to whom was referred the bill (H.R. 6735) to direct the Secretary of Homeland Security to establish a vulnerability disclosure policy for Department of Homeland Security internet websites, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 3 Background and Need for Legislation.............................. 3 Hearings......................................................... 4 Committee Consideration.......................................... 4 Committee Votes.................................................. 5 Committee Oversight Findings..................................... 5 New Budget Authority, Entitlement Authority, and Tax Expenditures 5 Congressional Budget Office Estimate............................. 5 Statement of General Performance Goals and Objectives............ 5 Duplicative Federal Programs..................................... 5 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 5 Federal Mandates Statement....................................... 6 Preemption Clarification......................................... 6 Disclosure of Directed Rule Makings.............................. 6 Advisory Committee Statement..................................... 6 Applicability to Legislative Branch.............................. 6 Section-by-Section Analysis of the Legislation................... 6 Changes in Existing Law Made by the Bill, as Reported............ 7 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Public-Private Cybersecurity Cooperation Act''. SEC. 2. DEPARTMENT OF HOMELAND SECURITY DISCLOSURE OF SECURITY VULNERABILITIES. (a) Vulnerability Disclosure Policy.--The Secretary of Homeland Security shall establish a policy applicable to individuals, organizations, and companies that report security vulnerabilities on appropriate information systems of Department of Homeland Security. Such policy shall include each of the following: (1) The appropriate information systems of the Department that individuals, organizations, and companies may use to discover and report security vulnerabilities on appropriate information systems. (2) The conditions and criteria under which individuals, organizations, and companies may operate to discover and report security vulnerabilities. (3) How individuals, organizations, and companies may disclose to the Department security vulnerabilities discovered on appropriate information systems of the Department. (4) The ways in which the Department may communicate with individuals, organizations, and companies that report security vulnerabilities. (5) The process the Department shall use for public disclosure of reported security vulnerabilities. (b) Remediation Process.--The Secretary of Homeland Security shall develop a process for the Department of Homeland Security to address the mitigation or remediation of the security vulnerabilities reported through the policy developed in subsection (a). (c) Consultation.--In developing the security vulnerability disclosure policy under subsection (a), the Secretary of Homeland Security shall consult with each of the following: (1) The Attorney General regarding how to ensure that individuals, organizations, and companies that comply with the requirements of the policy developed under subsection (a) are protected from prosecution under section 1030 of title 18, United States Code, civil lawsuits, and similar provisions of law with respect to specific activities authorized under the policy. (2) The Secretary of Defense and the Administrator of General Services regarding lessons that may be applied from existing vulnerability disclosure policies. (3) Non-governmental security researchers. (d) Public Availability.--The Secretary of Homeland Security shall make the policy developed under subsection (a) publicly available. (e) Submission to Congress.-- (1) Disclosure policy and remediation process.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to Congress a copy of the policy required under subsection (a) and the remediation process required under subsection (b). (2) Report and briefing.-- (A) Report.--Not later than one year after establishing the policy required under subsection (a), the Secretary of Homeland Security shall submit to Congress a report on such policy and the remediation process required under subsection (b). (B) Annual briefings.--One year after the date of the submission of the report under subparagraph (A), and annually thereafter for each of the next three years, the Secretary of Homeland Security shall provide to Congress a briefing on the policy required under subsection (a) and the process required under subsection (b). (C) Matters for inclusion.--The report required under subparagraph (A) and the briefings required under subparagraph (B) shall include each of the following with respect to the policy required under subsection (a) and the process required under subsection (b) for the period covered by the report or briefing, as the case may be: (i) The number of unique security vulnerabilities reported. (ii) The number of previously unknown security vulnerabilities mitigated or remediated. (iii) The number of unique individuals, organizations, and companies that reported security vulnerabilities. (iv) The average length of time between the reporting of security vulnerabilities and mitigation or remediation of such vulnerabilities. (f) Definitions.--In this section: (1) The term ``security vulnerability'' has the meaning given that term in section 102(17) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501(17)), in information technology. (2) The term ``information system'' has the meaning given that term by section 3502(12) of title 44, United States Code. (3) The term ``appropriate information system'' means an information system that the Secretary of Homeland Security selects for inclusion under the vulnerability disclosure policy required by subsection (a). PURPOSE AND SUMMARY H.R. 6735, the ``Public-Private Cybersecurity Cooperation Act'' requires the Secretary of Homeland Security to establish a policy for the reporting and remediation of security vulnerabilities on appropriate information systems within 90 days. The policy must include an understanding of the information technology that the policy applies to, the conditions under which individuals or organizations legally may discover and report vulnerabilities, and how those vulnerabilities are to be reported and disclosed. Additionally, the bill requires the Department to identify a process that it must go through in mitigating and remediating security vulnerabilities. In developing the policy, the Secretary must consult with the Attorney General, the Secretary of Defense, the Administrator of the General Services Administration, and non-governmental security researchers. Finally, the bill lays out the specifics for reporting the policy to Congress, as well as a report to Congress on the effectiveness of the policy. BACKGROUND AND NEED FOR LEGISLATION In 2016, the Defense Digital Service (DDS) within the Department of Defense (DOD) created the ``Hack the Pentagon Bug Bounty Program'' which allowed civic-minded security researchers the opportunity to report vulnerabilities found on DOD websites. Following the ``Hack the Pentagon program'', DDS created a Vulnerability Disclosure Policy that allowed individuals and organizations the ability to submit vulnerabilities found on DOD websites through an online portal. The ability of the DOD to leverage the public in finding vulnerabilities in public websites enabled a greater understanding of DOD's public facing cybersecurity risks. Based on the model and experience of DOD's vulnerability disclosure policy, this legislation would direct the Department to develop its own vulnerability disclosure policy. It is accepted industry practice among major technology companies to use vulnerability disclosure programs and bug bounty programs to help ensure the safety and security of their websites and platforms. Threat researchers from the private sector have commented on the process of receiving, reviewing, and responding to vulnerability disclosures as a foundational element of the modern cybersecurity policy. Members of the Committee have expressed concerns over the Department's lack of a vulnerability disclosure policy, at both Full Committee hearings and in correspondence with the Department. To date, the Department has no legal avenue for people to report vulnerabilities found of the Department's websites. As the government faces ongoing threats to its online infrastructure, the goal of this legislation is to engage the public to be proactive with security concerns and improve its cybersecurity efforts. H.R. 6735 directs the Secretary of Homeland Security to develop and implement a vulnerability disclosure program to keep pace with the constantly evolving threats the Department faces. Additionally, H.R. 6735 will ensure that the Department continues to lead by example in the government's efforts to improve its cybersecurity posture. HEARINGS While the committee did not hold any hearings on H.R. 6735 directly, the following hearings touched on oversight authority: March 9, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``The Current State of DHS Private Sector Engagement for Cybersecurity'' March 22, 2017--Full Committee: ``A Borderless Battle: Defending Against Cyber Threats'' March, 28, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``The Current State of DHS' Efforts to Secure Federal Networks'' October 3, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Examining DHS' Cybersecurity Mission'' November 15, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Maximizing the Value of Cyber Threat Information Sharing'' April 26, 2018--Full Committee: ``Strengthening the Safety and Security of Our Nation: The President's FY2019 Budget Request for the Department of Homeland Security'' July 25, 2018--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Assessing the State of Federal Cybersecurity Risk Determination'' COMMITTEE CONSIDERATION The Committee met on September 13, 2018, to consider H.R. 6735 and ordered the measure to be reported to the House with a favorable recommendation, amended, by unanimous consent. The Committee took the following actions: The following amendments were offered: An Amendment offered by Mr. Ratcliffe and Mr. Langevin (#1); was AGREED TO by unanimous consent. Consisting of the following amendments: This amendment amends the long title to read: ``A bill to direct the Secretary of Homeland Security to establish a vulnerability disclosure policy for appropriate information systems of the Department of Homeland Security, and for other purposes.'' Creates the short title: ``Public-Private Cybersecurity Cooperation Act''. Page 2, lines 1 through 2, strike ``Department of Homeland Security public internet websites that shall include'' and insert ``appropriate information systems of the Department of Homeland Security. Such policy shall include each of the following:''. Page 2, lines 3 through 4, strike ``the information technology to which the policy applies'' and insert ``The appropriate information systems of the Department that individuals, organizations, and companies may use to discover and report security vulnerabilities on appropriate information systems''. In addition, makes technical corrections and updates the disclosure policy and remediation process. COMMITTEE VOTES Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 6735. COMMITTEE OVERSIGHT FINDINGS Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 6735 the ``Public-Private Cybersecurity Cooperation Act'', would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. CONGRESSIONAL BUDGET OFFICE ESTIMATE Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 6735 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. H.R. 6735 requires the Secretary of Homeland Security to provide the vulnerability disclosure policy to Congress, and report to Congress on a variety of metrics related to the efficiency and success of vulnerability reporting and mitigation. DUPLICATIVE FEDERAL PROGRAMS Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 6735 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the rule XXI. FEDERAL MANDATES STATEMENT An estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. PREEMPTION CLARIFICATION In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 6735 does not preempt any State, local, or Tribal law. DISCLOSURE OF DIRECTED RULE MAKINGS The Committee estimates that H.R. 6735 would require no directed rule makings. ADVISORY COMMITTEE STATEMENT No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. APPLICABILITY TO LEGISLATIVE BRANCH The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION Section 1. Short title This section provides that this bill may be cited as the ``Public-Private Cybersecurity Cooperation Act''. Sec. 2. Department of Homeland Security disclosure of security vulnerabilities Section 1(a) requires the Secretary of Homeland Security (the Secretary) to establish a policy for individuals, organizations, and companies to report security vulnerabilities on Department of Homeland Security (DHS) appropriate information systems. The vulnerability disclosure policy required shall include: the applicable information technology; conditions and criteria under which individuals, organizations, and companies may legally operate and report security vulnerabilities; how vulnerabilities can be disclosed to DHS; how DHS will communicate with the parties that discover vulnerabilities; and how DHS or individuals can report security vulnerabilities. The Committee intends that the policy developed by the Department take into account the process for communicating vulnerabilities with the original manufacturer of the technology. Section (b) requires the Secretary to develop a process for DHS to mitigate or remediate security vulnerabilities reported through the policy. Section (c) requires the Secretary to consult with the Attorney General, Secretary of Defense and Administrator of the General Services Administration, as well as non-governmental security researchers when developing the vulnerability disclosure policy. Section (d) requires the Secretary to make the vulnerability disclosure policy publicly available. The Committee intends lessons learned from other agencies that have existing security vulnerability disclosure programs be incorporated into DHS' policy. Additionally, the Committee intends that, to the extent security vulnerabilities reported to the Department are present in non-Department information systems, those vulnerabilities should be shared with participants in the Department's information sharing programs, including other federal agencies. The Secretary is required under section (e) to submit the policy to Congress within 90 days, additionally the Secretary has to submit an annual report for three years (e)(2), on the number of unique security vulnerabilities reports, the number of previously unknown security vulnerabilities mitigated or remediated, the number of unique parties that reported security vulnerabilities, and the average length of time between the reporting of the security vulnerability and when it was mitigated or remediated. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED As reported, H.R. 6735 makes no changes to existing law. [all]