HR-7447 : Still Just a Bill

The SECURE IT Act (H.R. 7447) aims to enhance the cybersecurity of U.S. elections by amending the Help America Vote Act of 2002. The bill has two main components:

• Penetration Testing Requirement: Mandates the Election Assistance Commission (EAC) to include penetration testing as part of the testing, certification, decertification, and recertification processes for voting system hardware and software. The National Institute of Standards and Technology (NIST) will recommend entities to be accredited for conducting this testing.
• Vulnerability Disclosure Pilot Program: Establishes a pilot program for independent security testing and coordinated vulnerability disclosure for election systems (VDP-E). This program:
  • Allows election system vendors to make their systems available for testing by vetted cybersecurity researchers.
  • Requires researchers to notify vendors, the EAC, and the Secretary of Homeland Security of any vulnerabilities found and keep them confidential for 180 days.
  • Mandates vendors to provide patches or mitigations for critical or high vulnerabilities to relevant election officials.
  • Provides for expedited review of patches or fixes by the EAC.
  • Includes a safe harbor clause to protect researchers from legal action for good faith violations during testing and publication of research.

Participation in the vulnerability disclosure program is voluntary for both vendors and researchers. The bill also includes definitions for key terms such as "cybersecurity vulnerability," "election system," and "election system vendor."