[House Report 115-283]
[From the U.S. Government Publishing Office]
115th Congress } { Report
HOUSE OF REPRESENTATIVES
1st Session } { 115-283
======================================================================
CYBER VULNERABILITY DISCLOSURE REPORTING ACT
_______
September 1, 2017.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. McCaul, from the Committee on Homeland Security, submitted the
following
R E P O R T
[To accompany H.R. 3202]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 3202) to require the Secretary of Homeland
Security to submit a report on cyber vulnerability disclosures,
and for other purposes, having considered the same, reports
favorably thereon without amendment and recommends that the
bill do pass.
CONTENTS
Page
Purpose and Summary.............................................. 1
Background and Need for Legislation.............................. 2
Hearings......................................................... 2
Committee Consideration.......................................... 2
Committee Votes.................................................. 2
Committee Oversight Findings..................................... 3
New Budget Authority, Entitlement Authority, and Tax Expenditures 3
Congressional Budget Office Estimate............................. 3
Statement of General Performance Goals and Objectives............ 3
Duplicative Federal Programs..................................... 3
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits....................................................... 3
Federal Mandates Statement....................................... 3
Preemption Clarification......................................... 4
Disclosure of Directed Rule Makings.............................. 4
Advisory Committee Statement..................................... 4
Applicability to Legislative Branch.............................. 4
Section-by-Section Analysis of the Legislation................... 4
Changes in Existing Law Made by the Bill, as Reported............ 5
Purpose and Summary
The Secretary of Homeland Security is directed to provide a
report to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate containing a description of
the policies and procedures developed by the Department of
Homeland Security to coordinate the disclosure of cyber
vulnerabilities. Further, the report should contain, where
available, information on the degree to which the information
was acted upon by industry and other stakeholders. The report
may also contain a description of how the Secretary is working
with other Federal entities and critical infrastructure owners
and operators to prevent, detect, and mitigate cyber
vulnerabilities.
Background and Need for Legislation
Computers are ubiquitous: we use them dozens of times a day
in everyday life--banking, communications, and work. As the
world has become increasingly interconnected through the
internet of things vulnerabilities in the computer code that
run the systems can expose them to exploitation by a variety of
people from hackers and criminals to nation States.
The Nation's critical infrastructure is diverse and
complex. It includes distributed networks, interdependent
functions and systems in both the physical space and
cyberspace. The Department of Homeland Security was given the
authority by the Cybersecurity Act of 2015 to improve
cybersecurity in the United States through enhanced sharing of
information about cybersecurity threats.
The Homeland Security Act of 2002 (Section 227(m)) allows
the Secretary to coordinate with industry to develop Department
policies and procedures for coordinating the disclosure of
cyber vulnerabilities. This disclosure is important as it
highlights vulnerabilities and allows the public and private
sector to work to prevent and mitigate cyber threats.
H.R. 3202 directs the Secretary of the Department of
Homeland Security to produce a report that describes the
policies and procedures developed to coordinate the disclosure
of cyber vulnerabilities.
Hearings
No hearings were held on H.R. 3202 in the 115th Congress.
Committee Consideration
The Committee met on July 26, 2017, to consider H.R. 3202,
and ordered the measure to be reported to the House with a
favorable recommendation, without amendment, by voice vote.
Committee Votes
Clause 3(b) of Rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
No recorded votes were requested during Committee
consideration of H.R. 3202.
Committee Oversight Findings
Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the
House of Representatives, the Committee has held oversight
hearings and made findings that are reflected in this report.
New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of Rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
3202, the Cyber Vulnerability Disclosure Reporting Act, would
result in no new or increased budget authority, entitlement
authority, or tax expenditures or revenues.
Congressional Budget Office Estimate
Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the
House of Representatives, a cost estimate provided by the
Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974 was not made available to the
Committee in time for the filing of this report. The Chairman
of the Committee shall cause such estimate to be printed in the
Congressional Record upon its receipt by the Committee.
Statement of General Performance Goals and Objectives
Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the
House of Representatives, H.R. 3202 contains the following
general performance goals and objectives, including outcome
related goals and objectives authorized.
H.R. 3202 directs the Secretary of the Department of
Homeland Security produce a report that describes the policies
and procedures developed to coordinate the disclosure of cyber
vulnerabilities.
Duplicative Federal Programs
Pursuant to clause 3(c) of Rule XIII, the Committee finds
that H.R. 21626 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
In compliance with Rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule
XXI.
Federal Mandates Statement
An estimate of Federal mandates prepared by the Director of
the Congressional Budget Office pursuant to section 423 of the
Unfunded Mandates Reform Act was not made available to the
Committee in time for the filing of this report. The Chairman
of the Committee shall cause such estimate to be printed in the
Congressional Record upon its receipt by the Committee.
Preemption Clarification
In compliance with section 423 of the Congressional Budget
Act of 1974, requiring the report of any Committee on a bill or
joint resolution to include a statement on the extent to which
the bill or joint resolution is intended to preempt State,
local, or Tribal law, the Committee finds that H.R. 3202 does
not preempt any State, local, or Tribal law.
Disclosure of Directed Rule Makings
The Committee estimates that H.R. 3202 would require no
directed rule makings.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Section-by-Section Analysis of the Legislation
Section 1. Short Title.
This section provides that this bill may be cited as the
``Cyber Vulnerability Disclosure Reporting Act''.
Sec. 2. Report on Cyber Vulnerabilities.
This section directs the Secretary of Homeland Security to
submit a report within 240 days to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate. The
report shall contain a description of the policies and
procedures developed by the Department of Homeland Security to
coordinate the disclosure of cyber vulnerabilities, in
accordance with section 227(m) of the Homeland Security Act of
2002 (6 U.S.C. 148(m)).
To the extent possible, the report shall include an annex
with information describing the occasions on which such
policies and procedures were used to disclose cyber
vulnerabilities in the year prior to the date that the report
is required. Further, the report should contain, where
available, information on the degree to which the information
was acted upon by industry and other stakeholders. The report
may also contain a description of how the Secretary is working
with other Federal entities and critical infrastructure owners
and operators to prevent, detect, and mitigate cyber
vulnerabilities.
The report should be unclassified, but may contain a
classified annex.
Changes in Existing Law Made by the Bill, as Reported
As reported, H.R. 3202 makes no changes to existing law.
[all]