SECURE IT Act
- Bill Number
- H.R. 6315
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Government Operations and Politics
- Status
- Introduced
- Latest Action
- 2025-11-25: Referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- Last Updated
- 2025-12-10T22:00:27Z
AI-Generated Summary
Purpose
The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act (SECURE IT Act) aims to improve the security of U.S. election systems by mandating penetration testing—simulated cyberattacks to identify weaknesses—during the certification of voting machines and software. It also creates a pilot program to encourage independent experts to find and responsibly report security flaws in election technology, fostering better protection against cyber threats without mandating participation.
Key Provisions
- Penetration Testing Requirement (Section 2):
- Amends the Help America Vote Act of 2002 (HAVA) to require the Election Assistance Commission (EAC) to include penetration testing in the testing, certification, decertification, and recertification of voting system hardware and software.
- The EAC must implement this within 180 days of enactment.
- The National Institute of Standards and Technology (NIST) will recommend entities for accreditation to perform these tests, focusing on their expertise in penetration testing; the EAC votes on approvals.
- Pilot Program for Independent Security Testing and Vulnerability Disclosure (Section 3):
- Establishes a 5-year voluntary program called the Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP-E), run by the EAC in consultation with the Secretary of Homeland Security.
- Key elements include:
- A process for election system vendors (companies providing voting machines or related tech) to voluntarily share their systems and source code with vetted cybersecurity researchers.
- Vetting of researchers, including background checks, to ensure trustworthiness.
- Participation terms that define allowed testing scope, require researchers to notify vendors, the EAC, and the Department of Homeland Security (DHS) of any found vulnerabilities (security weaknesses), and keep them confidential for 180 days.
- Vendors must respond to critical or high-severity vulnerabilities (as defined by NIST) by providing fixes or patches to state and local election officials, in coordination with the discovering researcher, and notify the EAC and DHS.
- For certified systems, patches receive expedited EAC review (within 90 days); if not reviewed in time, they are automatically deemed certified.
- After 180 days, vulnerabilities are reported to the Cybersecurity and Infrastructure Security Agency (CISA) for inclusion in the public Common Vulnerabilities and Exposures (CVE) database.
- Definitions clarify terms like "election system" (any tech used in elections, such as voting machines and voter databases) and "election system vendor."
- Voluntary Nature and Protections:
- Participation is optional for vendors and researchers.
- Provides "safe harbor" protections: Research under the program is exempt from liability under the Computer Fraud and Abuse Act (CFAA, a federal law against unauthorized computer access) and the Digital Millennium Copyright Act (DMCA, a law against bypassing digital locks), as long as it's done in good faith. Vendors agree not to sue researchers for accidental violations.
- Vulnerabilities found are exempt from the Freedom of Information Act (FOIA), meaning they won't be publicly disclosed through government requests.
Significant Changes to Existing Law
- Adds a new subsection (e) to Section 231 of HAVA, mandating penetration testing in voting system certification processes, which previously focused on general functionality and compliance without explicit cybersecurity simulations.
- Inserts a new Part 7 (Section 297) into HAVA's Subtitle D, creating the VDP-E pilot program from scratch. This introduces coordinated vulnerability disclosure—a structured way to report and fix flaws—tailored to election infrastructure, which was not previously required or formalized in federal election law.
- Updates HAVA's table of contents to reflect these additions.
Potential Impacts
- On Government Agencies: Increases workload for the EAC (overseeing testing and program administration), NIST (recommending testers), and DHS/CISA (consulting and tracking vulnerabilities), potentially leading to stronger federal coordination on election security but requiring new resources and guidelines.
- On Citizens: Could enhance trust in elections by reducing cyber risks to voting systems, making outcomes more reliable and resistant to hacking or interference; however, it relies on voluntary vendor participation, so benefits may vary by state.
- On International Relations: No direct impacts mentioned, though improved U.S. election cybersecurity could indirectly bolster national resilience against foreign cyber threats, aligning with broader U.S. efforts to protect democratic processes globally.
Main Stakeholders Affected
- Election Assistance Commission (EAC): Leads implementation, certification, and program oversight.
- Election System Vendors: Must decide on participation and respond to vulnerabilities, gaining potential protections but facing pressure to fix issues quickly.
- Cybersecurity Researchers and Experts: Gain vetted access to systems and legal safeguards to conduct ethical testing.
- State and Local Election Officials: Receive patches and mitigations, benefiting from more secure systems but needing to integrate fixes.
- Department of Homeland Security (DHS) and CISA: Consult on the program and manage vulnerability reporting, enhancing their role in critical infrastructure protection.
- National Institute of Standards and Technology (NIST): Recommends testers and defines vulnerability severity.
Notable Legal, Constitutional, or Political Implications
- Legal: The safe harbor provisions create exceptions to federal laws like CFAA and DMCA, encouraging ethical hacking while limiting vendor lawsuits; the FOIA exemption protects sensitive election security info from premature public release, balancing transparency with national security. Automatic certification of un-reviewed patches streamlines fixes but could raise concerns about rushed approvals.
- Constitutional: Aligns with Congress's authority under Article I to regulate federal elections and protect against threats, without infringing on states' primary role in administering elections (as the program is voluntary and advisory).
- Political: Promotes bipartisan election integrity by addressing cybersecurity—a non-partisan issue—potentially reducing vulnerabilities exploited in past foreign interference attempts. As a pilot, it allows testing before full mandates, but success may influence future laws; critics might argue it adds federal oversight without addressing broader election reforms.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Valadao, David G. [R-CA-22]
Cosponsors (1)
Rep. Deluzio, Christopher R. [D-PA-17]
Recent Actions
- 2025-11-25: Referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-11-25: Referred to the Committee on House Administration, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-11-25: Introduced in House
- 2025-11-25: Introduced in House
Bill Versions
- Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act — issued 2025-11-25 — PDF (9 pages)