1 So in original. Probably should be followed by “and”.
2 So in original. The “; and” probably should be a period.
Editorial Notes
References in Text

Section 208(b) of the E-Government Act of 2002, referred to in subsec. (c)(6), is section 208(b) of title II of Pub. L. 107–347, which is set out in a note under section 3501 of Title 44, Public Printing and Documents.

Codification

Section was formerly classified to section 151 of this title prior to renumbering by Pub. L. 115–278.

Amendments

2022—Subsec. (a)(4). Pub. L. 117–263 struck out par. (4) which read as follows: “the terms ‘cybersecurity risk’ and ‘information system’ have the meanings given those terms in section 659 of this title.”

2018—Subsec. (a)(3). Pub. L. 115–278, § 2(g)(9)(A)(vii)(I), substituted “section 660 of this title” for “section 149 of this title”.

Subsec. (a)(4). Pub. L. 115–278, § 2(g)(9)(A)(vii)(II), substituted “section 659 of this title” for “section 148 of this title”.

Statutory Notes and Related Subsidiaries
Competition Relating to Cybersecurity Vulnerabilities

Pub. L. 117–81, div. A, title XV, § 1544, Dec. 27, 2021, 135 Stat. 2057, provided that: “The Under Secretary for Science and Technology of the Department of Homeland Security, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department, may establish an incentive-based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities (as such term is defined in section 2209 of the Homeland Security Act of 2002 [6 U.S.C. 659]) to information systems (as such term is defined in such section 2209 [see 6 U.S.C. 650]) and industrial control systems, including supervisory control and data acquisition systems.”

Department of Homeland Security Disclosure of Security Vulnerabilities

Pub. L. 115–390, title I, § 101, Dec. 21, 2018, 132 Stat. 5173, provided that:

“(a) Vulnerability Disclosure Policy.—The Secretary of Homeland Security shall establish a policy applicable to individuals, organizations, and companies that report security vulnerabilities on appropriate information systems of Department of Homeland Security. Such policy shall include each of the following:
“(1) The appropriate information systems of the Department that individuals, organizations, and companies may use to discover and report security vulnerabilities on appropriate information systems.
“(2) The conditions and criteria under which individuals, organizations, and companies may operate to discover and report security vulnerabilities.
“(3) How individuals, organizations, and companies may disclose to the Department security vulnerabilities discovered on appropriate information systems of the Department.
“(4) The ways in which the Department may communicate with individuals, organizations, and companies that report security vulnerabilities.
“(5) The process the Department shall use for public disclosure of reported security vulnerabilities.
“(b) Remediation Process.—The Secretary of Homeland Security shall develop a process for the Department of Homeland Security to address the mitigation or remediation of the security vulnerabilities reported through the policy developed in subsection (a).
“(c) Consultation.—
“(1) In general.—In developing the security vulnerability disclosure policy under subsection (a), the Secretary of Homeland Security shall consult with each of the following:
“(A) The Attorney General regarding how to ensure that individuals, organizations, and companies that comply with the requirements of the policy developed under subsection (a) are protected from prosecution under section 1030 of title 18, United States Code, civil lawsuits, and similar provisions of law with respect to specific activities authorized under the policy.
“(B) The Secretary of Defense and the Administrator of General Services regarding lessons that may be applied from existing vulnerability disclosure policies.
“(C) Non-governmental security researchers.
“(2) Nonapplicability of FACA.—The Federal Advisory Committee Act ([former] 5 U.S.C. App.) [see 5 U.S.C. 1001 et seq.] shall not apply to any consultation under this section.
“(d) Public Availability.—The Secretary of Homeland Security shall make the policy developed under subsection (a) publicly available.
“(e) Submission to Congress.—
“(1) Disclosure policy and remediation process.—Not later than 90 days after the date of the enactment of this Act [Dec. 21, 2018], the Secretary of Homeland Security shall submit to the appropriate congressional committees a copy of the policy required under subsection (a) and the remediation process required under subsection (b).
“(2) Report and briefing.—
“(A) Report.—Not later than one year after establishing the policy required under subsection (a), the Secretary of Homeland Security shall submit to the appropriate congressional committees a report on such policy and the remediation process required under subsection (b).
“(B) Annual briefings.—One year after the date of the submission of the report under subparagraph (A), and annually thereafter for each of the next three years, the Secretary of Homeland Security shall provide to the appropriate congressional committees a briefing on the policy required under subsection (a) and the process required under subsection (b).
“(C) Matters for inclusion.—The report required under subparagraph (A) and the briefings required under subparagraph (B) shall include each of the following with respect to the policy required under subsection (a) and the process required under subsection (b) for the period covered by the report or briefing, as the case may be:
“(i) The number of unique security vulnerabilities reported.
“(ii) The number of previously unknown security vulnerabilities mitigated or remediated.
“(iii) The number of unique individuals, organizations, and companies that reported security vulnerabilities.
“(iv) The average length of time between the reporting of security vulnerabilities and mitigation or remediation of such vulnerabilities.
“(f) Definitions.—In this section:
“(1) The term ‘security vulnerability’ has the meaning given that term in section 102(17) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501(17)), in information technology.
“(2) The term ‘information system’ has the meaning given that term by section 3502 of title 44, United States Code.
“(3) The term ‘appropriate information system’ means an information system that the Secretary of Homeland Security selects for inclusion under the vulnerability disclosure policy required by subsection (a).
“(4) The term ‘appropriate congressional committees’ means—
“(A) the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, and the Permanent Select Committee on Intelligence of the House of Representatives; and
“(B) the Committee on Homeland Security and Governmental Affairs, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, and the Select Committee on Intelligence of the Senate.”

Department of Homeland Security Bug Bounty Pilot Program

Pub. L. 115–390, title I, § 102, Dec. 21, 2018, 132 Stat. 5175, provided that:

“(a) Definitions.—In this section:
“(1) The term ‘appropriate congressional committees’ means—
“(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
“(B) the Select Committee on Intelligence of the Senate;
“(C) the Committee on Homeland Security of the House of Representatives; and
“(D) Permanent Select Committee on Intelligence of the House of Representatives.
“(2) The term ‘bug bounty program’ means a program under which—
“(A) individuals, organizations, and companies are temporarily authorized to identify and report vulnerabilities of appropriate information systems of the Department; and
“(B) eligible individuals, organizations, and companies receive compensation in exchange for such reports.
“(3) The term ‘Department’ means the Department of Homeland Security.
“(4) The term ‘eligible individual, organization, or company’ means an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.
“(5) The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.
“(6) The term ‘pilot program’ means the bug bounty pilot program required to be established under subsection (b)(1).
“(7) The term ‘Secretary’ means the Secretary of Homeland Security.
“(b) Bug Bounty Pilot Program.—
“(1) Establishment.—Not later than 180 days after the date of enactment of this Act [Dec. 21, 2018], the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of appropriate information systems of the Department.
“(2) Responsibilities of secretary.—In establishing and conducting the pilot program, the Secretary shall—
“(A) designate appropriate information systems to be included in the pilot program;
“(B) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);
“(C) establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;
“(D) consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and civil lawsuits for specific activities authorized under the pilot program;
“(E) consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs; and
“(F) develop an expeditious process by which an individual, organization, or company can register with the Department, submit to a background check as determined by the Department, and receive a determination as to eligibility; and
“(G) engage qualified interested persons, including non-government sector representatives, about the structure of the pilot program as constructive and to the extent practicable.
“(3) Contract authority.—In establishing the pilot program, the Secretary, subject to the availability of appropriations, may award 1 or more competitive contracts to an entity, as necessary, to manage the pilot program.
“(c) Report to Congress.—Not later than 180 days after the date on which the pilot program is completed, the Secretary shall submit to the appropriate congressional committees a report on the pilot program, which shall include—
“(1) the number of individuals, organizations, or companies that participated in the pilot program, broken down by the number of individuals, organizations, or companies that—
“(A) registered;
“(B) were determined eligible;
“(C) submitted security vulnerabilities; and
“(D) received compensation;
“(2) the number and severity of vulnerabilities reported as part of the pilot program;
“(3) the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
“(4) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;
“(5) the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;
“(6) the types of compensation provided under the pilot program; and
“(7) the lessons learned from the pilot program.
“(d) Authorization of Appropriations.—There is authorized to be appropriated to the Department $250,000 for fiscal year 2019 to carry out this section.”

Agency Responsibilities

Pub. L. 114–113, div. N, title II, § 223(b), Dec. 18, 2015, 129 Stat. 2966, as amended by Pub. L. 115–278, § 2(h)(1)(E), Nov. 16, 2018, 132 Stat. 4182, provided that:

“(1) In general.—Except as provided in paragraph (2)—
“(A) not later than 1 year after the date of enactment of this Act [Dec. 18, 2015] or 2 months after the date on which the Secretary makes available the intrusion detection and prevention capabilities under section 2213(b)(1) of the Homeland Security Act of 2002 [6 U.S.C. 663(b)(1)], whichever is later, the head of each agency shall apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system; and
“(B) not later than 6 months after the date on which the Secretary makes available improvements to the intrusion detection and prevention capabilities pursuant to section 2213(b)(2) of the Homeland Security Act of 2002 [6 U.S.C. 663(b)(2)], the head of each agency shall apply and continue to utilize the improved intrusion detection and prevention capabilities.
“(2) Exception.—The requirements under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.
“(3) Definition.—Notwithstanding section 222 [6 U.S.C. 1521], in this subsection, the term ‘agency information system’ means an information system owned or operated by an agency.
“(4) Rule of construction.—Nothing in this subsection shall be construed to limit an agency from applying the intrusion detection and prevention capabilities to an information system other than an agency information system under section 2213(b)(1) of the Homeland Security Act of 2002 [6 U.S.C. 663(b)(1)], at the discretion of the head of the agency or as provided in relevant policies, directives, and guidelines.”