[House Report 115-283] [From the U.S. Government Publishing Office] 115th Congress } { Report HOUSE OF REPRESENTATIVES 1st Session } { 115-283 ====================================================================== CYBER VULNERABILITY DISCLOSURE REPORTING ACT _______ September 1, 2017.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 3202] The Committee on Homeland Security, to whom was referred the bill (H.R. 3202) to require the Secretary of Homeland Security to submit a report on cyber vulnerability disclosures, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass. CONTENTS Page Purpose and Summary.............................................. 1 Background and Need for Legislation.............................. 2 Hearings......................................................... 2 Committee Consideration.......................................... 2 Committee Votes.................................................. 2 Committee Oversight Findings..................................... 3 New Budget Authority, Entitlement Authority, and Tax Expenditures 3 Congressional Budget Office Estimate............................. 3 Statement of General Performance Goals and Objectives............ 3 Duplicative Federal Programs..................................... 3 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 3 Federal Mandates Statement....................................... 3 Preemption Clarification......................................... 4 Disclosure of Directed Rule Makings.............................. 4 Advisory Committee Statement..................................... 4 Applicability to Legislative Branch.............................. 4 Section-by-Section Analysis of the Legislation................... 4 Changes in Existing Law Made by the Bill, as Reported............ 5 Purpose and Summary The Secretary of Homeland Security is directed to provide a report to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate containing a description of the policies and procedures developed by the Department of Homeland Security to coordinate the disclosure of cyber vulnerabilities. Further, the report should contain, where available, information on the degree to which the information was acted upon by industry and other stakeholders. The report may also contain a description of how the Secretary is working with other Federal entities and critical infrastructure owners and operators to prevent, detect, and mitigate cyber vulnerabilities. Background and Need for Legislation Computers are ubiquitous: we use them dozens of times a day in everyday life--banking, communications, and work. As the world has become increasingly interconnected through the internet of things vulnerabilities in the computer code that run the systems can expose them to exploitation by a variety of people from hackers and criminals to nation States. The Nation's critical infrastructure is diverse and complex. It includes distributed networks, interdependent functions and systems in both the physical space and cyberspace. The Department of Homeland Security was given the authority by the Cybersecurity Act of 2015 to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats. The Homeland Security Act of 2002 (Section 227(m)) allows the Secretary to coordinate with industry to develop Department policies and procedures for coordinating the disclosure of cyber vulnerabilities. This disclosure is important as it highlights vulnerabilities and allows the public and private sector to work to prevent and mitigate cyber threats. H.R. 3202 directs the Secretary of the Department of Homeland Security to produce a report that describes the policies and procedures developed to coordinate the disclosure of cyber vulnerabilities. Hearings No hearings were held on H.R. 3202 in the 115th Congress. Committee Consideration The Committee met on July 26, 2017, to consider H.R. 3202, and ordered the measure to be reported to the House with a favorable recommendation, without amendment, by voice vote. Committee Votes Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during Committee consideration of H.R. 3202. Committee Oversight Findings Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 3202 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. H.R. 3202 directs the Secretary of the Department of Homeland Security produce a report that describes the policies and procedures developed to coordinate the disclosure of cyber vulnerabilities. Duplicative Federal Programs Pursuant to clause 3(c) of Rule XIII, the Committee finds that H.R. 21626 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with Rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule XXI. Federal Mandates Statement An estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 3202 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 3202 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short Title. This section provides that this bill may be cited as the ``Cyber Vulnerability Disclosure Reporting Act''. Sec. 2. Report on Cyber Vulnerabilities. This section directs the Secretary of Homeland Security to submit a report within 240 days to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate. The report shall contain a description of the policies and procedures developed by the Department of Homeland Security to coordinate the disclosure of cyber vulnerabilities, in accordance with section 227(m) of the Homeland Security Act of 2002 (6 U.S.C. 148(m)). To the extent possible, the report shall include an annex with information describing the occasions on which such policies and procedures were used to disclose cyber vulnerabilities in the year prior to the date that the report is required. Further, the report should contain, where available, information on the degree to which the information was acted upon by industry and other stakeholders. The report may also contain a description of how the Secretary is working with other Federal entities and critical infrastructure owners and operators to prevent, detect, and mitigate cyber vulnerabilities. The report should be unclassified, but may contain a classified annex. Changes in Existing Law Made by the Bill, as Reported As reported, H.R. 3202 makes no changes to existing law. [all]