For the People Act of 2021 (H.R. 1; 117th Congress)/Division A/Title III/Subtitle A

Part 1 - VOTING SYSTEM SECURITY IMPROVEMENT GRANTS.

SEC. 3001. - GRANTS FOR OBTAINING COMPLIANT PAPER BALLOT VOTING SYSTEMS AND CARRYING OUT VOTING SYSTEM SECURITY IMPROVEMENTS.

(a) Availability Of Grants.—Subtitle D of title II of the Help America Vote Act of 2002 (52 U.S.C. 21001 et seq.), as amended by section 1622(b), is amended by adding at the end the following new part:

“PART 8—GRANTS FOR OBTAINING COMPLIANT PAPER BALLOT VOTING SYSTEMS AND CARRYING OUT VOTING SYSTEM SECURITY IMPROVEMENTS

“SEC. 298. - GRANTS FOR OBTAINING COMPLIANT PAPER BALLOT VOTING SYSTEMS AND CARRYING OUT VOTING SYSTEM SECURITY IMPROVEMENTS.

“(a) Availability And Use Of Grant.—The Commission shall make a grant to each eligible State—

“(1) to replace a voting system—

“(A) which does not meet the requirements which are first imposed on the State pursuant to the amendments made by the Voter Confidence and Increased Accessibility Act of 2021 with a voting system which does meet such requirements, for use in the regularly scheduled general elections for Federal office held in November 2022; or

“(B) which does meet such requirements but which is not in compliance with the most recent voluntary voting system guidelines issued by the Commission prior to the regularly scheduled general election for Federal office held in November 2022 with another system which does meet such requirements and is in compliance with such guidelines;

“(2) to carry out voting system security improvements described in section 298A with respect to the regularly scheduled general elections for Federal office held in November 2022 and each succeeding election for Federal office; and

“(3) to implement and model best practices for ballot design, ballot instructions, and the testing of ballots.

“(b) Amount Of Grant.—The amount of a grant made to a State under this section shall be such amount as the Commission determines to be appropriate, except that such amount may not be less than the product of $1 and the average of the number of individuals who cast votes in any of the two most recent regularly scheduled general elections for Federal office held in the State.

“(c) Pro Rata Reductions.—If the amount of funds appropriated for grants under this part is insufficient to ensure that each State receives the amount of the grant calculated under subsection (b), the Commission shall make such pro rata reductions in such amounts as may be necessary to ensure that the entire amount appropriated under this part is distributed to the States.

“(d) Surplus Appropriations.—If the amount of funds appropriated for grants authorized under section 298D(a)(2) exceed the amount necessary to meet the requirements of subsection (b), the Commission shall consider the following in making a determination to award remaining funds to a State:

“(1) The record of the State in carrying out the following with respect to the administration of elections for Federal office:

“(A) Providing voting machines that are less than 10 years old.

“(B) Implementing strong chain of custody procedures for the physical security of voting equipment and paper records at all stages of the process.

“(C) Conducting pre-election testing on every voting machine and ensuring that paper ballots are available wherever electronic machines are used.

“(D) Maintaining offline backups of voter registration lists.

“(E) Providing a secure voter registration database that logs requests submitted to the database.

“(F) Publishing and enforcing a policy detailing use limitations and security safeguards to protect the personal information of voters in the voter registration process.

“(G) Providing secure processes and procedures for reporting vote tallies.

“(H) Providing a secure platform for disseminating vote totals.

“(2) Evidence of established conditions of innovation and reform in providing voting system security and the proposed plan of the State for implementing additional conditions.

“(3) Evidence of collaboration between relevant stakeholders, including local election officials, in developing the grant implementation plan described in section 298B.

“(4) The plan of the State to conduct a rigorous evaluation of the effectiveness of the activities carried out with the grant.

“(e) Ability Of Replacement Systems To Administer Ranked Choice Elections.—To the greatest extent practicable, an eligible State which receives a grant to replace a voting system under this section shall ensure that the replacement system is capable of administering a system of ranked choice voting under which each voter shall rank the candidates for the office in the order of the voter’s preference.

“SEC. 298A. - VOTING SYSTEM SECURITY IMPROVEMENTS DESCRIBED.

“(a) Permitted Uses.—A voting system security improvement described in this section is any of the following:

“(1) The acquisition of goods and services from qualified election infrastructure vendors by purchase, lease, or such other arrangements as may be appropriate.

“(2) Cyber and risk mitigation training.

“(3) A security risk and vulnerability assessment of the State’s election infrastructure which is carried out by a provider of cybersecurity services under a contract entered into between the chief State election official and the provider.

“(4) The maintenance of election infrastructure, including addressing risks and vulnerabilities which are identified under either of the security risk and vulnerability assessments described in paragraph (3), except that none of the funds provided under this part may be used to renovate or replace a building or facility which is used primarily for purposes other than the administration of elections for public office.

“(5) Providing increased technical support for any information technology infrastructure that the chief State election official deems to be part of the State’s election infrastructure or designates as critical to the operation of the State’s election infrastructure.

“(6) Enhancing the cybersecurity and operations of the information technology infrastructure described in paragraph (4).

“(7) Enhancing the cybersecurity of voter registration systems.

“(b) Qualified Election Infrastructure Vendors Described.—

“(1) IN GENERAL.—For purposes of this part, a ‘qualified election infrastructure vendor’ is any person who provides, supports, or maintains, or who seeks to provide, support, or maintain, election infrastructure on behalf of a State, unit of local government, or election agency (as defined in section 3601 of the Election Security Act) who meets the criteria described in paragraph (2).

“(2) CRITERIA.—The criteria described in this paragraph are such criteria as the Chairman, in coordination with the Secretary of Homeland Security, shall establish and publish, and shall include each of the following requirements:

“(A) The vendor must be owned and controlled by a citizen or permanent resident of the United States.

“(B) The vendor must disclose to the Chairman and the Secretary, and to the chief State election official of any State to which the vendor provides any goods and services with funds provided under this part, of any sourcing outside the United States for parts of the election infrastructure.

“(C) The vendor must disclose to the Chairman and the Secretary, and to the chief State election official of any State to which the vendor provides any goods and services with funds provided under this part, the identification of any entity or individual with a more than five percent ownership interest in the vendor.

“(D) The vendor agrees to ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.

“(E) The vendor agrees to maintain its information technology infrastructure in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.

“(F) The vendor agrees to ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the supply chain best practices issued by the Technical Guidelines Development Committee.

“(G) The vendor agrees to ensure that it has personnel policies and practices in place that are consistent with personnel best practices, including cybersecurity training and background checks, issued by the Technical Guidelines Development Committee.

“(H) The vendor agrees to ensure that the election infrastructure will be developed and maintained in a manner that is consistent with data integrity best practices, including requirements for encrypted transfers and validation, testing and checking printed materials for accuracy, and disclosure of quality control incidents, issued by the Technical Guidelines Development Committee.

“(I) The vendor agrees to meet the requirements of paragraph (3) with respect to any known or suspected cybersecurity incidents involving any of the goods and services provided by the vendor pursuant to a grant under this part.

“(J) The vendor agrees to permit independent security testing by the Commission (in accordance with section 231(a)) and by the Secretary of the goods and services provided by the vendor pursuant to a grant under this part.

“(3) CYBERSECURITY INCIDENT REPORTING REQUIREMENTS.—

“(A) IN GENERAL.—A vendor meets the requirements of this paragraph if, upon becoming aware of the possibility that an election cybersecurity incident has occurred involving any of the goods and services provided by the vendor pursuant to a grant under this part—

“(i) the vendor promptly assesses whether or not such an incident occurred, and submits a notification meeting the requirements of subparagraph (B) to the Secretary and the Chairman of the assessment as soon as practicable (but in no case later than 3 days after the vendor first becomes aware of the possibility that the incident occurred);

“(ii) if the incident involves goods or services provided to an election agency, the vendor submits a notification meeting the requirements of subparagraph (B) to the agency as soon as practicable (but in no case later than 3 days after the vendor first becomes aware of the possibility that the incident occurred), and cooperates with the agency in providing any other necessary notifications relating to the incident; and

“(iii) the vendor provides all necessary updates to any notification submitted under clause (i) or clause (ii).

“(B) CONTENTS OF NOTIFICATIONS.—Each notification submitted under clause (i) or clause (ii) of subparagraph (A) shall contain the following information with respect to any election cybersecurity incident covered by the notification:

“(i) The date, time, and time zone when the election cybersecurity incident began, if known.

“(ii) The date, time, and time zone when the election cybersecurity incident was detected.

“(iii) The date, time, and duration of the election cybersecurity incident.

“(iv) The circumstances of the election cybersecurity incident, including the specific election infrastructure systems believed to have been accessed and information acquired, if any.

“(v) Any planned and implemented technical measures to respond to and recover from the incident.

“(vi) In the case of any notification which is an update to a prior notification, any additional material information relating to the incident, including technical data, as it becomes available.

“SEC. 298B. ELIGIBILITY OF STATES. “A State is eligible to receive a grant under this part if the State submits to the Commission, at such time and in such form as the Commission may require, an application containing—

“(1) a description of how the State will use the grant to carry out the activities authorized under this part;

“(2) a certification and assurance that, not later than 5 years after receiving the grant, the State will carry out risk-limiting audits and will carry out voting system security improvements, as described in section 298A; and

“(3) such other information and assurances as the Commission may require.

“SEC. 298C. REPORTS TO CONGRESS. “Not later than 90 days after the end of each fiscal year, the Commission shall submit a report to the appropriate congressional committees, including the Committees on Homeland Security, House Administration, and the Judiciary of the House of Representatives and the Committees on Homeland Security and Governmental Affairs, the Judiciary, and Rules and Administration of the Senate, on the activities carried out with the funds provided under this part. “SEC. 298D. AUTHORIZATION OF APPROPRIATIONS.

“(a) Authorization.—There are authorized to be appropriated for grants under this part—

“(1) $1,000,000,000 for fiscal year 2021; and

“(2) $175,000,000 for each of the fiscal years 2022, 2024, 2026, and 2028.

“(b) Continuing Availability Of Amounts.—Any amounts appropriated pursuant to the authorization of this section shall remain available until expended.”.

(b) Clerical Amendment.—The table of contents of such Act, as amended by section 1622(c), is amended by adding at the end of the items relating to subtitle D of title II the following:

“PART 8—GRANTS FOR OBTAINING COMPLIANT PAPER BALLOT VOTING SYSTEMS AND CARRYING OUT VOTING SYSTEM SECURITY IMPROVEMENTS

SEC. 3002. COORDINATION OF VOTING SYSTEM SECURITY ACTIVITIES WITH USE OF REQUIREMENTS PAYMENTS AND ELECTION ADMINISTRATION REQUIREMENTS UNDER HELP AMERICA VOTE ACT OF 2002.

(a) Duties Of Election Assistance Commission.—Section 202 of the Help America Vote Act of 2002 (52 U.S.C. 20922) is amended—

(1) in the matter preceding paragraph (1), by striking ‘‘by’’ and inserting ‘‘and the security of election infrastructure by’’; and

(2) by striking the semicolon at the end of paragraph (1) and inserting the following: “, and the development, maintenance and dissemination of cybersecurity guidelines to identify vulnerabilities that could lead to, protect against, detect, respond to and recover from cybersecurity incidents;”.

(b) Membership Of Secretary Of Homeland Security On Board Of Advisors Of Election Assistance Commission.—Section 214(a) of such Act (52 U.S.C. 20944(a)) is amended—

(1) by striking “37 members” and inserting “38 members”; and

(2) by adding at the end the following new paragraph:

“(17) The Secretary of Homeland Security or the Secretary’s designee.”.

(c) Representative Of Department Of Homeland Security On Technical Guidelines Development Committee.—Section 221(c)(1) of such Act (52 U.S.C. 20961(c)(1)) is amended—

(1) by redesignating subparagraph (E) as subparagraph (F); and

(2) by inserting after subparagraph (D) the following new subparagraph:

“(E) A representative of the Department of Homeland Security.”.

(d) Goals Of Periodic Studies Of Election Administration Issues; Consultation With Secretary Of Homeland Security.—Section 241(a) of such Act (52 U.S.C. 20981(a)) is amended—

(1) in the matter preceding paragraph (1), by striking “the Commission shall” and inserting “the Commission, in consultation with the Secretary of Homeland Security (as appropriate), shall”;

(2) by striking “and” at the end of paragraph (3);

(3) by redesignating paragraph (4) as paragraph (5); and

(4) by inserting after paragraph (3) the following new paragraph:

“(4) will be secure against attempts to undermine the integrity of election systems by cyber or other means; and”.

(e) Requirements Payments.—

(1) USE OF PAYMENTS FOR VOTING SYSTEM SECURITY IMPROVEMENTS.—Section 251(b) of such Act (52 U.S.C. 21001(b)), as amended by section 1061(a)(2), is further amended by adding at the end the following new paragraph:

“(5) PERMITTING USE OF PAYMENTS FOR VOTING SYSTEM SECURITY IMPROVEMENTS.—A State may use a requirements payment to carry out any of the following activities:

“(A) Cyber and risk mitigation training.

“(B) Providing increased technical support for any information technology infrastructure that the chief State election official deems to be part of the State’s election infrastructure or designates as critical to the operation of the State’s election infrastructure.

“(C) Enhancing the cybersecurity and operations of the information technology infrastructure described in subparagraph (B).

“(D) Enhancing the security of voter registration databases.”.

(2) INCORPORATION OF ELECTION INFRASTRUCTURE PROTECTION IN STATE PLANS FOR USE OF PAYMENTS.—Section 254(a)(1) of such Act (52 U.S.C. 21004(a)(1)) is amended by striking the period at the end and inserting “, including the protection of election infrastructure.”.

(3) COMPOSITION OF COMMITTEE RESPONSIBLE FOR DEVELOPING STATE PLAN FOR USE OF PAYMENTS.—Section 255 of such Act (52 U.S.C. 21005) is amended—

(A) by redesignating subsection (b) as subsection (c); and

(B) by inserting after subsection (a) the following new subsection:

“(b) Geographic Representation.—The members of the committee shall be a representative group of individuals from the State’s counties, cities, towns, and Indian tribes, and shall represent the needs of rural as well as urban areas of the State, as the case may be.”.

(f) Ensuring Protection Of Computerized Statewide Voter Registration List.—Section 303(a)(3) of such Act (52 U.S.C. 21083(a)(3)) is amended by striking the period at the end and inserting “, as well

as other measures to prevent and deter cybersecurity incidents, as identified by the Commission, the Secretary of Homeland Security, and the Technical Guidelines Development Committee.”.

(g) Senior Cyber Policy Advisor.—Section 204(a) of such Act (52 U.S.C. 20924(a)) is amended—

(1) by redesignating paragraphs (5) and (6) as paragraphs (6) and (7); and

(2) by inserting after paragraph (4) the following new paragraph:

“(5) SENIOR CYBER POLICY ADVISOR.—The Commission shall have a Senior Cyber Policy Advisor, who shall be appointed by the Commission and who shall serve under the Executive Director, and who shall be the primary policy advisor to the Commission on matters of cybersecurity for Federal elections.”.

Part 2 - GRANTS FOR RISK-LIMITING AUDITS OF RESULTS OF ELECTIONS.

SEC. 3011. GRANTS TO STATES FOR CONDUCTING RISK-LIMITING AUDITS OF RESULTS OF ELECTIONS.

(a) In General.—Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following new section:

“PART 9—GRANTS FOR CONDUCTING RISK-LIMITING AUDITS OF RESULTS OF ELECTIONS

“SEC. 299. GRANTS FOR CONDUCTING RISK-LIMITING AUDITS OF RESULTS OF ELECTIONS.

“(a) Availability Of Grants.—The Commission shall make a grant to each eligible State to conduct risk-limiting audits as described in subsection (b) with respect to the regularly scheduled general elections for Federal office held in November 2022 and each succeeding election for Federal office.

“(b) Risk-Limiting Audits Described.—In this part, a ‘risk-limiting audit’ is a post-election process—

“(1) which is conducted in accordance with rules and procedures established by the chief State election official of the State which meet the requirements of subsection (c); and

“(2) under which, if the reported outcome of the election is incorrect, there is at least a predetermined percentage chance that the audit will replace the incorrect outcome with the correct outcome as determined by a full, hand-to-eye tabulation of all votes validly cast in that election that ascertains voter intent manually and directly from voter-verifiable paper records.

“(c) Requirements For Rules And Procedures.—The rules and procedures established for conducting a risk-limiting audit shall include the following elements:

“(1) Rules for ensuring the security of ballots and documenting that prescribed procedures were followed.

“(2) Rules and procedures for ensuring the accuracy of ballot manifests produced by election agencies.

“(3) Rules and procedures for governing the format of ballot manifests, cast vote records, and other data involved in the audit.

“(4) Methods to ensure that any cast vote records used in the audit are those used by the voting system to tally the election results sent to the chief State election official and made public.

“(5) Procedures for the random selection of ballots to be inspected manually during each audit.

“(6) Rules for the calculations and other methods to be used in the audit and to determine whether and when the audit of an election is complete.

“(7) Procedures and requirements for testing any software used to conduct risk-limiting audits.

“(d) Definitions.—In this part, the following definitions apply:

“(1) The term ‘ballot manifest’ means a record maintained by each election agency that meets each of the following requirements:

“(A) The record is created without reliance on any part of the voting system used to tabulate votes.

“(B) The record functions as a sampling frame for conducting a risk-limiting audit.

“(C) The record contains the following information with respect to the ballots cast and counted in the election:

“(i) The total number of ballots cast and counted by the agency (including undervotes, overvotes, and other invalid votes).

“(ii) The total number of ballots cast in each election administered by the agency (including undervotes, overvotes, and other invalid votes).

“(iii) A precise description of the manner in which the ballots are physically stored, including the total number of physical groups of ballots, the numbering system for each group, a unique label for each group, and the number of ballots in each such group.

“(2) The term ‘incorrect outcome’ means an outcome that differs from the outcome that would be determined by a full tabulation of all votes validly cast in the election, determining voter intent manually, directly from voter-verifiable paper records.

“(3) The term ‘outcome’ means the winner of an election, whether a candidate or a position.

“(4) The term ‘reported outcome’ means the outcome of an election which is determined according to the canvass and which will become the official, certified outcome unless it is revised by an audit, recount, or other legal process.

“SEC. 299A. ELIGIBILITY OF STATES. “A State is eligible to receive a grant under this part if the State submits to the Commission, at such time and in such form as the Commission may require, an application containing—

“(1) a certification that, not later than 5 years after receiving the grant, the State will conduct risk-limiting audits of the results of elections for Federal office held in the State as described in section 299;

“(2) a certification that, not later than one year after the date of the enactment of this section, the chief State election official of the State has established or will establish the rules and procedures for conducting the audits which meet the requirements of section 299(c);

“(3) a certification that the audit shall be completed not later than the date on which the State certifies the results of the election;

“(4) a certification that, after completing the audit, the State shall publish a report on the results of the audit, together with such information as necessary to confirm that the audit was conducted properly;

“(5) a certification that, if a risk-limiting audit conducted under this part leads to a full manual tally of an election, State law requires that the State or election agency shall use the results of the full manual tally as the official results of the election; and

“(6) such other information and assurances as the Commission may require.

“SEC. 299B. AUTHORIZATION OF APPROPRIATIONS. “There are authorized to be appropriated for grants under this part $20,000,000 for fiscal year 2021, to remain available until expended.”.

(b) Clerical Amendment.—The table of contents of such Act, as amended by sections 1622(c) and 3001(b), is further amended by adding at the end of the items relating to subtitle D of title II the following:

“PART 9—GRANTS FOR CONDUCTING RISK-LIMITING AUDITS OF RESULTS OF ELECTIONS

SEC. 3012. GAO ANALYSIS OF EFFECTS OF AUDITS.

(a) Analysis.—Not later than 6 months after the first election for Federal office is held after grants are first awarded to States for conducting risk-limiting audits under part 9 of subtitle D of title II of the Help America Vote Act of 2002 (as added by section 3011) for conducting risk-limiting audits of elections for Federal office, the Comptroller General of the United States shall conduct an analysis of the extent to which such audits have improved the administration of such elections and the security of election infrastructure in the States receiving such grants.

(b) Report.—The Comptroller General of the United States shall submit a report on the analysis conducted under subsection (a) to the appropriate congressional committees.

Part 3 - ELECTION INFRASTRUCTURE INNOVATION GRANT PROGRAM.

SEC. 3021. - ELECTION INFRASTRUCTURE INNOVATION GRANT PROGRAM.

(a) In General.—Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following new section:

“SEC. 321. ELECTION INFRASTRUCTURE INNOVATION GRANT PROGRAM.

“(a) Establishment.—The Secretary, acting through the Under Secretary for Science and Technology, in coordination with the Chairman of the Election Assistance Commission (established pursuant to the Help America Vote Act of 2002) and in consultation with the Director of the National Science Foundation and the Director of the National Institute of Standards and Technology, shall establish a competitive grant program to award grants to eligible entities, on a competitive basis, for purposes of research and development that are determined to have the potential to significantly improve the security (including cybersecurity), quality, reliability, accuracy, accessibility, and affordability of election infrastructure, and increase voter participation.

“(b) Report To Congress.—Not later than 90 days after the conclusion of each fiscal year for which grants are awarded under this section, the Secretary shall submit to the Committee on Homeland Security and the Committee on House Administration of the House of Representatives and the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate a report describing such grants and analyzing the impact, if any, of such grants on the security and operation of election infrastructure, and on voter participation.

“(c) Authorization Of Appropriations.—There is authorized to be appropriated to the Secretary $20,000,000 for each of fiscal years 2021 through 2029 for purposes of carrying out this section.

“(d) Eligible Entity Defined.—In this section, the term ‘eligible entity’ means—

“(1) an institution of higher education (as such term is defined in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)), including an institution of higher education that is a historically Black college or university (which has the meaning given the term “part B institution” in section 322 of such Act (20 U.S.C. 1061)) or other minority-serving institution listed in section 371(a) of such Act (20 U.S.C. 1067q(a));

“(2) an organization described in section 501(c)(3) of the Internal Revenue Code of 1986 and exempt from tax under section 501(a) of such Code; or

“(3) an organization, association, or a for-profit company, including a small business concern (as such term is described in section 3 of the Small Business Act (15 U.S.C. 632)), including a small business concern owned and controlled by socially and economically disadvantaged individuals (as such term is defined in section 8(d)(3)(C) of the Small Business Act (15 U.S.C. 637(d)(3)(C)).”.

(b) Definition.—Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101) is amended—

(1) by redesignating paragraphs (6) through (20) as paragraphs (7) through (21), respectively; and

(2) by inserting after paragraph (5) the following new paragraph:

“(6) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office, as well as related information and communications technology, including voter registration databases, voting machines, electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results), and other systems used to manage the election process and to report and display election results on behalf of an election agency.”.

(c) Clerical Amendment.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 320 the following new item:

“Sec. 321. Election infrastructure innovation grant program.”.