For the People Act of 2021 (H.R. 1; 117th Congress)/Division A/Title III/Subtitle E

H.R. 1 Division A, Title III, Subtitle E (2021)
by John Sarbanes

SEC. 3401. SHORT TITLE.

This subtitle may be cited as the “Prevent Election Hacking Act of 2021”.

SEC. 3402. ELECTION SECURITY BUG BOUNTY PROGRAM.

(a) Establishment.—Not later than 1 year after the date of the enactment of this Act, the Secretary shall establish a program to be known as the “Election Security Bug Bounty Program” (in this subtitle referred to as the “Program”) to improve the cybersecurity of the systems used to administer elections for Federal office by facilitating and encouraging assessments by independent technical experts, in cooperation with State and local election officials and election service providers, to identify and report election cybersecurity vulnerabilities.
(b) Voluntary Participation By Election Officials And Election Service Providers.—
(1) NO REQUIREMENT TO PARTICIPATE IN PROGRAM.—Participation in the Program shall be entirely voluntary for State and local election officials and election service providers.
(2) ENCOURAGING PARTICIPATION AND INPUT FROM ELECTION OFFICIALS.—In developing the Program, the Secretary shall solicit input from, and encourage participation by, State and local election officials.
(c) Activities Funded.—In establishing and carrying out the Program, the Secretary shall—
(1) establish a process for State and local election officials and election service providers to voluntarily participate in the Program;
(2) designate appropriate information systems to be included in the Program;
(3) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under paragraph (2) and establish criteria for individuals, organizations, and companies to be considered eligible for such compensation in compliance with Federal laws;
(4) consult with the Attorney General on how to ensure that approved individuals, organizations, and companies that comply with the requirements of the Program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and from liability under civil actions for specific activities authorized under the Program;
(5) consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs;
(6) develop an expeditious process by which an individual, organization, or company can register with the Department, submit to a background check as determined by the Department, and receive a determination regarding eligibility for participation in the Program; and
(7) engage qualified interested persons, including representatives of private entities, about the structure of the Program and, to the extent practicable, establish a recurring competition for independent technical experts to assess election systems for the purpose of identifying and reporting election cybersecurity vulnerabilities.
(d) Use Of Service Providers.—The Secretary may award competitive contracts as necessary to manage the Program.
(e) Definitions.—In this section:
(1) The term “Department” means the Department of Homeland Security.
(2) The terms “election” and “Federal office” have the meanings given such terms in section 301 of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101).
(3) The term “election cybersecurity vulnerability” means any security vulnerability that affects an election system.
(4) The term “election infrastructure” has the meaning given such term in paragraph (6) of section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101), as added by section 3021 of this title.
(5) The term “election service provider” means any person providing, supporting, or maintaining an election system on behalf of a State or local election official, such as a contractor or vendor.
(6) The term “election system” means any information system which is part of an election infrastructure.
(7) The term “information system” has the meaning given such term in section 3502 of title 44, United States Code.
(8) The term “Secretary” means the Secretary of Homeland Security, or, upon designation by the Secretary of Homeland Security, the Deputy Secretary of Homeland Security, the Director of Cybersecurity and Infrastructure Security of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, or a Senate-confirmed official who reports to the Director.
(9) The term “security vulnerability” has the meaning given such term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
(10) The term “State” means each of the several States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands.
(11) The term “voting system” has the meaning given such term in section 301(b) of the Help America Vote Act of 2002 (52 U.S.C. 21081(b)).